
PT Application Inspector (PT AI)

Product
Developers: Positive Technologies
Date of the premiere of the system: 2014
Last Release Date: 2024/04/09
Technology: IS - Firewalls


Main article: Firewall

2024: PT Application Inspector version 4.7 with modules for C#, C, C++ and Objective-C

Positive Technologies released PT Application Inspector version 4.7; the company announced this on April 9, 2024. The main change in the release is new modules for the C#, C, C++ and Objective-C languages with support for running on Linux. Now all languages available in the product work on both Windows and Linux. This innovation will allow domestic companies to completely abandon Windows in accordance with the recommendations of the Ministry of Digital Development of the Russian Federation, as well as switch to Docker containers. The Go and Java languages, in turn, received updated components as part of the JSA.

In addition to the new modules, PT Application Inspector 4.7 supports Ruby. Thus, the product continues to expand its base of supported programming languages.

The product can also scan several languages within the same project. Positive Technologies estimates that nine out of ten web applications are written in multiple programming languages. The improvement delivers analysis results faster, eliminating the need for users to run separate scans for the frontend and backend. It also eliminates duplicate projects and makes working with the product even more convenient.

"PT Application Inspector is based on a versatile and productive JSA module of our own design, which we are continuously developing," said Anton Volodchenko, Product Manager of PT Application Inspector at Positive Technologies. "Architecturally, JSA is built in such a way that there is one common component for all languages that implements the analysis algorithms, and there are separate modules to support a specific language with its own specifics. Due to this, we can add support for new languages and technologies much faster while maintaining a high level of analysis quality."

A useful update for companies that simultaneously use scanning agents for both Windows and Linux: tasks from the scan queue are automatically distributed according to the operating system of the agent that supports analysis of the requested language.

2023: PT Application Inspector 4.5 with a Web IDE

On September 11, 2023, Positive Technologies introduced an updated version of its application source code security analysis system, PT Application Inspector 4.5. The key changes since the launch of the fourth version of the product are integration with development environments, the addition of a Web IDE and a scanning agent for Linux, the ability to switch the interface to a dark theme, and an updated editor for template-based search rules.

According to a study by the Center for Strategic Research, the market for application security solutions is growing by about 20% per year, and according to Positive Technologies experts, its growth is even higher. First of all, this is due to a change in the cyber climate and an increase in the number of cyber attacks: the number of incidents in 2022 increased by 20.8% compared to 2021; in particular, the growth in attacks on web applications reached 56%. Due to the departure of Western players from the Russian market, domestic companies focused their efforts on internal development and, as a result, their interest in secure software development methods increased. To greatly facilitate the work of all user groups that implement secure development processes (DevSecOps), including developers, information security specialists and DevOps engineers, Positive Technologies has released an updated version of its product, PT Application Inspector 4.5, significantly expanding its functionality. This version of PT Application Inspector can now integrate with the Visual Studio Code and IntelliJ IDEA development environments.

"In 2022, we released free plugins to make software development safer. Now these plugins exchange data with PT Application Inspector; this allows all participants to immediately see the results of the entire team's work on analyzing the vulnerabilities found in the IDE. The analysis modules built into the plugins detect source code vulnerabilities, dangerous third-party libraries and configuration file errors," noted Anton Volodchenko, PT Application Inspector Product Manager at Positive Technologies.

The code in PT Application Inspector 4.5 can now be viewed in the Web IDE. The module does not require installing additional software and at the same time gives users all the features of working with code in an IDE.

PT Application Inspector also now has a scanning agent for Linux operating systems. This allows all product components to be deployed on Linux machines. This is important for state-owned companies, which, under Decree of the President of the Russian Federation No. 166 dated 30.03.2022, should switch to Russian operating systems by January 1, 2025.

PT Application Inspector 4.5 can connect to a user-provided database running the PostgreSQL DBMS to store project parameters and scans. This is relevant for large companies that already have a ready-made infrastructure with PostgreSQL databases.

