FAQ

Green Rain is a suite of software that provides you with a highly detailed analysis of the source code of your application. Identify exactly how and where your application integrates into other services and applications.

Green Rain consists of series of ‘engines’ that allow Fedr8 to forensically analyse your application. Each engine dives deeper in to the source code providing an extremely granular view of the application. To do this, Fedr8 use a mixture of established mathematical principles, proven big data analytical components and cutting edge lexical analysis developed by our data scientists.

After uploading your application in to Green Rain, the various engines set to work to deconstruct your application into many, often millions of tiny pieces (tokens), essentially uncovering the DNA of your application. Each token is assigned metadata that allows us to consistently describe each component of the application in a consistent manner.

These tokens and the associated metadata then populate a complex database, against which a series of highly complex queries are performed to uncover the information detailed within this report.

The Method by which the analysis occurs is described below:

The report will provide you with a deep insight into your application and will help you answer the following questions:

• How much effort is required to migrate and integrate my application into new platforms?
• How much will it cost to migrate and integrate my application into new platforms?
• How easy is it for me to continue development and support of my application?

Furthermore, a detailed statement of work is provided within Green Rain to enable accelerated digital transformation of your application. For each section Green Rain details the exact lines of code requiring remediation which can be sorted by complexity and assigned to specific developers to enable parallel refactoring of your application with optimised resource alignment to each task.

This information can provide you with significant benefits, which include, but are not limited to:

• Accelerate digital transformation
• Reduce cost of digital transformation
• Increase your competitive advantage when acquiring software companies and assets
• Optimise your ongoing application development and management strategies

We know your code is extremely important to you and your business, and we're very protective of it. After all, Fedr8's code is hosted on Fedr8, too!

Source Code Storage

Fedr8 do not store your source in their system. As the source code is uploaded we tokenize the data and store the tokens in a data base. The tokens are not in a human readable format and cannot be reconstituted in to the original source code.

Communications

All private data exchanged with Fedr8 and Green Rain is always transmitted over SSL (which is why your dashboard is served over HTTPS, for instance). Likewise all internal communication between Green Rain is completed over HTTPS and authenticated with OAuth Tokens.

File system and backups

As we don’t store your data in its native format on a permanent basis we do not use any traditional file systems and as such do not need to back them up. The tokenized data we hold is within a Database Service that is replicated and backed up across multiple servers and storage systems. The databases are clustered for availability and data integrity.

Employee access

No Fedr8 employees ever access private repositories unless required to for support reasons. Staff working directly in the database access the compressed database, your code is never presented as plain text files like it would be in a local clone. Support staff may sign into your account to access settings related to your support issue. It is not possible for our staff to pull a clone of your code. When working a support issue we do our best to respect your privacy as much as possible, we only access the files and settings needed to resolve your issue.

Maintaining security

We protect your login from brute force attacks with rate limiting. Login information is always sent over SSL.

Contact Us

Have a question, concern, or comment about Green Rain security? Please contact Fedr8 support.

Please refer to our Privacy Policy

Calculations of defect discovery and remediation

In order to calculate effort and costs of discovery and remediation, we make a number of assumptions based upon our experience in reviewing and developing code. We are also able to use data that Green Rain collects as the application is analysed.

We make a comparison between manual discovery which would consist of a developer manually reviewing the code, versus an automated discovery using Green Rain .

Measurements in the automated discovery step give impact to subsequent defect remediation by enabling distribution of tasks and a number of developers working in parallel. The process differences and assumed resources involved are described below.

	Discovery	Remediation
Manual	1x Senior developer 0.3 minutes per each line of code to review in a conventional debugger tool	1x Senior developer every defect would be remediated in place as it would be found during discovery slowing the process down
Automated	1x Senior developer up to 1 day for code upload into Fedr8 software suite and review of results Cost of licence $20,000.00	1x Senior, 1x Mid and 1x Junior tasks would be distributed per developer tiers based on complexity time to value would be based upon the developer that needs the longest time to complete their work

We assign different remediation velocity for each developer tier and assume fixed working hours per day to calculate total activity time as defined below. To calculate the cost of each activity we multiply the total activity duration for each developer by their individual hourly rates, sum it up and add licence costs where applicable.

	Junior	Mid	Senior
Hourly rate (fully burdened / loaded)	$46.20	$92.40	$139.20
Velocity (Time to remediate a single defect)	14 minutes	11 minutes	10 minutes
Number of working hours per day	8 hours

Sample Calculation

The sample calculation below is based on a number of assumptions that come from data points available to us around average application sizes and average number of defects discovered etc. From these base lines we are able to provide a view around the acceleration in time and the reduction in cost of using Green Rain.

