Comparison of Application Security Testing Approaches

31 Jul 2018 by Dr. Johannes Dahse

Zend Server Integration

Web applications can be tested manually or automated, as a blackbox or a whitebox, with static or dynamic analysis. In this post we compare the advantages and disadvantages of a variety of approaches and solutions.

Read More ...

Scan, Verify and Patch in Minutes: TikiWiki 17.1 SQLi

19 Jul 2018 by Karim El Ouerghemmi
Tikiwiki SQLi

TikiWiki is an open source software that offers a wiki-style based content management system. It has more than 1.25 million downloads and a large code base of around 1.7 million lines of code. In this blog post, we demonstrate step by step how we used our leading RIPS Code Analysis solution to detect and verify a SQL injection vulnerability in minutes.

Read More ...

WordPress Plugin Vulnerabilities 2017 VS. Static Analysis

29 Nov 2017 by Dr. Johannes Dahse
WordPress Plugin Vulnerabilities

WordPress is used by 29.0% of all the websites1. Due to its wide adoption, specifically the security of WordPress plugins moved into the focus of cyber criminals. Often, the plugins provided by third parties do not share the same level of security as the WordPress core itself, making them an attractive target for attackers. Security vulnerabilities are actively exploited in order to compromise large amounts of installations that use vulnerable plugins. Can static code analysis detect these vulnerabilities out of the box? In this technical blog post we analyze the most critical plugin vulnerabilities in 2017 and share some insights about the requirements of a static code analyzer needed for detection.

Read More ...

Rescanning Applications with RIPS

11 Dec 2016 by Daniel Peeren

Rescans

After an automated security analysis of an application with RIPS, the application can be rescanned again. Within another round of security analysis, implemented patches can be verified or the analysis settings of the previous scan can be refined. In todays calendar post, we are introducing some of the rescanning and reviewing features of RIPS based on an example and see how rescanning works and what benefits it brings.

Read More ...

Non-Exploitable Security Issues

10 Dec 2016 by Hendrik Buchwald

In our previous calendar posts, we covered specific security issues in popular open-source applications that were detected by our code analysis solution RIPS. Most of the released issues lead to remote command execution, the most critical security vulnerability in PHP applications. But are all findings always exploitable? For more diversity of our calendar, we would like to introduce a few interesting examples today that turned out to be not exploitable and how RIPS handles these scenarios.

Read More ...