Also in this version of the product, work with Docker containers was improved. Resource restrictions are now set for their operation: the algorithm for calculating service limits is based on the total amount of memory occupied, taking weight factors into account, which solves the problem of uneven distribution of resources between services and the risk of services running out of resources. To make users' requests to Positive Technologies support more convenient and easier, the diagtool utility was added to this version; it collects data about the operating environment and PT Application Inspector services into an encrypted archive for subsequent sending to support.

Another PT Application Inspector update is the ability to create vulnerability search rules from templates. Custom rules help expand the knowledge base and find other types of vulnerabilities relevant to the user. According to a survey of key Positive Technologies customers, more than half of them regularly use a dark IDE theme. This interface design is now available in PT Application Inspector 4.5, and a scan information panel has also appeared in the product, making it more comfortable for users. Versioning of configuration files and APIs simplifies the integration of PT Application Inspector, reduces implementation costs, and eliminates the risk of long downtime if the format of the product's interaction with external systems changes.

2022: PT Application Inspector 4.0 - Web Version Availability

On April 7, 2022, Positive Technologies introduced the next version of its application source code security analysis system, PT Application Inspector 4.0. Key changes include a web version of the product, operation in Docker containers, and support for the TypeScript language.

A Positive Technologies study of DevSecOps (Development Security Operations) showed that more than a third (36%) of the Russian organizations surveyed have already included security measures in the software development cycle and have developed some practice. At the same time, experts emphasized that they lack information about practical implementation cases (35%), processes (22%), tools (20%), and formal methods and DevSecOps architecture (18%). Therefore, most of the changes in PT Application Inspector 4.0 were aimed at making code security analysis more understandable, both for information security specialists and for developers.

The presented version of PT Application Inspector, in addition to the existing support for Windows, runs on Linux. According to Positive Technologies experts, about 83% of developers in the world prefer Linux operating systems for work, and in the Russian market Astra Linux, an official Debian-based distribution, is one of the most common operating systems in the public sector. Thus, companies using Linux and organizations interested in optimizing IT costs can now work with the product, since:

  • Linux-based systems are open source, distributed mostly free of charge in the form of ready-made distributions, and less resource-intensive;
  • working in Docker containers reduces the labor required to configure, maintain and support PT Application Inspector 4.0 by automating some of these operations;
  • the product has no restrictions on the number of users or projects, so participants in distributed teams can use the Positive Technologies vulnerability scanner at the same time.

In PT Application Inspector 4.0, the scan results can be accessed in the web version, which allows the entire team to work with the vulnerabilities found without deploying additional software on the workstation.

PT Application Inspector 4.0 Web Interface

PT Application Inspector combines key analysis methods with abstract interpretation technology for high accuracy and minimal false positives. According to the benchmark of the international community Open Web Application Security Project (OWASP), PT Application Inspector has an average code analysis score of 85%, with a 100% true positive rate and a 14.7% false positive rate; by this indicator, PT Application Inspector, according to the company, is ahead of most code analyzers on the market. The product automatically creates harmless exploits that confirm a vulnerability and prove that it could be exploited in a real attack.

PT Application Inspector Quality Assessment Results Based on OWASP Benchmark Public Code Scan
"Unprotected applications pose a real risk to business. According to a study by Positive Technologies, in 2021, vulnerabilities were identified in 100% of the applications analyzed by our experts, making it possible for attackers to conduct attacks of varying complexity on clients. PT Application Inspector 4.0 combines four code analysis technologies, SAST, DAST, IAST and SCA, and thereby provides high-quality analysis, as confirmed by the OWASP benchmark and by cases over the nine years of PT Application Inspector's existence," says Denis Korablev, Managing Director, Product Director, Positive Technologies.

The presented version of the product adds support for the TypeScript language, one of the ten best-known programming languages in the world, used to create both client (frontend) and server (backend) parts of web applications. TypeScript became the second language, after JavaScript, that the product supports on the basis of the JSA (Just Static Analyzer) vulnerability scanning module. The JSA module is versatile and flexible in terms of performance: it can be used for both quick and thorough code analysis. Positive Technologies plans to migrate all supported languages to this module and move to IDE plugins, which allow analyzing application security right in the process of writing code.