Average Lines of Code (LOC) per application	300000
Average discovery/app	45 man days
Average % defects identified	1%
Senior Dev hourly rate (loaded)	$138.99
Mid Dev hourly rate (loaded)	$92.60
Junior Dev hourly rate (loaded)	$46.37
Complex tasks (senior dev)	10% of defects
Mid Level Tasks (mid dev)	30% of defects
Low Level Tasks	60% of defects

Manual Discovery Calculation

Discovery Effort	45 days
Discovery Resource (Senior Dev) /hr	$139.20
Total	$50,112.00

Automated Discovery Calculation

Discovery Effort	1 day
Discovery Resource (Senior Dev) /hr	$139.20
Full Application Analysis Licence	$20,000
Total	$21,113.60

Traditional Manual Remediation Calculation

LOC requiring remediation	3000
Minutes per LOC	10
Total hours of remediation activity	500
Discovery Resource (Senior Dev) /hr	$139.20
Total	$69,500

Automated Remediation Calculation

LOC requiring remediation	3000
Low Level LOC	1800
Mid Level LOC	900
Complex Level LOC	300
Low level hours of remediation activity	420
Mid level hours of remediation activity	165
Senior level hours of remediation activity	50
Total	$27,885.60

Brief overview of Green Rain's Process

Green Rain's process can be split into a number of engines, with increasing complexity. Initially the code is run through an engine called 'Alice' , where geographic investigation is completed. A complete map of your codebase is generated from all objects/files in the scope of your root directory, all of these files are created as nodes*. Core geographic relationships are also built at this stage. Finally Alice looks for resource relationships* between nodes. These nodes and relationships are then passed to the 'Alex' engine where lexical analysis is completed and abstraction of data occurs, all script files in scope are scanned and each token is individually inspected in isolation as well as in context to the rest of the codebase. Alex then adds to the nodes as well as building new relationships. Alex also completes scans for products* and vulnerabilities. Warnings* are raised based on severity of vulnerability. A third engine 'Phil' is then passed the updated nodes and relationships and uses common queries that target the tokens as well as compound token/token meta data to scan for further vulnerabilities and data connectivity.

Token

A token is the smallest part of your code that is available to interrogate, think of it as a single word, all tokens have abstracted metadata which is defined by Fedr8 and is used for filtering and querying token data.

Objects/Nodes

Everything we analyze is a 'Node'. Generally this refers to an analyzed script. Any object inside the core/root directory is created as a node inside Fedr8, nodes have a wide range of attributes that are used to select individual groups or types for processing.

Geographical Analysis

Occurs inside the 'Alice' engine, and is effectively an intelligent recursive directory scanner that captures all objects inside the root directory and performs intelligent classification as well as calculating the interconnectivity of scripts.

Lexical Analysis

The process of 'dis-assembling' nodes into tokens. Occurs inside the 'Alex' engine, and is an extremely low level engine designed for interrogating each individual token* and building complex metadata around that token.

Relationships

A relationship is the function by which two nodes are connected. Each node has a number of relationships that describe how it interacts with the rest of the script base, there are a range of relationship types that are used to help filter nodes for processing.

Fedr8’s Acceptable Use Policy for Green Rain Software-as-a-Service

Version 022017

This Acceptable Use Policy ("Policy") outlines unacceptable use of Fedr8 Software-as-a-Service (SaaS), which interact with, or access, the Internet (the "Services"). This Policy is in addition to any other terms and conditions under which Fedr8 provides the Services to you.

Fedr8 may make reasonable modifications to this Policy from time to time by posting a new version of this document on the Fedr8 website at the current URL. Revisions are effective immediately upon posting. Accordingly, we recommend that you visit the Fedr8 website regularly to ensure that your activities conform to the most recent version.

Questions about this Policy (e.g. whether any contemplated use is permitted) and reports of violations of this Policy should be directed to support@fedr8.com

The examples listed in this Policy are not exhaustive. Prohibited uses and activities include, without limitation, any use of the Services in a manner that, in Fedr8’s reasonable judgment, involves, facilitates, or attempts any of the following:

• violating any law of, or committing conduct that is tortuous or unlawful in, any applicable jurisdiction
• displaying, performing, sending, receiving or storing any content that is obscene, pornographic, lewd, lascivious, or excessively violent, regardless of whether the material or its dissemination is unlawful
• advocating or encouraging violence against any government, organization, group, individual or property, or providing instruction, information, or assistance in causing or carrying out such violence, regardless of whether such activity is unlawful
• accessing, sending, receiving, displaying, performing, disclosing, storing, or executing any content a) in violation of any copyright, right of publicity, patent, trademark, service mark, trade name, trade secret or other intellectual property right, b) in violation of any applicable agreement, or c) without authorization
• deleting or altering author attributions, copyright notices, or trademark notices, unless expressly permitted in writing by the owner
• obtaining unauthorized access to any system, network, service, or account
• interfering with service to any user, site, account, system, or network by use of any program, script, command, or otherwise
• introducing or activating any viruses, worms, harmful code and/or Trojan horses
• sending or posting unsolicited messages or e-mail, whether commercial or not, a) to any recipients who have requested that messages not be sent to them, or b) to a large number of recipients, including users, newsgroups, or bulletin boards, at one time
• evading spam filters, or sending or posting a message or e-mail with deceptive, absent, or forged header or sender identification information
• holding Fedr8 or its affiliates up to public scorn or ridicule and/or reselling Fedr8’s services, in whole or in part, to any entity or individual, without Fedr8’s prior written consent, or misrepresenting your relationship with Fedr8

© 2017 Fedr8 All rights reserved