Comparison of Application Security Testing Approaches

31 Jul 2018 by Dr. Johannes Dahse

Web applications can be tested manually or automated, as a blackbox or a whitebox, with static or dynamic analysis. In this post we compare the advantages and disadvantages of a variety of approaches and solutions.

Scan, Verify and Patch in Minutes: TikiWiki 17.1 SQLi

19 Jul 2018 by Karim El Ouerghemmi

TikiWiki is open-source software that offers a wiki-style content management system. It has more than 1.25 million downloads and a large code base of around 1.7 million lines of code. In this blog post, we demonstrate step by step how we used our leading RIPS Code Analysis solution to detect and verify a SQL injection vulnerability in minutes.

WordPress Plugin Vulnerabilities 2017 VS. Static Analysis

29 Nov 2017 by Dr. Johannes Dahse

WordPress is used by 29.0% of all websites [1]. Due to this wide adoption, the security of WordPress plugins in particular has moved into the focus of cyber criminals. Plugins provided by third parties often do not share the same level of security as the WordPress core itself, which makes them an attractive target for attackers. Security vulnerabilities in plugins are actively exploited in order to compromise large numbers of installations that use them. Can static code analysis detect these vulnerabilities out of the box? In this technical blog post we analyze the most critical plugin vulnerabilities of 2017 and share some insights into the requirements a static code analyzer must meet to detect them.

Introducing the RIPS analysis engine

4 Dec 2016 by Johannes Dahse

In today's post, we would like to share some insights into our static code analysis engine RIPS, which detected the security bugs described in the previous and upcoming calendar gifts. The engine has a long history and went through several generations before reaching its current performance. What does it actually do in the few seconds between clicking the scan button and the first vulnerability report popping up? How can a security vulnerability be detected automatically in source code? Let's have a look.