2019: Application Software Vulnerability Analysis Report

On December 18, 2019, Positive Technologies announced that PT Application Inspector had updated its set of pre-configured reports. Now, based on the results of its work, the analyzer issues, among others, a report that meets the requirements of the Bank of Russia on the analysis of vulnerabilities in application software used for financial transactions. This report may serve as evidence of vulnerability analysis in accordance with the OUD4 requirements of GOST 15408-3-2014, accepted by auditors and the regulator.

Starting January 1, 2020, Bank of Russia regulations come into force under which financial institutions are required to analyze vulnerabilities in application software used for payment and other financial transactions. At the same time, the software must meet an evaluation assurance level (OUD) not lower than the fourth; the requirements for assurance levels are described in GOST 15408-3.

According to this standard, software developers must implement a certain set of security functions in their products, prove that they work, and ensure that attackers cannot disable or bypass them. Accordingly, financial institutions must develop their own applications and analyze vulnerabilities in accordance with OUD4 requirements.

In practice, this means the need to scan the source code to detect vulnerabilities, and then re-scan to confirm their elimination. Based on the results of this work, the software developer (that is, the financial institution) prepares a report in free form. This is a time-consuming process. PT Application Inspector (PT AI) helps optimize the preparation of the OUD4 compliance report.

"PT AI allows you to automatically scan the source code of a financial application, and then re-check the already modified sections of code to save time. In addition, it allows you to create exploits to check the vulnerabilities found; that is, in the context of OUD4 requirements, developers can confirm that the vulnerabilities found can actually be exploited," says Anton Alexandrov, Head of Application Security Business Development at Positive Technologies.

The system automatically finds vulnerable libraries and conducts dynamic and static code analysis. As a result, PT AI can find both known and unknown zero-day (0-day) vulnerabilities. Based on the results of its operation, the analyzer issues a report in a convenient format that meets the Bank of Russia requirements. For the auditor and regulator, it is this report that can prove the analysis of vulnerabilities and compliance with OUD4 requirements.

2018

PT Application Inspector received FSTEC certificate

On September 20, 2018, Positive Technologies announced that the company's PT Application Inspector source code analyzer had been successfully tested in the FSTEC of Russia certification system. Certificate of Conformity No. 4000 is valid until September 3, 2023.

As noted by Positive Technologies, the certificate confirms that PT Application Inspector meets the requirements of the guidance document "Protection against unauthorized access to information. Part 1. Information security software. Classification according to the level of control of undeclared capabilities" at the 4th level of control, as well as the declared technical specifications.

Technology description

According to information for April 2018, the use of abstract interpretation technology allows PT AI to filter out false positives and automatically confirm that the discovered vulnerabilities can be exploited. The same technology underlies the behavioral analysis of mobile applications for iOS and Android (for applications written in C# using Xamarin, and in Java for Android) performed by PT AI.

PT AI provides the highest vulnerability detection accuracy by combining multiple analysis methods with its own developments in filtering and vulnerability validation. The solution allows security flaws to be identified at different stages of development and supports both web and mobile applications.

The distinguishing feature of the PT AF self-learning firewall is that it can eliminate threats without updating the software of the protected application. The virtual patch engine blocks attacks through known vulnerabilities before the unsafe code is fixed. Together with the PT AI source code analysis system, this function provides a continuous process of identifying and blocking vulnerabilities. Instead of the classic signature method, PT AF analyzes network traffic and system logs to build an up-to-date model of application behavior and, based on it, detects abnormal system behavior. In combination with other protective mechanisms, this allows 80% of zero-day attacks to be blocked out of the box, without special configuration or adaptation to the protected application system.

The PT Application Firewall and PT Application Inspector communicate efficiently with each other and can be used on equipment from different manufacturers. For example, the PT AF firewall is fully compatible with the Cisco Unified Computing System Express platform.

