You can't secure what you don't acknowledge.SM

Tuesday, December 19, 2017

Solared Cyber Security's APPscreener - a static application security testing tool worth checking out

A large part of the vulnerability and penetration testing work I do focuses on application security - both web and mobile. A growing portion of my testing in this area is source code analysis and looking at software flaws where they begin. I'm always looking for good tools to use and I recently came across one that you might want to check out called APPscreener. It's a cloud-based (or on-premise) static application security testing (SAST) tool that can look at both raw source code and, in the event you don't have access to the source, binaries for both traditional web applications and mobile apps. 
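The paragraph above says a SAST tool finds "software flaws where they begin", in the source. As an added illustration (not code from the original post and not part of APPscreener), the toy rule below shows the shape of one such check: it parses Python with the standard `ast` module, records simple assignments, and flags `execute()`/`executemany()` calls whose SQL text is built at runtime by concatenation, `%` formatting, `.format()` or an f-string instead of bound parameters. The sink names in `QUERY_SINKS` and the three sample functions in `SAMPLE_SOURCE` are constructed for this example; a real engine carries a far larger sink catalogue and proper taint tracking across calls.

```python
"""Toy static-analysis rule: dynamically built SQL reaching a query sink.

Added example, not part of the original post or of APPscreener. The sample
source and the sink list are constructed for illustration only.
"""
from __future__ import annotations

import ast
from dataclasses import dataclass

# Method names treated as query sinks (assumption for this toy rule).
QUERY_SINKS = {"execute", "executemany"}

# Constructed sample input: two unsafe query builders and one parameterised one.
SAMPLE_SOURCE = '''\
import sqlite3

def find_user_concat(conn, username):
    query = "SELECT id FROM users WHERE name = '" + username + "'"
    cur = conn.cursor()
    cur.execute(query)
    return cur.fetchone()

def find_user_fstring(conn, username):
    cur = conn.cursor()
    cur.execute(f"SELECT id FROM users WHERE name = '{username}'")
    return cur.fetchone()

def find_user_safe(conn, username):
    cur = conn.cursor()
    cur.execute("SELECT id FROM users WHERE name = ?", (username,))
    return cur.fetchone()
'''


@dataclass
class Finding:
    line: int
    message: str


def scan_source(source: str, filename: str = "<sample>") -> list[Finding]:
    """Return one Finding per query sink whose SQL argument is built at runtime."""
    tree = ast.parse(source, filename)

    # Flat, flow-insensitive map of simple `name = value` assignments so a query
    # stored in a variable before the call can still be inspected.
    assigned: dict[str, ast.AST] = {}
    for node in ast.walk(tree):
        if (isinstance(node, ast.Assign) and len(node.targets) == 1
                and isinstance(node.targets[0], ast.Name)):
            assigned[node.targets[0].id] = node.value

    def is_dynamic(node: ast.AST, depth: int = 0) -> bool:
        """True if `node` produces a string from runtime values."""
        if depth > 5:                                   # guard against cycles
            return False
        if isinstance(node, ast.JoinedStr):             # f"... {x} ..."
            return any(isinstance(v, ast.FormattedValue) for v in node.values)
        if isinstance(node, ast.BinOp) and isinstance(node.op, ast.Mod):
            return True                                 # "..." % x
        if isinstance(node, ast.BinOp) and isinstance(node.op, ast.Add):
            # "a" + "b" is still a literal; anything else is runtime-built
            return not (isinstance(node.left, ast.Constant)
                        and isinstance(node.right, ast.Constant))
        if (isinstance(node, ast.Call) and isinstance(node.func, ast.Attribute)
                and node.func.attr == "format"):
            return True                                 # "...".format(x)
        if isinstance(node, ast.Name) and node.id in assigned:
            return is_dynamic(assigned[node.id], depth + 1)
        return False

    findings: list[Finding] = []
    for node in ast.walk(tree):
        if (isinstance(node, ast.Call) and isinstance(node.func, ast.Attribute)
                and node.func.attr in QUERY_SINKS and node.args
                and is_dynamic(node.args[0])):
            findings.append(Finding(
                node.lineno,
                f"SQL text built at runtime reaches {node.func.attr}(); "
                "use bound parameters instead"))
    findings.sort(key=lambda f: f.line)
    return findings


if __name__ == "__main__":
    for finding in scan_source(SAMPLE_SOURCE):
        print(f"sample.py:{finding.line}: {finding.message}")
```

Run as a script it reports lines 6 and 11 of the sample and stays silent on the parameterised query, which is exactly the distinction a SAST rule for injection has to draw; what a commercial engine adds on top is inter-procedural taint tracking, framework-aware sinks and the reporting layer the post describes.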

APPscreener has the best user interface I've seen in this type of tool. Once you get the on-premise version installed - or you simply get logged into the cloud version - it's literally point and click. I like this approach because not everyone with a need to perform a static analysis is super technical. These people, therefore, won't get bogged down with the installation and configuration minutiae that are common in other SAST tools I've used (especially the open source ones). APPscreener's interface can be seen here:

Reporting includes options for OWASP Top 10 (2017 support is said to be coming soon), PCI DSS, and more as shown here:

APPscreener's broad list of supported languages/platforms for static analysis is as follows:
  • ABAP 
  • C, C++, and C#
  • HTML5
  • Java and Java for Android
  • JavaScript
  • Objective C
  • PHP
  • PL/SQL
  • Python
  • Ruby
  • Scala
  • Solidity
  • T/SQL
  • VB 6.0
APPscreener can perform binary analysis on various filetypes as well:
  • Android
  • dll
  • exe
  • iOS
  • jar
  • war
One really neat thing about APPscreener is that you can point it directly at apps in Google Play and the Apple App Store, as shown below:

This is a nice feature for enterprises that have standardized on a specific set of business apps and need to formally roll them into their security program by vetting them for security flaws. It's an especially important feature when you don't have access to the source code.

I'm always looking to improve my application security testing approaches and tools such as APPscreener make a big difference in not only the time and effort involved in this work but also in the quality of the findings I'm attempting to uncover. Check it out if you're in the market for a SAST tool. Based on what I'm seeing, you'll quite likely find many application security flaws you didn't know you had...and those are the best kind since you can't fix what you don't know about!