Positive Technologies unveils PT BlackBox, Russia's first on-premise scanner for dynamic application analysis

After foreign vendors left the Russian market, domestic companies had to turn to open-source solutions for dynamic-analysis-based protection of applications.

Positive Technologies expands its application protection product line1 and enters the dynamic application security testing (DAST2) market. The company was the first in Russia to release an on-premise DAST scanner for finding vulnerabilities using the black box method. The key advantages of PT BlackBox are its incorporation into continuous integration and continuous delivery (CI/CD) processes, heuristic and signature-based vulnerability scanning3, and ease of use. The product can be installed in 30 minutes, integrated in an hour, and, after just 7 hours of scanning, start eliminating vulnerabilities.

According to a Positive Technologies study, there are, on average, 15 vulnerabilities per site, two of which are high-risk. Application vulnerabilities (specifically, bugs in the code or problems in the working environment of a deployed program) may lead to serious consequences: intruders can penetrate the company’s internal infrastructure, steal sensitive data, or carry out attacks on users of its services. Due to the departure of many foreign information security vendors from Russia, domestic companies can no longer protect applications using previously deployed foreign DAST products. The solution in this situation comes from a Russian information security vendor.

PT BlackBox detects vulnerabilities and bugs in the application’s environment during its execution (from the OWASP Top 10, plus the most trending vulnerabilities), such as RCE, SQLi, File Inclusion, and OS Commanding. Moreover, PT BlackBox scans twice as fast as DAST solutions available on the Russian market, which are mostly open-source.

For ease of use and reliability during deployment, PT BlackBox is integrated into the CI/CD pipeline: scanning can be performed in parallel with acceptance testing, as well as after application testing and installation. In addition, PT BlackBox can be used to manually scan applications online.

The advantage of using Positive Technologies’ dynamic analyzer for developers, testers, infosec and DevOps (development & operations) specialists is that the product acts as an additional checker: using the black box method, it not only detects configuration problems in the infrastructure, but determines which vulnerabilities, such as ones identified during static analysis, can actually be exploited in attacks. This allows to eliminate vulnerabilities at an early stage, as well as detect bugs and vulnerabilities that were not found by other methods.

"According to our test results, DAST solutions perform better in detecting vulnerabilities associated with flaws in the configuration of protection mechanisms, with identification and authentication errors, and with the use of outdated software versions (all those threats are in the OWASP Top 10)," says Oleg Khaladzhiev, Head of the PT BlackBox Quality Assurance Group. "These classes of vulnerabilities are detected by using the scanner with a deployed application. Many of these vulnerabilities are of medium or high severity due to the risk of unauthorized access to the application or the user’s personal account, and therefore need to be fixed immediately."

PT BlackBox will enable organizations of any size, including large enterprises, to increase the level of application security and build a more efficient and secure development process.

"The PT BlackBox scanner requires minimal server hardware resources and installation and scanning time," says Denis Korablev, Managing Director, Product Director, Positive Technologies, about the new product release. "PT BlackBox can be installed in 30 minutes, integrated in 1 hour, launched, and, after just 7 hours of scanning, the specialist can start eliminating vulnerabilities. We achieved such simplicity and speed of operation thanks to our 10-year track record of creating advanced solutions for application information security. For many years, too, as part of our other products, we have been continuously developing dynamic analysis technology, which we have now decided to spin off into the standalone solution PT BlackBox."

PT BlackBox is built on dynamic application analysis technology and features the expertise of our PT SWARM4(Security Weakness Advanced Research and Modeling) center and PT Expert Security Center specialists. Dynamic analysis technology is also used in other Positive Technologies products, increasing their performance. In particular, it is used in PT Application Inspector to confirm vulnerabilities found in source code. Although PT Application Inspector retains the DAST core, in terms of building corporate DevSecOps processes, it is PT BlackBox combined with PT Application Inspector that delivers maximum vulnerability detection. The DAST core is likewise applied in PT Application Firewall for scanning the server side of applications, and in the vulnerability and compliance management system MaxPatrol 8 for searching for web vulnerabilities inside the perimeter.

  1. Positive Technologies’ application protection solutions also include the code security analyzer PT Application Inspector and the application-layer firewall PT Application Firewall.
  2. DAST provides dynamic application analysis without access to the source code and runtime environment (the black box method).
  3. In signature-based vulnerability scanning, the scanner checks files by matching their file signatures against a dictionary, while heuristic scanning uses known characteristics (heuristics).
  4. PT SWARM is a group of Positive Technologies experts who research system and device security.