When the systems are used together, the PT AF firewall can receive information about vulnerabilities in the application directly from the PT AI source code analysis and vulnerability detection system. PT AI implements a hybrid approach that combines the advantages of static, dynamic and interactive analysis and draws on the large vulnerability knowledge base accumulated by Positive Technologies experts.

2016: PT Application Inspector 2.4

On June 28, 2016, Positive Technologies announced the release of the PT Application Inspector 2.4 version of the source code security analyzer.

The modified version of the system contains more than 60 changes aimed at increasing the efficiency and ease of use of the product. PT Application Inspector 2.4 adds syntax highlighting, improves diagnostic information output, and checks all source code vulnerabilities in the deployed application with one click.

"Hundreds of vulnerabilities can be found in the source code. A lot of time was spent checking them in the assembled application. Automatic validation of source code vulnerabilities and other new features can reduce labor costs by 20-30%," said Anton Volodchenko, Head of Application Analysis Quality Assurance at Positive Technologies.

PT Application Inspector version 2.4 has an upgraded Report Wizard. Users can create OWASP Top 10 and PCI DSS reports containing only automatically confirmed vulnerabilities. In addition, the new version allows custom report types to be generated using XSLT. This functionality helps with code certification by simplifying compliance with the requirements of regulatory bodies, including RS BR IBBS 2.6, FSTEC orders No. 17 and 21, and requirements on the absence of undeclared capabilities (NDV).

The PT Application Inspector knowledge base continues to develop: support for additional types of vulnerabilities is implemented, such as Cookie Injection, ORM Injection, LINQ Injection, time-based injections for MSSQL, HTTP Request Splitting.

This version has improved compatibility with various programming languages and platforms. The depth and speed of analyzing PHP web applications has been increased thanks to a fully updated vulnerability search engine for PHP code; support for the Hibernate library for Java has been enhanced to provide more accurate data on web application vulnerabilities; and support for C# 6 has been added.

To safely check web applications, the product uses a blackbox scanner that dynamically analyzes the web application by the black box method on a test bench. The efficiency and convenience of such scanning has increased significantly thanks to support for an arbitrary set of headers and cookie-based authentication. In addition, the search for SQL injections in blackbox scanning was optimized.

"Unprotected web applications are a huge problem for government institutions and for large and small businesses. In 2015, our researchers discovered critical vulnerabilities in 71% of web resources. We counter the expanding range of threats with the high efficiency of PT Application Inspector 2.4, which has become more accessible. No expert qualification is required to work with the product, and the new types of licenses will be of interest not only to organizations with large volumes of software development, but also to companies that analyze code once or twice a year or scan a small number of applications," said Oleg Matykov, Head of Application Security at Positive Technologies.

2015

PT Application Inspector and PT Application Firewall are security solutions for RBS and ABS systems, as well as corporate applications and e-government portals. As of February 2015, the products are used to protect web applications and online services not only in Russia, but also in India, Italy and Korea. Companies such as Megafon and Postel (a division of the Italian state postal service) are already using the Application Security products.

As practice shows, the main target of cybercriminals today is application services, which have become an integral part of the IT systems of large and medium-sized businesses. Web technologies are increasingly used: Internet banking, mobile services for customers, portal ERP solutions for interaction with suppliers, online services of telecom operators, remote APCS terminals. However, they not only increase the efficiency of business processes but also give new opportunities to attackers.

According to a study by Positive Technologies, in 2014 over half of information security incidents in large Russian companies were related to the Internet, and most of them led to serious problems, including financial and reputational losses. The situation is not changed by the use of traditional firewalls and intrusion prevention systems. Attackers successfully bypass classic signature-based protection methods by exploiting zero-day vulnerabilities. Fixing detected errors and vulnerabilities in business applications and installing updates in ERP, APCS and RBS systems can take months, and sometimes more than a year, and all this time the vulnerability remains open.