Source: https://cobaltstrike.net/2022/04/07/pt-application-inspector-4-0-is-available-in-the-web-version/
Positive Technologies has introduced a new version of its application code security analysis system, PT Application Inspector 4.0. Among the key changes are a web version of the product, the ability to run in Docker containers, and support for the TypeScript language.
A Positive Technologies study on the adoption of DevSecOps (Development Security Operations) showed that more than a third (36%) of the surveyed specialists at Russian organizations have already included security measures in their software development cycle and have established some practice. At the same time, respondents stressed that they lack information about practical implementation cases (35%), processes (22%), tools (20%), and formal methods and DevSecOps architecture (18%). Most of the improvements in PT Application Inspector 4.0 were therefore aimed at making code security analysis understandable and convenient for both information security specialists and developers.
The new version of PT Application Inspector adds Linux support alongside the existing Windows support. According to Positive Technologies experts, about 83% of developers worldwide prefer to work on Linux, and in the Russian market Astra Linux (a Debian-based distribution) is among the most common operating systems in the public sector. Companies that use Linux and organizations interested in optimizing IT costs can now work with the product, since:
- Linux-based systems are open source, are mostly distributed free of charge as ready-made distributions, and are less demanding of resources;
- running in Docker containers reduces the labor cost of setting up and maintaining PT Application Inspector 4.0 by automating some of these operations;
- the product places no restrictions on the number of users or projects, so the Positive Technologies vulnerability scanner can be used simultaneously by members of distributed teams.
In PT Application Inspector 4.0, scan results are accessible in the web version, which allows the entire team to work with the vulnerabilities found without deploying additional software on their workstations.
PT Application Inspector 4.0 Web Interface
PT Application Inspector combines key analysis methods with a proprietary abstract-interpretation technology, which the vendor says delivers high accuracy and a minimal number of false positives. On the benchmark published by the Open Web Application Security Project (OWASP) community, PT Application Inspector has an overall code analysis score of 85%, with a 100% true positive rate and a 14.7% false positive rate; by this measure it is significantly ahead of most code analyzers on the market. The product also automatically generates harmless exploits, which make it possible to confirm a vulnerability and demonstrate that it could be exploited in a real attack.
Results of the PT Application Inspector analysis quality assessment, based on scanning the public OWASP Benchmark code
“Unprotected applications pose a real danger to business. According to a Positive Technologies study, in 2021, 100% of the applications analyzed by our experts revealed vulnerabilities that enabled attackers to carry out attacks on customers of various levels of complexity,” says Denis Korablev, Managing Director and Product Director of Positive Technologies. “PT Application Inspector 4.0 combines four code analysis technologies: SAST, DAST, IAST and SCA, and due to this provides high quality analysis, which is confirmed by the OWASP benchmark and successful cases over the nine years of PT Application Inspector’s existence.”
The new version of the product adds support for the TypeScript language, one of the ten most popular programming languages in the world, used to build both the client (frontend) and server (backend) parts of web applications. TypeScript is the second language, after JavaScript, that the product supports through its JSA vulnerability search module (Just Static Analyzer, a static analysis technology). The JSA module is versatile and flexible in terms of performance: it can be used for both quick and thorough code analysis. Positive Technologies plans to migrate all supported languages to this module and to move toward IDE plugins that let developers analyze application security while writing code.
PT Application Inspector 4.0 also adds support for single sign-on (SSO). For SSO authorization, the product now supports the SAML 2.0 standard (Security Assertion Markup Language, an open XML-based standard for exchanging authentication data that allows security domains to exchange authorization credentials) and OpenID, an open standard for decentralized authentication. In addition, full protocol support has been implemented (previously, SSO authorization was integrated only with Microsoft Active Directory).