Java Application Security Testing

At RIPS we take a unique approach to static code analysis of modern web applications. Instead of building one generic analyzer for fundamentally different programming languages, such as static Java and dynamic PHP, we strongly believe that complex security bugs in modern applications can only be accurately detected with language-specific analysis engines that simulate all of the language’s subtleties, libraries, and pitfalls. After all, these nifty details account for today’s security vulnerabilities.

Hence, we did not simply add a Java parser to our leading PHP engine, which lately uncovered exploitable security issues in WordPress, Magento and phpBB3. We built a completely new code analysis engine that adapts our award-winning static analysis algorithms to the Java programming language, paired with Java-specific innovations. Our Java engine is able to parse all kinds of Java code, up to the latest Java version 11, and to perform automated security analysis of millions of code lines within only minutes. Although still at an early stage, it already checks for over 60 security vulnerability types and 20 code quality issues with security relevance, and has detected multiple previously unknown security vulnerabilities in popular CMS software. We will disclose the details of these vulnerabilities as soon as they are patched by the affected vendors. Of course, the separation of our different analysis engines is invisible to the user, and all of our integrations, user interface, and REST API can also be used for Java.

SQL Injection

New Manager Dashboard

The most visible improvement in RIPS 3.0 is our new manager dashboard that appears directly after login. We grouped the latest scan statistics for each application into application cards that enable you to easily see which of your applications has been improving or worsening lately in terms of exploitable security, code quality or misconfiguration issues. For this purpose a high-level score from 1 (good) to 5 (bad) was added. You can also track which of your application’s scans are connected to our many integration options, e.g. a CI/CD tool, IDE, or bug tracker.

Application Card

Improved Code Summary

We constantly improve our code summary, which is displayed for each detected security issue and groups only the code lines affected by that particular issue. To make reviewing the code summary more efficient, we added highlighting for the exact taint positions in the markup. This helps, for example, when reviewing a SQL injection issue in a dynamic SQL query that has multiple variables: the vulnerable variable is easily spotted with our red highlights.

Taint Position Highlights

Advanced Patch Guide

Alongside our issue description and references, which help you understand the root cause and consequences of each vulnerability, we advanced our patch guide for easier problem resolution. We extended our instructions, which differ for each vulnerability context, and added actionable code samples to support quick drafting of patch code.

Security Patch Guide

Maven and Gradle Integration

With our new support for Java code analysis we also added integration support for the two most popular build management tools: Apache Maven and Gradle. You can easily add RIPS security testing as a task in your build process and define your maximum thresholds for new security vulnerabilities. Whenever these thresholds are violated, your build will fail and new security bugs are automatically blocked from entering your build.

Gradle Security Integration

IntelliJ IDEA Integration

If you are using IntelliJ IDEA as your development editor, you can also integrate RIPS in-depth Java security analysis directly into your IDE. Our IntelliJ plugin enables you to start a new code analysis of your current working copy and to receive security feedback in real time. All detected security issues are listed in the IDE, and you can jump directly to the vulnerable code lines to efficiently address each issue with our patch instructions.

IntelliJ IDEA Security Plugin

Revised Analysis Profiles

RIPS works very well out of the box for any kind of code, and there is no need for application-specific configuration. Hence RIPS is very easy to use for beginners. To get the most out of static analysis, advanced users can fine-tune analysis parameters with the help of our analysis profiles. We revised the configuration forms and added dynamic code examples that automatically adjust to your inputs. With these, your advanced configurations and their effects become more intuitive.

Sink Configuration Sink List

And more

Beyond the new features described in this post there are many more improvements to discover. Visit the product tour on our new website to find out more. If you would like to run a test scan with RIPS, you can request a free trial. Last but not least, we would like to thank all RIPS users for their valuable feedback and feature requests in the past year, which helped us take RIPS to the next level. Have a great and safe start to the new year!