What's new in RIPS 2.0.0?
18 Apr 2017 by Martin Bednorz
We are happy to announce the next iteration of our static analysis software for PHP! The new release RIPS 2.0.0 includes the following major changes:
- A completely new interface with optimized performance (demo.ripstech.com)
- A new extensive REST API for full feature automation (api.ripstech.com)
- Team and user privilege management
- Application-specific analysis profiles
- More detailed code summaries and issue descriptions
- Issue categorization for PCI DSS compliance requirements
- Improved analysis precision and performance
- Detection of Cookie Misconfiguration issues (CWE-613, CWE-614, CWE-1004)
- Detection of Insufficient Certificate Validation issues (CWE-295, CWE-297)
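The last two items describe issue classes that live in application code rather than in the scanner. The following PHP is an added, constructed example (not RIPS code and not taken from this post) that puts the weak pattern beside the hardened one for both classes: cookie flags and session expiry (CWE-614, CWE-1004, CWE-613) and TLS certificate validation in the curl extension (CWE-295, CWE-297). The function names, the 15-minute idle timeout and the CA bundle path are assumptions; the options-array forms of session_set_cookie_params() and setcookie() require PHP 7.3 or later.

```php
<?php
// Added example, not part of the RIPS release or its documentation.
// Weak and hardened variants of the two issue classes named above.

// --- Cookie misconfiguration (CWE-614 no Secure, CWE-1004 no HttpOnly, CWE-613 no expiry)

function start_session_weak()
{
    // Relies on php.ini defaults: session.cookie_secure and
    // session.cookie_httponly are off, and nothing bounds idle sessions.
    session_start();
}

function start_session_hardened()
{
    session_set_cookie_params([
        'lifetime' => 0,         // browser-session cookie; idle timeout enforced below
        'path'     => '/',
        'domain'   => '',
        'secure'   => true,      // CWE-614: only transmitted over HTTPS
        'httponly' => true,      // CWE-1004: not exposed to document.cookie
        'samesite' => 'Strict',  // PHP >= 7.3
    ]);
    session_start();

    // CWE-613: expire idle sessions on the server instead of trusting the client.
    $maxIdle = 15 * 60; // assumed policy: 15 minutes
    if (isset($_SESSION['last_activity']) && time() - $_SESSION['last_activity'] > $maxIdle) {
        session_unset();
        session_destroy();
        session_start();
        session_regenerate_id(true);
    }
    $_SESSION['last_activity'] = time();
}

function set_remember_cookie_weak($token)
{
    setcookie('remember_me', $token); // no Secure, no HttpOnly, no bounded expiry
}

function set_remember_cookie_hardened($token)
{
    setcookie('remember_me', $token, [
        'expires'  => time() + 30 * 24 * 3600, // explicit, bounded lifetime
        'path'     => '/',
        'secure'   => true,
        'httponly' => true,
        'samesite' => 'Lax',
    ]);
}

// --- Insufficient certificate validation (CWE-295 peer not verified, CWE-297 host not checked)

function fetch_weak($url)
{
    $ch = curl_init($url);
    curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
    curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false); // CWE-295: any certificate accepted
    curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, 0);     // CWE-297: name in certificate ignored
    $body = curl_exec($ch);
    curl_close($ch);
    return $body;
}

function fetch_hardened($url, $caBundle = '/etc/ssl/certs/ca-certificates.crt') // path is an assumption
{
    $ch = curl_init($url);
    curl_setopt_array($ch, [
        CURLOPT_RETURNTRANSFER => true,
        CURLOPT_SSL_VERIFYPEER => true,   // chain must validate against the bundle
        CURLOPT_SSL_VERIFYHOST => 2,      // 2 = certificate name must match the host (1 is not valid)
        CURLOPT_CAINFO         => $caBundle,
        CURLOPT_PROTOCOLS      => CURLPROTO_HTTPS, // refuse redirects to plain HTTP
    ]);
    $body = curl_exec($ch);
    if ($body === false) {
        // Fail closed: a validation error must not silently degrade to an insecure fetch.
        $err = curl_error($ch);
        curl_close($ch);
        throw new RuntimeException('TLS or transport failure: ' . $err);
    }
    curl_close($ch);
    return $body;
}
```

The same two checks apply to the stream wrappers: a stream context with 'verify_peer' => false or 'verify_peer_name' => false passed to file_get_contents() is the non-curl form of CWE-295 and CWE-297, and the fix is to leave both at their default of true.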
Find out more about the top 5 new features in this blog post.
New Scanning Process
The automated security analyses with RIPS 2.0.0 are split into applications and scans. An application is a single deployment unit, for example a website, a webshop, or the company intranet application. A scan is a single analysis of one of these applications.
When scanning a new version of your application, you can select a specific previous scan as the parent. RIPS then compares the analysis results of the two versions and provides detailed information about new, fixed, and remaining vulnerabilities.
To further simplify re-scanning, SaaS users can choose (opt-in) to store previously uploaded archives. A stored archive can be re-selected when starting a new analysis, skipping the upload altogether. This is especially useful when you want to try multiple analysis settings on the same source code version.
Another addition to the scanning process are running-scan indicators. The sidebar shows a loading icon for both applications and scans, and all currently running scans are listed at the top of the interface. This makes it easy to track the state of concurrently running analyses.
Application-specific Analysis Profiles
With RIPS 2.0.0 it is finally possible to create multiple analysis profiles that are either bound to one application or available globally throughout your organisation. This allows you to create individual profiles for each application and to try out new analysis settings without affecting other users.
More detailed Issue Descriptions
We improved the technical code summary of detected security issues significantly. RIPS is now able to pinpoint and highlight the source of user input, the last markup concatenation, and the vulnerable sink. Further, we improved and extended the technical description for each issue.
Improved Vulnerability Management
Flagging detected security issues is now much smoother and more efficient. A new review button simplifies reviewing an issue, and the new review status is reflected directly in the issue list for a much clearer overall view. As a side note, the issue list now comes with practical filters for a faster review process.
Overall, issue navigation is greatly improved. Selecting an issue no longer triggers a full page load; only the selected item is loaded. As a result, the current tab selection is preserved in stored bookmarks, in results shared with co-workers, and in links stored in software development tools like JIRA, YouTrack, or GitHub.
Furthermore, we added the popular issue breakdown from our PDF reports into the interface. It provides an important outline of all issue types found, number of occurrences, and their classification according to industry standards (CWE, OWASP Top 10, SANS 25, and *new* PCI DSS). Find out more about the supported vulnerability types and standards on our website.
Fine-grained Access Control Management
Managing user access is essential for most organisations, especially given the sensitive analysis data provided by RIPS. Our new release introduces extensive access control management based on application entities. It enables users with the manager role to create teams and users with dedicated access control and fine-grained rights for each application and its analysis results.
The new release significantly improves overall interface performance and usability, specifically for use in large teams. Beyond the new features described in this post there are many more improvements to discover. Visit our demo application to try out the new interface yourself and leave some feedback so we can improve it further. Finally, we would like to thank all RIPS users for their valuable feedback and feature requests.