Application security checks are now possible even without the source code. Solared Cyber Security presents SolaredAPPscreener.

28.10.2015

Solared Cyber Security Company, a developer of products and services for targeted monitoring and operational management of information security, presents SolaredAPPscreener, a new domestic security testing tool that combines static code analysis technologies with scientific approaches to reverse engineering.

SolaredAPPscreener is a static code analysis tool designed to identify vulnerabilities and undeclared capabilities in software. Applications are analyzed by the "white box" method even in the absence of the source code, which is the main distinguishing feature of the product. To run an analysis, the user loads the working application files into the scanner or, for a mobile application, simply copies the corresponding link from Apple Store or Google Play into the scanner.

The deobfuscation and decompilation technologies implemented in SolaredAPPscreener restore the source code with a high degree of accuracy, even if obfuscating (code-confusing) transformations have been applied. Four different technologies, including taint analysis, are implemented to improve the quality of code analysis. The Fuzzy Logic Engine processing module, built on proprietary algorithms, filters the detected vulnerabilities to reduce the number of false positives.

"We can say that SolaredAPPscreener is a product in which scientific thought has found a worthy technical implementation. The development team includes three candidates of sciences, two of whom defended their dissertations in the field of code decompiling, so the product's technologies provide a fundamentally new level of application, both in terms of suitability and in terms of the efficiency of application security assessment," says Daniil Chernov, head of the SolaredAPPscreener direction in Solared Cyber Security Company.

SolaredAPPscreener was created as a tool for security professionals; hence special attention was paid to the reporting system. Its main difference is that it provides detailed guidance on configuring the security controls in use (SIEM, WAF, NGFW), blocking any possibility of exploiting the vulnerabilities until they are eliminated. Reports intended for developers describe the identified vulnerabilities, with links to the relevant sections of the code and recommendations for addressing them by changing that code, which greatly simplifies development tasks.

Currently SolaredAPPscreener can analyze online and mobile applications written in the most popular languages: Java, Scala, PHP, Objective-C, Java for Android. There are also plans to extend the product to analyze the following languages: JavaScript, PL/SQL, 1C and C#.

"Risks connected with the application of code vulnerabilities have increased significantly recently," says Igor Lyapunov, general director of Solared Cyber Security Company. "According to our data, which contain JSOC reports, over 60% of successful cyber attacks are aimed at foreign business applications and were implemented through vulnerabilities in software. Application security is a fairly new topic, but many security professionals know that the quality of code also directly depends on information security, money, and sometimes on entire companies."

Despite the fact that the product has not been officially presented to the market, its users include JSCB Baltika, Bank Obrazovanie, Yandex Money and M Soft.