RIPS 3.1: TeamCity, LDAP and JSP Support8 Apr 2019 by Hendrik Buchwald
We are happy to announce the next release of our static application security testing solution. RIPS 3.1 adds useful features to the user interface, enables more integration options, and significantly improves the code analysis.
Compliance to industry standards is a major topic in today’s product development strategies. We revised our compliance tab that now provides an efficient overview of all violations against industry standard requirements that were found during RIPS code analysis. Developers can take immediate actions and prioritize the most critical compliance violations first. RIPS supports the most popular standards and different versions, including PCI DSS, OWASP Top 10, SANS Top 25 and OWASP ASVS. In RIPS 3.1 we added support for the only recently released ASVS 4.0.1 standard.
We released a new native TeamCity plugin that seamlessly integrates RIPS security analysis into your TeamCity Continuous Integration (CI) process. Similar to many of our available CI integrations, the plugin allows to automatically execute RIPS scans as a build test. Based on the scan results and your configuration the plugin then acts as a security gate that prevents that vulnerable code with new security issues is reaching production.
With more and more integration options for RIPS you can easily lose track which of your applications have been integrated into what CI/CD tools, IDEs or issue tracker. Our new integration overview helps to manage your active connections and lists all applications that are secured in an automated fashion. It also helps to find available integrations that match to your specific SDLC.
In RIPS you can create and manage multiple user accounts with fine-grained access privileges to scan results. Many companies use the Lightweight Directory Access Protocol (LDAP), an open industry standard, as their distributed directory service for storing user credentials. RIPS 3.1 introduces LDAP support for on-premises installations which allows you to now use your existing directory services to create and authenticate users. Different encryption types, protocol versions, and query settings are supported.
JSP Security Analysis
With RIPS 3.0 we released our new Java engine that is available for SaaS and on-premises customers. Our Java engine is constantly updated with new detection features and improvements. One of the main improvements in RIPS 3.1 is the support for analyzing JSP files. JavaServer Pages (JSP) is a programming language to dynamically generate HTML and XML output for Java-based web applications. The new support is particularly important to detect Cross-Site Scripting vulnerabilities, though any other type of vulnerability can be hidden inside JSP code and is now detected by RIPS.
Besides our new visual features, many significant improvements were made behind the scenes. We tuned the overall performance, remediated bugs, and innovated our analysis engines with the following improvements, among others:
- Improved CakePHP support
- Improved Symfony support
- Silex framework support
- Apache Wicket support
- Lombok annotation support
- Support for detecting 16 new CVE issues (PHP)
- Support for detecting CSV file write issues
- Support for 27 new code quality types (Java)
- Support for code annotations to fine-tune PHP analysis
- Improved library and framework hinting
- Improved PDF reports
Next to the new features described in this post there are much more improvements to discover. Visit the product tour on our new website to find out more. If you would like to run a test scan with RIPS you can request a free trial.