Positive Technologies introduces a new version of the system for analyzing application code security PT—Application Inspector 4.0. Among the key changes are a web version of the product and support for Docker containers 1 and TypeScript.
A study by Positive Technologies on the evolution of Development, Security, and Operations (DevSecOps) shows that over a third (36%) of surveyed specialists from Russian companies 2 have already included security measures in the software development cycle and have established good practices. However, they stress that they lack information about hands-on implementation cases (35%), processes (22%), tools (20%), formal methods, and DevSecOps architecture (18%). Therefore, most of the improvements in PT Application Inspector 4.0 were aimed at making code security analysis clear and convenient—both for information security specialists and developers.
In addition to Windows, the new version of PT Application Inspector now supports Linux. Positive Technologies estimates that about 83 percent of developers worldwide prefer Linux; and Astra Linux, the official Debian distribution package, is among the most common operating systems in the Russian public sector 3. Thus, companies using Linux and organizations aiming to optimize IT costs can now use the product, since:
- Linux-based systems are open-source; they are mainly distributed free of charge as ready-made distribution packages, and are less demanding on resources.
- Working in Docker containers reduces costs on setting up, supporting, and maintaining PT Application Inspector 4.0 by automating some of these operations.
- There are no restrictions on the number of users or projects in the product—the Positive Technologies vulnerability scanner can be used simultaneously by distributed teams.
Scan results can be accessed in the web version of PT Application Inspector 4.0, which allows the entire team to work with the detected vulnerabilities without deploying additional software on the workstation.
PT Application Inspector combines key analysis methods with unique abstract interpretation technology, which ensures highly accurate results and minimum false positives. According to the Open Web Application Security Project (OWASP) benchmark, PT Application Inspector has an average code analysis score of 85 percent, showing 100 percent of true positives and 14.7 percent of false positives. These figures put PT Application Inspector significantly ahead of most code analyzers on the market. The product automatically creates harmless exploits for confirming vulnerabilities and thus proving the feasibility of their exploitation in a real attack.
Denis Korablev, Managing Director, Product Director, Positive Technologies, says: «Unprotected applications pose a real danger to business. According to Positive Technologies, in 2021, 100 percent of applications analyzed by our experts contained vulnerabilities that enabled cybercriminals to carry out attacks of various levels of complexity. PT Application Inspector 4.0 combines four technologies for code analysis: SAST 4, DAST 5, IAST 6, and SCA 7, enabling high quality analysis, as confirmed by OWASP Benchmark and multiple cases over the nine years since PT Application Inspector entered the market.»
The new product version supports the TypeScript language—one of the ten most popular programming languages in the world, which is used to create both client-side (frontend) and server-side (backend) parts of web applications. TypeScript is the second language, after JavaScript, that the product supports based on the Just Static Analyzer (JSA) vulnerability search module. The JSA module is versatile and flexible in terms of performance—it can be used for quick and thorough code analysis. Positive Technologies plans to transfer all supported languages to this module and switch to plugins for IDE 8 to enable application security analysis when coding.
In addition, PT Application Inspector 4.0 now supports single sign-on (SSO) technology 9. For SSO authorization, the product also supports the SAML 2.0 standard (Security Assertion Markup Language—an open authentication data exchange standard based on XML), allowing security domains to exchange authorization credentials, as well as OpenID—an open standard and decentralized authentication protocol. Also, full protocol support has been implemented (previously, SSO authorization was integrated only with Microsoft Active Directory).
- A platform for the development, delivery, and launch of containerized apps.
- Research 2 involved employees of Russian IT (69%), financial (17%), and industrial (7%) companies.
- In 2020, the system passed the mark of 1 million licenses.
- Static application security testing
- Dynamic application security testing
- Interactive application security testing
- Software composition analysis
- Visual Studio and PhpStorm are PHP languages in the IDE.
- Single sign-on (SSO) technology is an authentication method that allows users to securely log in to multiple applications and websites at once using a single set of credentials.
