PT Application Inspector 4.0 available in web version

Positive Technologies introduces a new version of its application code security analysis system, PT Application Inspector 4.0. Key changes include a web-based version of the product and support for Docker containers [1] and TypeScript.

A study by Positive Technologies on the evolution of development, security and operations (DevSecOps) shows that more than a third (36%) of the specialists surveyed from Russian companies [2] have already included security measures in the software development cycle and have established best practices. However, they point out that they lack information on practical implementation cases (35%), processes (22%), tools (20%), and formal methods and DevSecOps architecture (18%). Therefore, most of the improvements in PT Application Inspector 4.0 were aimed at making code security analysis clear and convenient for both information security specialists and developers.

In addition to Windows, the new version of PT Application Inspector now supports Linux. Positive Technologies estimates that approximately 83% of developers worldwide prefer Linux, and Astra Linux, a Debian-based distribution, is among the most widespread operating systems in the Russian public sector [3]. Thus, companies using Linux and organizations aiming to optimize IT costs can now use the product, since:

  • Linux-based systems are open-source; they are mostly distributed for free as ready-to-use distribution packages and are less resource-intensive.
  • Working in Docker containers reduces the cost of setting up, supporting, and maintaining PT Application Inspector 4.0 by automating some of these operations.
  • There are no restrictions on the number of users or projects in the product: distributed teams can use the Positive Technologies vulnerability scanner simultaneously.

Scan results are accessible in the web-based version of PT Application Inspector 4.0, allowing the entire team to work with detected vulnerabilities without deploying additional software on the workstation.

PT Application Inspector 4.0 web interface

PT Application Inspector combines key analysis methods with unique abstract interpretation technology, which ensures highly accurate results and minimal false positives. According to the Open Web Application Security Project (OWASP) benchmark, PT Application Inspector has an average code analysis score of 85%, showing 100% true positives and 14.7% false positives. These numbers place PT Application Inspector well ahead of most code analyzers on the market. The product automatically creates harmless exploits to confirm vulnerabilities and thus prove the feasibility of exploiting them in a real attack.

PT Application Inspector scan quality assessment results based on OWASP Benchmark public code scan

Denis Korablev, Managing Director, Product Manager, Positive Technologies, says: “Unprotected apps are a real danger to businesses. According to Positive Technologies, in 2021, 100% of applications analyzed by our experts contained vulnerabilities allowing cybercriminals to carry out attacks of various levels of complexity. PT Application Inspector 4.0 combines four technologies for code analysis: SAST [4], DAST [5], IAST [6] and SCA [7], enabling high quality analysis, as confirmed by OWASP Benchmark and multiple cases in the nine years since PT Application Inspector entered the market.”

The new version of the product supports the TypeScript language, one of the ten most popular programming languages in the world, which is used to create both client-side (frontend) and server-side (backend) parts of web applications. TypeScript is the second language, after JavaScript, that the product supports through the Just Static Analyzer (JSA) vulnerability research module. The JSA module is versatile and flexible in terms of performance: it can be used for both quick and in-depth code analysis. Positive Technologies plans to move all supported languages to this module and to provide IDE plugins [8] that enable application security scanning while coding.

Additionally, PT Application Inspector 4.0 now supports single sign-on (SSO) technology [9]. For SSO authorization, the product supports SAML 2.0 (Security Assertion Markup Language, an open standard for exchanging XML-based authentication data), which allows security domains to exchange user authentication and authorization data, as well as OpenID, an open standard and decentralized authentication protocol. Full support for these protocols has been implemented (previously, SSO authorization was integrated only with Microsoft Active Directory).

  1. A platform for the development, delivery and launch of containerized applications.
  2. The research involved employees of Russian IT (69%), financial (17%) and industrial (7%) companies.
  3. In 2020, the system passed the milestone of one million licenses.
  4. Static Application Security Testing
  5. Dynamic Application Security Testing
  6. Interactive Application Security Testing
  7. Software Composition Analysis
  8. Integrated development environments such as Visual Studio and PhpStorm (an IDE for PHP).
  9. Single sign-on (SSO) technology is an authentication method that allows users to securely log in to multiple applications and websites at once using a single set of credentials.
