Application Inspector — PRODUCT BRIEF
Simplify Compliance and Control Security
HIGHLIGHTS
• Achieve a high-level of assurance through our innovative use of SAST, DAST and IAST
with automatically generated vulnerability exploits
vulnerabilities and not code errors
• Standardize security across multiple languages and platforms including web, mobile and ERP
• Improve security by integrating with
• WAF and IPS
Today, most organizations rely on network and web-based applications for everything from business process management to cloud-based filesharing and storage services. Likewise, mobile applications are lurkingjust around the corner, poised to change the enterprise landscape, yet again. However, in a rush for higher profits, most companies haveoverlooked the underlying danger that these types of applicationspose. According to Verizon’s 2013 Data Breach Report, almost one inthree cyber-crime and cyber-espionage attacks were initiated usingapplication vulnerabilities as attack vectors. Additionally, the scientists atPositive Research recently found that 50% of online banking applicationscan be exploited to gain unauthorized access to corporate networks anddata and to make fraudulent transactions.
More than a decade of research and practical knowledge from auditing over1,000 unique applications has gone into Application Inspector — a single, user-friendly solution which allows you to quickly �nd and �ll security holes within your applications.
Resolving vulnerabilities swiftly and e�ciently is critical — you can’t a�ord tospend time chasing false alarms. Application Inspector’s intelligent scanning engine �nds true vulnerabilities while ignoring sourse code programming errors — drastically reducing the number of potential false positives.
In contrast to other source code analysis products, Application Inspector is able to examine software that is written in multiple languages; for example an ASP.NET web application with an HTML 5.0 and JavaScript frontend that uses SQL databases.
By automating the entire process, Application Inspector eliminates the di�culties with application security assurance — slashing your compliance costs and putting you in control of your enterprise security posture.
Know Your Risks - Instantly
Not a security expert? Don’t worry. Our automation quickly shows you how vulnerabilities in your code can be exploited — saving you from having to trace the logic on your own. When Application Inspector detects a vulnerability, it automatically generates an exploit vector such as an HTTP or JSON request; demonstrating the weakness and how it could be used to attack your business.
Discovering vulnerabilities early in the development process will obviously help to ensure a higher-level of security, so we’ve designed Application Inspector to integrate
Application Inspector — PRODUCT BRIEF
Achieve a High-Level of Assurance
Most legacy source code analysis products use either Dynamic Application Security Testing (DAST) - which assesses the security of applications while they are running – or Static Application Security Testing (SAST) – which, by contrast, looks at application source code. More recently, Interactive Application Security Testing (IAST) has appeared, as some vendors attempt to combine DAST and
of DAST, SAST and IAST at appropriate stages of analysis – delivering the
abstract interpretation, Application Inspector provides code and API coverage and faultsafe assessment similar to SAST tools. Its built-in multi-language tracing engine provides IAST-type analysis for complex cases and the unique exploit generator yields results that are easy to understand.
About Positive Technologies.Positive Technologies is at the cutting edge of IT Security. We are one of the top ten worldwide vendors of Vulnerability Assessment systems
detecting and managing vulnerabilities in IT systems. Positive Technologies puts research at the heart of our operations, to ensure our products
Unify Security Under A Single Solution
Security is only as good as the weakest link; that’s why Application Inspector allows you to secure a broad range of applications including:
• Network and Web Applications —languages such as .NET, Java and PHP
• Mobile Applications — Android and Windows Phone 8
• ERP Systems —l anguages such as ABAP/Java/ PL/SQL for SAP and Oracle EBS
Additional Features
• Advanced pattern detection analysis discovers recurring vulnerabilities/backdoors with similar business logic and syntax
• Detects well-disguised vulnerabilities by monitoring for their symptoms
• Works with many technologies including: Java (Java SE, Java for Android, JavaEE, Java Frameworks), .NET (MSIL), SQL (SQL 92, PL/SQL, T-SQL), PHP, Web Technologies (HTML 5, JavaScript, VBScript, JSON/XML-RPC), XML (Generic, XSLT, Xpath, Xquery) and
• Detects a wide variety of attacks and vulnerabilities including: SQL injection, Cross site scripting, Object injection, HTTP response splitting, XPath injection, LDAP injection, Expression Language Injections
• Can be installed on a single machine or network server. Also available as a SaaS solution
• Integrates seamlessly with Positive Technologies MaxPatrol and Application Firewall products
Application Inspector in action
L
Vul
A
=
anguage Database
nerabilities Database
pplication Source Code Static Analyser Dynamic Slice
Dynamic Analyser
Exploit Generator ReportsPositive Research
Vulnerabilities
Vulnerabilities
Highlight Code
www.
Exploits
[email protected] / www.ptsecurity.com / www.maxpatrol.com