Developers: Solar (formerly Rostelecom-Solar)
System premiere date: 2015/10/29
Last release date: 2024/07/02
Technology: Application Development Tools
Solar appScreener (formerly Solar inCode) is an application code analyzer that detects vulnerabilities and undeclared features (NDV).
2024: Solar appScreener 3.14.9
On July 2, 2024, Solar Group of Companies, the architect of integrated security, announced the release of an updated version of its Solar appScreener application security control solution. The key changes in this version concern the module for analyzing third-party components (SCA), the reduction of false positives, and integration with ASOC-class solutions.
According to the company, version 3.14.9 introduces combined SCA and SAST analysis for Java, Python, JavaScript, Go and C#, and the list of languages will expand. It not only detects vulnerabilities in third-party libraries but also visualizes the call path of these libraries in the code. This helps determine which vulnerabilities are actually reachable and saves developers time verifying them.
In the updated version of Solar appScreener, the SCA (Software Composition Analysis) module detects all third-party components using its own vulnerability database, which is regularly updated by experts from Solar Group. To minimize the number of false positives, the proprietary Fuzzy Logic Engine technology is used, which allows the identified vulnerabilities to be prioritized based on the EPSS rating. More useful information about vulnerable components is also provided: users now receive information about vulnerable versions of libraries, links to useful resources and extended mapping that takes into account domestic standards for classifying vulnerabilities. In addition, a dependency tree has been added, an interactive graph that clearly shows the structure of components in the project.
"The use of open source applications and libraries has increased significantly recently. According to the Linux Foundation, 70% to 90% of modern applications contain open source software, which opens up ample opportunities for cybercriminals to attack. One of the latest striking examples is the backdoor in the XZ Utils utility for Linux, which allows unauthorized remote access to the entire system. Since open source is equally accessible to everyone, including attackers, this poses a serious risk of targeted injection of vulnerabilities into open source libraries. Thus, it is crucial to check for vulnerabilities not only in your own code, but also in third-party components," noted Anton Prokofiev, Solar appScreener Security Control Expert at Solar Group.
Another change in version 3.14.9 is the consolidation of all third-party analysis technologies (SCA, SCS, license risk analysis, and combined SAST and SCA analysis) into a single OSA (Open Source Analysis) module. The OSA module in Solar appScreener is a next-level tool suite that combines mature technologies with the vendor's own vulnerability database. All technologies for analyzing third-party components are now found in a single tab in the interface, and running scans is more convenient and transparent.
Integration with application security orchestration (ASOC) solutions, DefectDojo and AppSecHub, is now possible. These platforms combine the results of multiple analyzers into a single interface, giving development teams and security professionals a complete picture of the application security state. With these tools, Solar appScreener users can work with the results of all types of analysis in one interface.
The updated version of the product supports the OWASP ASVS, OWASP MASVS and CWE/SANS Top 25 2023 standards, and users can now generate reports according to these international classifications. It also adds the ability to build Java projects from source code with its own tools, which optimizes code assembly for deeper analysis.
In addition to the developments mentioned above, the updated version implements a number of changes to improve the user experience. For example, the Moderator system role and role templates have appeared, and manual deletion of projects and scans is now available in the settings. The code preprocessing step for static analysis has also been optimized. This step processes the files you upload and converts them to a readable format, which eliminates analysis problems that can occur when large files are uploaded; preprocessing makes the code clearer and problems easier to identify. Version 3.14.9 also adds support for the Jenkins, TeamCity, Azure and CLT plugins for the DAST and OSA modules.
As of June 2024, Solar appScreener supports 36 languages. The scanner automatically detects the language in which the code is written and can also check programs written in several languages at once. The updated version adds vulnerability search rules for 15 programming languages, including 1C, PHP and Python.
2023
Addition of a software supply chain security analysis module
In Solar appScreener, application security control has been strengthened by the software supply chain security analysis module. Solar (formerly Rostelecom-Solar) announced this on December 4, 2023.
According to regulators and information security experts, as of December 2023, supply chain attacks are one of the most popular attack vectors. Adding the Supply Chain Security (SCS) module to the complete Solar appScreener solution enables proactive code protection.
The SCS module analyzes the security of components at all stages of the path by which software enters the organization, from the moment they are created or purchased, through updates, to the stage of use. Specialists of Solar Group (a subsidiary of Rostelecom working in the field of information security), using artificial intelligence tools, analyze data from open sources and predict the risks associated with the authorship of third-party components.
Supply chain analysis allows you to check the level of trust in the external components used based on 8 metrics (author's reputation, community activity, attention to security, etc.), as well as issue a security rating of the library used based on these metrics.
"As a rule, analysis of each third-party component by information security specialists is carried out manually or using tools for analyzing the composition of third-party components (SCA). The implementation of the SCS method greatly optimizes this process. The use of supply chain security analysis technology in the complete Solar appScreener product allows you to scan SBOM files and obtain an overall rating of trust in components. Based on this rating, a decision is made to ban or allow the use of the component in development," said Anton Prokofiev, an expert on security control of Solar appScreener software at Solar Group.
With the addition of this module, the existing functionality of Solar appScreener has also expanded. The product combines three key types of analysis in a single interface, static (SAST), dynamic (DAST) and software composition analysis (SCA), which together provide comprehensive control over secure application development.
In the updated version, the SCA module was supplemented with a license risk analysis, which allows you not only to find out what vulnerabilities are in the third-party library, but also to understand whether it can be used in accordance with its license policy.
More than 100 new vulnerability scanning rules have been added to the SAST module, as well as statistics on security classifications. Now information about violated points of international and domestic standards is presented in a visual format on the "Overview" page of the scan.
The DAST module has gained a method of authorization through headers, as well as the ability to select a scanning mode, which allows the aggressiveness of the tests to be configured in one click depending on the scan targets.
In addition, Solar appScreener can be deployed both on the organization's own computing power and used as a service from the cloud using the SaaS model.
Appearance of software composition analysis module
Solar appScreener has expanded its code analysis functionality by introducing a software composition analysis module. Rostelecom-Solar (formerly Solar Security) announced this on June 30, 2023.
Solar appScreener has thus become a solution in which three key types of analysis are available in a single interface, SAST, DAST and SCA, which provide comprehensive control over secure application development.
The SCA module speeds up the detection and elimination of vulnerabilities. The system independently detects all third-party components using large vulnerability databases as well as its own data registry, which is regularly updated by company experts. To minimize the number of false positives, its own Fuzzy Logic Engine technology is used.
"Open source applications and libraries have over the past year become one of the most pressing information security threats," said Daniil Chernov, director of the Solar appScreener Center at RTK-Solar. "According to Linux Foundation data, 70% to 90% of applications contain open source software, and source code vulnerabilities in third-party components open up great opportunities for attackers. Suffice it to recall the story of the vulnerability discovered in the Apache Log4j library, which is used in millions of enterprise applications. In addition, cases of intentional injection of malicious code into open source have become more frequent. Therefore, it is very important to check not only your own code for vulnerabilities, but also third-party components."
The updated version of the product added support for OWASP MASVS vulnerability classification and updated the supported version of PCI DSS from 3.2.1 to 4.0. The database of vulnerability search rules for Java and C# has been significantly expanded, and vulnerability search patterns have been added for a number of programming languages. As of July 2023, there are 36 supported languages. The scanner automatically detects the language in which the code is written, and can also check programs written in several languages at once.
In addition, a number of changes have been made to improve the user's experience with the system, for example, interactive prompts now appear when you first log in. The ability to manage the scan queue allows you to assign a scan priority and track the queue on a new page in the Projects section when running the analysis. They also simplified the work of security officers in companies that implement the solution into secure development processes, adding the ability to automatically create tasks in Jira based on the results of scanning.
Changing the logic of working with LDAP users simplifies the process of controlling access to the system of employees connecting with this protocol, and also monitors the number of users that is allowed under the existing license.
Solar appScreener's capabilities allow it to be integrated with repositories, development environments, bug tracking systems, and CI/CD services. Maximum automation and continuity of the process of identifying and eliminating vulnerabilities is a need for software companies.
2022
Solar appScreener 3.12 with the introduction of the software static and dynamic security analysis correlation module
On December 7, 2022, RTK-Solar presented an update to Solar appScreener, a comprehensive solution for controlling the security of software and information systems. The updated version can correlate the results of static code analysis (SAST) with the results of dynamic scanning (DAST). Their correlation reduces the number of false positives, so that users' attention is focused primarily on those vulnerabilities and undeclared features (NDV) that have been confirmed and whose elimination is the first priority.
In addition to static code analysis (SAST), Solar appScreener 3.12 provides the ability to perform dynamic scanning (DAST) of the application. Dynamic analysis identifies vulnerabilities by emulating external attacks: from the application's response, the system concludes whether vulnerabilities are present. Static analysis does not execute the program but analyzes all of its code; a feature of the method is that it covers more vulnerabilities.
To check an application in Solar appScreener 3.12, it is enough to specify the application URL and run the scan. Based on the correlation between the results of the two analysis methods, the Solar appScreener 3.12 user receives a single report. It lists the vulnerabilities and NDV detected by static code analysis and separately highlights those that were confirmed by dynamic testing of the application. The report, as before, contains detailed recommendations for correcting the detected errors and improving the security of the tested software.
"Previously, software security experts had to manually correlate the scan results produced by separate SAST and DAST solutions. By developing correlation algorithms for the results of the two analysis methods, we were able to reduce the number of false positives and achieve more accurate search results for vulnerabilities and NDV. This will significantly reduce the time spent processing vulnerability analysis results obtained from two different SAST and DAST tools, thereby reducing the burden on specialists responsible for the security of applications and information systems. It is also planned to develop the correlation module by adding other technologies, which will allow vulnerabilities in software to be identified even more effectively," noted Daniil Chernov, director of the Solar appScreener Center at RTK-Solar.
The updated version of Solar appScreener includes a number of changes to improve the user experience when working with the analyzer. In particular, the interface now displays the progress of file uploads for analysis, which avoids errors when loading large projects. Working with vulnerability groups has been improved, so that the user can select any vulnerabilities in the list and change the status or criticality, or leave a comment, for the entire group. Work with private repositories has also been optimized through integration using authorization tokens and SSH keys from the Solar appScreener interface.
The logic of working with report export templates has changed in the update: you can now create a global template that is not linked to a specific project. Starting with Solar appScreener 3.12, users can run scheduled scans and configure automatic reporting by specifying the addresses of specific recipients. Solar appScreener supports 36 programming languages and 9 executable file formats and is a world leader by this indicator. The updated version adds vulnerability search patterns for supported programming languages, expands the rule base for Android, improves taint analysis for Python, and adds support for Java 17 projects. In addition, the ability to scan a Java application from its source code only has been added, and support for the PHP Symfony framework has appeared.
Patent for a system and method for static analysis of executable binary code and source code using fuzzy logic
RTK-Solar announced on November 29, 2022 that it had received a patent from the Federal Intellectual Property Service for a system and method for static analysis of executable binary code and source code using fuzzy logic. The technology is used in the Solar appScreener code analyzer and is designed to minimize the number of false positives. The patent is valid until 2041.
Solar appScreener is a static application security analyzer. Its capabilities allow you to identify vulnerabilities and undeclared capabilities by highlighting them in the code of the application being tested. A distinctive feature of the RTK-Solar solution is the static analysis of not only the source, but also the binary code (executable files). This provides better and faster results than dynamic code analysis.
To minimize both false positives and missed vulnerabilities in the code, Solar appScreener has the Fuzzy Logic Engine technology. It uses the mathematical apparatus of fuzzy logic and is the technological know-how of RTK-Solar. The parameters of the filters are determined by a knowledge base, which is constantly updated based on the results of research. The security officer can independently work with the filters to reduce the number of false positives and missed vulnerabilities and NDV. Fuzzy sets and fuzzy logic are generalizations of classical set theory and formal logic; the theory arose from the fuzzy and approximate reasoning people use when describing processes, systems or objects.
"The number of false positives and missed vulnerabilities is one of the key characteristics of a code analyzer, so improving the Fuzzy Logic Engine is very important for product development. The technology that formed the basis of this mechanism originates in my thesis on algorithms for analyzing information risks. It was later modified into a technology for processing vulnerability scanning rules," said Daniil Chernov, Director of the Solar appScreener Center at RTK-Solar.
The RTK-Solar solution is actively used by domestic and foreign companies engaged in their own development, both as a standalone scanner and as the central element of a secure development system. Solar appScreener is also often chosen by testing laboratories that provide software certification services for compliance with information security requirements. Customers note the intuitive interface of the analyzer, which is designed, among other things, for specialists without development experience. Solar appScreener not only highlights vulnerabilities and undeclared features identified in the code, but also gives detailed recommendations for fixing them.
Obtaining Russian FSTEC certificate for compliance with the Requirements
The static code analyzer Solar appScreener has received a certificate from the FSTEC of Russia for compliance with the Requirements for the 4th level of trust (hereinafter UD4) and with its technical conditions. This was announced by the company Rostelecom-Solar on June 14, 2022. The document confirms that the Solar appScreener software meets the FSTEC information security requirements for information protection tools and information technology security tools. Because Solar appScreener holds a UD4 certificate under the Trust Requirements, the solution can be used in organizations with high requirements for the security of the software they use, including organizations that operate significant objects of critical information infrastructure (OCII).
Solar appScreener is developed by RTK-Solar and is designed to analyze program code for vulnerabilities and undeclared features. The solution supports 36 programming languages and by this indicator is the leader among such systems. Among the features of Solar appScreener are the ability to analyze executable files in the absence of access to the source code, as well as a patented technology to reduce false positive and false negative positives - Fuzzy Logic Engine. In addition to highlighting vulnerabilities in the code, the analyzer provides detailed recommendations for fixing and configuring security features. Solar appScreener can also integrate with various repositories, systems and services to provide secure development processes. Information protection tools that correspond to the 4th level of trust are used in significant objects of the critical information infrastructure of the 1st category, in state information systems of the 1st class of security, in automated control systems of production and technological processes of the 1st class of security, in personal data information systems if it is necessary to ensure the 1st level of security of personal data, as well as in public information systems of the 2nd class. Thus, customers who have such objects can use Solar appScreener.
To ensure the maximum protection of sensitive information of Solar appScreener customers, RTK-Solar has applied for the re-issuance of a certificate for compliance with the new Trust Requirements. Based on the results of the tests in the laboratory of FSUE NPP Gamma, on January 31, 2022, a positive conclusion was received on the compliance of the software with the UD4 Trust Requirements, on the basis of which FSTEC of Russia reissued the certificate of conformity to Solar appScreener.
"The security of state information systems and other critical information infrastructure facilities is a matter of strategic importance. In the context of increased activity of cybercriminals, aimed among other things at CII facilities, it is especially important to pay attention to all aspects of information security. Source code analysis can prevent attacks that are carried out through software vulnerabilities. For us, as a company working with many state customers and other CII subjects, it is extremely important to provide organizations with a solution that meets all the current requirements of state supervisory bodies, including FSTEC of Russia," noted Daniil Chernov, Director of the Solar appScreener Center at RTK-Solar.
Solar appScreener 3.11 with OWASP 2021 classification, SARIF reporting and filtering by package and file
On April 19, 2022, Rostelecom-Solar introduced version 3.11 of the Solar appScreener security code analyzer.
The Solar appScreener team monitors emerging software security threats and updates the vulnerability search databases in the product accordingly. Solar appScreener 3.11 includes the current classifications of serious security vulnerabilities in web applications, such as the OWASP Top 10 and CWE/SANS 2021.
The SAST analysis tool can now export reports in the editable DOCX format and in SARIF. The latter is a unified, JSON-based format for exchanging the output of static analysis tools. Since automation is important for building DevSecOps, a single format simplifies the interaction between development infrastructure components and a static analyzer.
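To make the SARIF remark concrete, here is an added example (not Solar appScreener code, and not its report format) that assembles analyzer findings into a minimal SARIF 2.1.0 log and summarises it the way a CI gate might. The rule ids, file paths and the ExampleSAST tool name are constructed for the example; the schema URL is the OASIS SARIF 2.1.0 schema.

```python
"""Build a minimal SARIF 2.1.0 report from analyzer findings.

Added example, not Solar appScreener code: it shows the shape of the
JSON-based SARIF format the text says the tool can export, so that a CI
step can consume the same structure regardless of which SAST tool produced it.
"""
import json

# Constructed sample findings; rule ids and paths are hypothetical.
SAMPLE_FINDINGS = [
    {"rule_id": "SQLI-001", "rule_name": "SQL Injection", "severity": "high",
     "message": "Untrusted request parameter reaches a SQL query.",
     "file": "src/main/java/app/UserDao.java", "line": 42},
    {"rule_id": "LOG-007", "rule_name": "Log File Forgery", "severity": "medium",
     "message": "Unvalidated input written to the log.",
     "file": "src/main/java/app/Audit.java", "line": 17},
]

# SARIF results carry a fixed set of levels; map analyzer severities onto them.
SEVERITY_TO_LEVEL = {"critical": "error", "high": "error",
                     "medium": "warning", "low": "note"}

SARIF_SCHEMA = ("https://raw.githubusercontent.com/oasis-tcs/sarif-spec/"
                "master/Schemata/sarif-schema-2.1.0.json")


def to_sarif(findings, tool_name="ExampleSAST", tool_version="0.1"):
    """Return a SARIF 2.1.0 log (as a dict) with one run covering all findings."""
    # Each distinct rule is declared once under tool.driver.rules; every
    # result then points at it by ruleId and by ruleIndex.
    rule_ids, rules = [], []
    for f in findings:
        if f["rule_id"] not in rule_ids:
            rule_ids.append(f["rule_id"])
            rules.append({"id": f["rule_id"], "name": f["rule_name"],
                          "shortDescription": {"text": f["rule_name"]}})

    results = []
    for f in findings:
        results.append({
            "ruleId": f["rule_id"],
            "ruleIndex": rule_ids.index(f["rule_id"]),
            "level": SEVERITY_TO_LEVEL.get(f["severity"], "warning"),
            "message": {"text": f["message"]},
            "locations": [{"physicalLocation": {
                "artifactLocation": {"uri": f["file"], "uriBaseId": "%SRCROOT%"},
                "region": {"startLine": f["line"]},
            }}],
        })

    return {
        "$schema": SARIF_SCHEMA,
        "version": "2.1.0",
        "runs": [{
            "tool": {"driver": {"name": tool_name, "version": tool_version,
                                "rules": rules}},
            "results": results,
        }],
    }


def count_by_level(sarif):
    """Count results per SARIF level across all runs (a simple CI gate input)."""
    counts = {}
    for run in sarif["runs"]:
        for result in run["results"]:
            counts[result["level"]] = counts.get(result["level"], 0) + 1
    return counts


if __name__ == "__main__":
    report = to_sarif(SAMPLE_FINDINGS)
    print(json.dumps(report, indent=2))
    print(count_by_level(report))
```

A pipeline that fails the build when `count_by_level(report).get("error", 0) > 0` works unchanged with any analyzer that emits SARIF, which is the interoperability point the paragraph makes.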
Solar appScreener 3.11 has implemented functions for working with detected vulnerabilities. The system has the ability to filter by belonging to a package, file, vulnerability source and exploitation point. Flexible parameters allow you to selectively analyze the necessary elements of large projects without creating additional load.
"In the development of the product, our team focuses first of all on user feedback. At the request of customers, in the latest version we have expanded support for 1C: the database of vulnerability search rules for this language has grown by 40%."
Other additions include the ability to run projects on a schedule from the Solar appScreener interface. Previously, users could configure scheduled scanning only via CI/CD components; since many companies do not have CI/CD servers, the developers added scheduled analysis to the product interface.
Addition of CVE-2022-22965, a vulnerability in the Spring open source Java framework, to the database
On April 8, 2022, Rostelecom-Solar announced an update to the vulnerability search database of the Solar appScreener application code analyzer. The update covers the critical vulnerability CVE-2022-22965, which affects the Spring open source Java framework. The bug allows remote execution of arbitrary code without authentication, and it was assigned a CVSS score of 9.8 out of 10.
The vulnerability, identified in the Spring Core module, allows data in the HTTP request to be bound to the fields of application objects. The bug lies in the implementation of the getCachedIntrospectionResults method, which can be used to gain unauthorized access to these objects by passing their class name data through such an HTTP request.
The vulnerability is present in Spring MVC and Spring WebFlux applications running on the Java Development Kit (version 9 and later), and its exploitation could compromise a huge number of servers. The highest risk is faced by enterprise Java applications based on the Spring Framework that run with root privileges, since the vulnerability then allows the entire system to be compromised. CVE-2022-22965 is fixed in Spring Framework versions 5.3.18 and 5.2.20.
"The current situation is dangerous because many organizations do not have a process for monitoring vulnerabilities, and despite the promptly released patches and the distribution of recommendations for eliminating the vulnerability, some companies are still under threat," said Daniil Chernov, director of the Solar appScreener Center at Rostelecom-Solar. "Our research laboratory monitors the emergence of zero-day vulnerabilities, and the development team quickly reflects them in the Solar appScreener vulnerability search database. Since the beginning of April, the database of vulnerability search rules has been constantly replenished with other bugs detected in Spring: CVE-2022-22963, CVE-2022-22946, CVE-2022-22947, CVE-2022-22950,"
2021
Addition of the Log4Shell zero-day vulnerabilities to the search database
On December 22, 2021, Rostelecom-Solar presented an updated vulnerability search database for the Solar appScreener SAST analysis tool, supplementing it with the zero-day vulnerabilities discovered in the Apache Log4j library. Apache Log4j is used by millions of enterprise applications and Java servers for logging error messages. The vulnerabilities in it were named Log4Shell (LogJam and LogJ are also used) and belong to the Remote Code Execution (RCE) and Local Code Execution (LCE) classes. In addition, the possibility of Denial of Service (DoS) attacks was discovered.
According to the company, before the addition, the Solar appScreener policy identified any untrusted data written to the log and classified it as a vulnerability of the type "Log File Forging." As of December 2021, the code analysis tool has been updated with additional rules, which allow Log4Shell vulnerabilities to be highlighted separately within the discovered vulnerabilities of the type "Log File Forgery."
"As of December 2021, companies around the world are using the vulnerable Apache Log4j library in the development of Java products. If we add to this fact the low complexity of exploiting the vulnerabilities, we get a large number of vulnerable systems and a large number of attackers who, without complex technical skills, can hack these systems. The problem is aggravated by the fact that many organizations do not have a process for monitoring vulnerabilities, so despite the presence of security patches and recommendations for fixing the vulnerabilities, some organizations are still at risk. Our research lab monitors the Log4Shell vulnerabilities, and the development team quickly reflects them in the Solar appScreener vulnerability search database," said Daniil Chernov, Director of the Solar appScreener Center at Rostelecom-Solar.
Rules have been added to the Solar appScreener analysis database to search for all Apache Log4j library vulnerabilities identified as of December 2021:
- CVE-2021-44228 (CVSS score: 10/10) is a critical remote code execution vulnerability that affects Log4j versions 2.0-beta9 to 2.14.1. The problem was partially fixed in patch 2.15.0. The vulnerability makes it possible to have Java-based applications and servers that use the Log4j library write a specific string to their logs; when the application or server processes the logs, the string can cause the vulnerable system to download and run malicious code. As a result, the attacker gains full control over the vulnerable application or server, and the attack can develop further from there. Apache Software Foundation developers released an emergency security update: starting with version 2.15.0, the problem is partially fixed. Version 2.15.0 does not account for some log processing options, which leaves attackers able to attack a vulnerable system. Patch 2.15.0 closes the flaw by disabling JNDI message lookups; in non-default configurations it is still possible to craft malicious input using the JNDI lookup template, which can lead to a denial of service attack and arbitrary code execution. This scenario was assigned the separate identifier CVE-2021-45046. Exploitation of CVE-2021-44228 is possible if the log4j2.formatMsgNoLookups parameter is set to false. To prevent attacks, the Log4j 2.15.0 patch sets this parameter to true; when updating to 2.15.0, do not change it back to false. Users of the Log4j library who have not updated but have set the parameter to true can block attacks.
- CVE-2021-45046 (CVSS score: 9/10) is a critical vulnerability that allows DoS attacks and remote code execution. The problem affects Log4j versions 2.0-beta9 to 2.15.0 (except 2.12.2). In Log4j version 2.15.0, the CVE-2021-44228 vulnerability could still be exploited under certain user configuration settings, because only one aspect of the JNDI message lookup functionality was disabled in it. In update 2.16, JNDI support was disabled by default and message lookup processing was removed completely.
- CVE-2021-45105 (CVSS score: 7.5/10) is a dangerous DoS vulnerability on Java 8 systems that causes a denial of service, manifesting as an infinite loop and abnormal termination when processing certain strings. It affects Log4j versions 2.0-beta9 to 2.16.0. These versions lacked protection against uncontrolled recursion, which allowed an attacker manipulating a value during substitution to cause a loop; the loop exhausted the stack and crashed the process. The patch was released in version 2.17.0.
- CVE-2021-4104 (CVSS score: 8.1/10) is an unsafe deserialization vulnerability affecting Log4j 1.2 versions. It affects Log4j 1.2 only when it is specifically configured to use JMSAppender, which is not the default. No patch is available; the library must be upgraded to version 2.17.0.
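The affected-version ranges in the list above are exactly the kind of data an SCA check consumes. The following added example (not Solar appScreener code and not its rule format) encodes the ranges and conditions stated for the four CVEs and applies them to a constructed list of Log4j components such as one would read from an SBOM. It generalizes slightly by handling pre-release tags like beta9 in version ordering; the component list and the `jms_appender` flag are constructed for the example.

```python
"""Match Log4j component versions against the Log4Shell CVE ranges above.

Added example, not Solar appScreener code: an SCA-style check that, given
the Log4j artifacts found in a project, reports which of the four CVEs listed
on this page apply, using only the version ranges and configuration conditions
the text gives.
"""
import re

# Affected ranges as stated in the text: (first affected, last affected).
LOG4J_CVES = {
    "CVE-2021-44228": {"cvss": 10.0, "affected": ("2.0-beta9", "2.14.1")},
    "CVE-2021-45046": {"cvss": 9.0, "affected": ("2.0-beta9", "2.15.0"),
                       "except": {"2.12.2"}},
    "CVE-2021-45105": {"cvss": 7.5, "affected": ("2.0-beta9", "2.16.0")},
}
# CVE-2021-4104 is handled separately: Log4j 1.2 only, and only with JMSAppender.

PRE_ORDER = {"alpha": 0, "beta": 1, "rc": 2}
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+))?(?:-([a-z]+)(\d+)?)?$")


def parse_version(text):
    """Turn '2.0-beta9' or '2.14.1' into a tuple that sorts correctly.

    A final release sorts after any pre-release of the same x.y.z, so the
    fourth element is 9 for finals and the pre-release rank otherwise.
    """
    match = _VERSION_RE.match(text.strip().lower())
    if not match:
        raise ValueError(f"unrecognised version: {text!r}")
    major, minor, patch, pre, pre_num = match.groups()
    base = (int(major), int(minor), int(patch or 0))
    if pre is None:
        return base + (9, 0)
    return base + (PRE_ORDER.get(pre, 5), int(pre_num or 0))


def affected_cves(version, uses_jms_appender=False):
    """Return the CVE ids from this page that apply to one Log4j version."""
    parsed = parse_version(version)
    hits = []
    for cve, info in LOG4J_CVES.items():
        low, high = (parse_version(v) for v in info["affected"])
        if low <= parsed <= high and version not in info.get("except", set()):
            hits.append(cve)
    # The 1.2 branch issue depends on configuration, not just version.
    if parsed[:2] == (1, 2) and uses_jms_appender:
        hits.append("CVE-2021-4104")
    return hits


# Constructed sample component list, in the spirit of an SBOM's component entries.
SAMPLE_COMPONENTS = [
    {"name": "org.apache.logging.log4j:log4j-core", "version": "2.14.1"},
    {"name": "org.apache.logging.log4j:log4j-core", "version": "2.15.0"},
    {"name": "org.apache.logging.log4j:log4j-core", "version": "2.17.0"},
    {"name": "log4j:log4j", "version": "1.2.17", "jms_appender": True},
]


def scan_components(components):
    """Map each component (name@version) to the list of applicable CVE ids."""
    report = {}
    for comp in components:
        key = comp["name"] + "@" + comp["version"]
        report[key] = affected_cves(comp["version"], comp.get("jms_appender", False))
    return report


if __name__ == "__main__":
    for component, cves in scan_components(SAMPLE_COMPONENTS).items():
        print(component, "->", ", ".join(cves) or "no listed CVE applies")
```

Reading the output alongside the text: 2.14.1 matches all three 2.x ranges, 2.15.0 only the two later ones, 2.17.0 none, and the 1.2.17 entry is flagged only because its `jms_appender` flag is set, mirroring the page's note that CVE-2021-4104 depends on configuration.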
Solar appScreener 3.10 with enhanced system access security
On November 1, 2021, Rostelecom-Solar introduced version 3.10 of the Solar appScreener code analyzer. Among the key changes: additional secure access measures were introduced, it became possible to suspend scans, and the database of vulnerability search rules was updated.
Solar appScreener 3.10 limits the number of incorrect login attempts. In the default settings, the account is automatically blocked after the fifth failed attempt. The system administrator can change the number of allowed attempts or disable this option in the settings. In addition, a requirement for regular password change was added: in the basic configuration the password is valid for three months, which the administrator can adjust if necessary. The password change requirement can also be disabled.
Rostelecom-Solar specialists added the possibility of suspending scans to version 3.10. This allows you to prioritize the order of analysis of projects, so that you can speed up the analysis of the necessary applications if many projects are running on the system at the same time. At the same time, the resumption of suspended scans occurs without losing the achieved progress. You can pause or resume the analysis on the "Home page" or in the "Scans" section.
"Each product release is the result of deep and lengthy analytical work. When researching the needs of users, market trends, regular threats and ways to implement features in a product, we always focus on the main thing. Thanks to this, Solar appScreener is one of the fairly functionally developed code security scanners on the market, "- notes Daniil Chernov, Director of the Solar appScreen Center of Rostelecom-Solar. |
Traditionally, each update improves the database of vulnerability search rules. In particular, Solar appScreener 3.10 includes additional search rules for Dockerfile and docker-compose.yml configuration files. Version 3.10 also added the ability to create patterns for the C++ language in XML format: users can now write their own vulnerability search rules, upload them to the system through the interface and apply them when analyzing C++ projects. Detailed requirements for the rule format are given in the About the Product section. The rules for finding vulnerabilities in Delphi applications were also supplemented, improving support for that language.
The JVM analysis module was also updated: rules for detecting the reuse of cryptographic keys were added and performance was optimized.
Red OS Compatibility
The Solar appScreener static code analysis tool developed by Rostelecom-Solar has been tested for compatibility with the RED OS operating system, which is based on the Linux kernel. Correct operation is confirmed by a bilateral certificate. Red Soft announced this on October 26, 2021.
Solar appScreener and RED OS are certified by the FSTEC of Russia and included in the Unified Register of Domestic Software, which confirms their compliance with information security requirements and allows use in state information systems.
{{quote 'Import substitution is one of the priority national tasks. The state stimulates the development of Russian information technologies, supporting the transition of state structures and state-owned companies to domestic developments. One of the tasks of Rostelecom-Solar as a participant in the Russian IT market is to help organizations make an unhindered and safe transition to domestic software. Technological partnership with developers of domestic operating systems is an important step for us in this direction, - said Daniil Chernov, Director of the Solar appScreener Center at Rostelecom-Solar. }}
{{quote 'The creation of an independent IT infrastructure is the main task of the information technology market. It is IT professionals who must develop a secure ecosystem, ensuring the completeness of the stacks being implemented. Completeness for us as a developer of the RED OS operating system means compliance of our product with customer requests, including compatibility with specialized software, which, for example, is Solar appScreener. We thank our partners for their cooperation, - said Rustamov Rustam, Deputy General Director of RED SOFT. }}
Solar appScreener 3.9
On April 15, 2021, Rostelecom-Solar, a national provider of cybersecurity services and technologies, presented an updated version of the Solar appScreener 3.9 code analyzer. The update adds support for the Dart programming language. For convenience when working with scan data, the ability to export reports in CSV format has been added. The updated version also makes it possible to select files for analysis manually, so that the code of the entire project need not be scanned when only a specific area has to be analyzed.
According to the company, in Solar appScreener 3.9, Rostelecom-Solar specialists expanded the list of supported programming languages to 36. This version adds analysis of the object-oriented programming language Dart, which developers use to create mobile, server and web applications. At the same time, as part of extending support for current languages, Rostelecom-Solar specialists added analysis of the Vue.js framework for JavaScript and Flask for Python.
The reporting format also changed in the updated version. Starting with Solar appScreener 3.9, a report can be exported as an archive of CSV files, which lets users work with the data more flexibly: filter it by specific categories, draw analytical conclusions and build graphs from the obtained values. The ability to receive a PDF report remains, but it is harder to work with information in that format, since the data is exported in static form.
Solar appScreener 3.9 allows specific files to be selected for analysis. When an application is submitted for scanning, you can see which files will be analyzed and, if necessary, manually exclude those that do not need to be analyzed. If the user chooses to scan the entire project, the code analyzer identifies the set of files in the loaded directory and then analyzes each of them for vulnerabilities and undeclared features. After completion, the scan results are available in the interface in the Overview section or as a separate report with statistics on these files.
The presented update also makes it possible to run several scans with different settings in the same project at once, prioritizing them in order. All software security analysis statuses are available in the Scans section.
In addition, Rostelecom-Solar specialists added the ability to delete project scans. In this version, the user can either archive a scan or delete it irrevocably. The analysis launch form was also optimized: in the update, the file selection and the application link field are combined into one tab, and scanning of a project can now be started from the Scans page.
In Solar appScreener 3.9, the developers added search patterns and supplemented vulnerability descriptions for supported programming languages.
Support for LotusScript in Solar appScreener 3.8
On January 25, 2021, Rostelecom-Solar, a national provider of cybersecurity services and technologies, announced the release of the next version of the Solar appScreener 3.8 code analyzer. The update introduces an experimental analysis mode, which lets system users try out the latest vulnerability detection capabilities while they are still under study by the system developers. Language support has also been expanded with analysis of applications in LotusScript, and an informational level of vulnerability criticality has appeared in the analyzer interface.
{{quote 'To quickly deliver technological innovations to users, Solar appScreener 3.8 added an analysis mode for applications written in Java, Scala and Kotlin. It is based on a complex mathematical algorithm that allows you to increase the accuracy and number of results obtained when scanning the code. To enable this function during analysis, you must select the appropriate parameter in the interface. At the same time, our clients are guaranteed the preservation of the stability of the system's functioning developed over the years: if the user does not need the experimental analysis mode, he may not use it and continue to work in the same mode as before, - said Daniil Chernov, Director of the Software Security Solutions Center at Rostelecom-Solar. }}
In this version, the developers at Rostelecom-Solar expanded the set of programming languages by adding the object-oriented LotusScript language, on which many IBM and HCL systems are based. This language is used in Europe and the USA to develop Lotus family applications: systems for automating business processes and group activities in companies (corporate mail, chats, messengers, etc.). LotusScript support was implemented to expand the product's development horizons in international markets. As of January 2021, Solar appScreener already supports 35 languages.
A significant change in this version is the appearance of an informational level of criticality in the vulnerability classification system. This parameter marks poor-quality code that is not yet a vulnerability but could, if modified in the future, lead to gaps in the application. In earlier versions of the system, such information could be found in the "Vulnerabilities with a low level of criticality" section. Starting with Solar appScreener 3.8, this data is placed in a separate informational block and no longer affects the overall security rating of the application.
At the same time, users of this version have the opportunity to independently create cards with vulnerability search rules in the system interface. This functionality is especially in demand by companies that have implemented a secure development process based on Solar appScreener. For example, using your own rules, you can find features in the code of developed applications that indicate the possibility of performing technical fraud in the system.
Now the user can independently create a card with a description, examples and recommendations for fixing the vulnerability, and then add their own search patterns in XML format. At the same time, the rules built into the system are no longer available for editing: system rules that were changed previously are automatically converted to custom ones.
To comply with the regulatory requirements of certain international jurisdictions, Rostelecom-Solar specialists added the ability to view the user agreement (EULA) at any time, and not only when first logging in.
2020
Solar appScreener 3.7 with Integrated Development Environments
Rostelecom-Solar has released the next update of the Solar appScreener 3.7 application code analyzer. This became known on October 14, 2020. A key change in this version is support for the IntelliJ IDEA integrated development environment from JetBrains and Microsoft's Visual Studio, which makes it possible to fix vulnerabilities at earlier stages of software creation.
IntelliJ IDEA, developed by JetBrains, is a development environment for many programming languages, in particular Java, JavaScript and Python. Visual Studio from Microsoft, in turn, is a software development tool used to create web applications, websites, mobile applications and Windows programs. The IDE support implemented in the updated version of Solar appScreener allows static analysis of applications for vulnerabilities to be embedded in the development process as early as the build stage.
In addition to early detection of vulnerabilities, the authors of the system also worked on speeding up the launch of scans. A "Settings" subsection for creating scan templates has appeared in the Solar appScreener personal account. Users of the analyzer can now save their scan preferences as templates and use them to start projects quickly.
{{quote 'Along with supporting the largest number of programming languages among all similar market solutions and expanding the integration capabilities of our product, we pay considerable attention to improving its functionality. The key changes are suggested to us by the users themselves; focusing on them, we strive to make Solar appScreener the most convenient code scanner, - says Daniil Chernov, Director of the Software Security Solutions Center at Rostelecom-Solar. }}
In line with this goal, Solar appScreener 3.7 supplemented and significantly improved the functionality of the user interface. For example, a system administrator's guide appeared in the "About the product" section. All instructions for installing, updating and configuring the analyzer can now be downloaded directly from the system interface rather than requested from the vendor.
In addition, the performance of the Detailed Results section of the interface has been improved: the page now loads faster, and working with a large number of vulnerabilities is more convenient. In the forms for creating and editing project groups, rule sets and patterns, "Private" and "Public" radio buttons appeared, which let you set the visibility of particular project elements at once for all users of the analyzer or only for a limited circle of people. In previous versions, this function was represented by a less intuitive "For all users" checkbox.
To improve the effectiveness of vulnerability detection in version 3.7, the developers supplemented the rule base with vulnerability search patterns for supported programming languages, and also expanded the descriptions of vulnerabilities.
Inclusion in Singapore Government Grant Program
The Singapore ICT and media regulator IMDA (Infocomm Media Development Authority) has included the Russian Solar appScreener application code analyzer in a state grant program under which small and medium-sized IT enterprises in the country can receive funding to purchase information security systems. Rostelecom-Solar announced this on September 17, 2020. The solution is provided under this program by the Singapore partner of Solar appScreener, Athena Dynamics.
Singapore is actively encouraging small and medium-sized companies to implement digital solutions for productivity and business transformation. In this regard, IMDA considers it a priority for local IT vendors to ensure a high level of security in the technologies and solutions they create. To let ICT companies quickly improve the security of the systems they develop, the regulator launched the GoSecure grant program.
Under the program, Singapore IT small and medium-sized enterprises will be able to receive a grant for the purchase of cybersecurity solutions from the IMDA-approved list for further use in the development and implementation of their systems. The regulator will provide program participants with a subsidy of up to 80% of the cost of purchased information security solutions.
{{quote 'Static binary code analysis technology is a feature of Solar appScreener, which is in demand worldwide. We are pleased to offer the Singapore market the full range of capabilities of our system so that local IT companies can make their developments more secure, and therefore increase the attractiveness of their solutions in the eyes of customers. It is especially pleasant to receive such a high assessment from the regulator that chose our product for the program to support enterprises in its industry, - said Oleg Slepov, director of special projects at Rostelecom-Solar. }}
Solar appScreener is a static application code analyzer for vulnerabilities and undeclared features. A distinctive feature of Solar appScreener is static analysis not only of source code but also of executable files (binary code) without the debug info file. This provides better and faster results than dynamic application analyzers (DAST). The system analyzes applications written in 34 programming languages or compiled into one of 9 executable file formats, including those for Google Android, Apple iOS and Apple macOS.
Solar appScreener Release Version 3.6
On July 16, 2020, Rostelecom-Solar announced the release of an updated version of the Solar appScreener 3.6 application security analyzer. The system allows software to be tested for vulnerabilities and NDV for compliance with the fourth evaluation assurance level (OUD4) according to the requirements of Bank of Russia regulations.
According to the company, at the request of Russian customers, the updated version provides for testing applications for vulnerabilities and NDV for compliance with the fourth evaluation assurance level (OUD4) according to paragraph 7.6 of the national standard of the Russian Federation GOST R ISO/IEC 15408-3-2013. Such testing is relevant for financial customers, since Bank of Russia regulations oblige organizations in this industry to analyze the vulnerabilities of application software used in payment and other financial transactions from July 1, 2020. Solar appScreener users now have access to a report on the vulnerabilities and NDV contained in an application directly in OUD4 format.
The developers implemented support for the Pascal programming language in version 3.6. This language, which is the predecessor of Delphi, underlies a variety of legacy systems actively used by Western organizations for internal needs.
{{quote 'In the 90s of the last century, variants of the Pascal language were widely used to create various software, from research applications to computer games. As of July 2020, the derived Object Pascal language is used to develop some Windows applications. Now, with Pascal support, Solar appScreener can analyze applications in 34 programming languages, - emphasized Daniil Chernov, Head of Solar appScreener at Rostelecom-Solar. }}
An important step in automating code scanning for vulnerabilities was the closer integration of Solar appScreener with the GitLab, GitHub and Bitbucket code storage and version control systems (repositories). This integration allows the analyzer to track the appearance of an updated version of the code in the repository on its own, automatically launch an analysis of parts of the code for vulnerabilities, and then send the scan results to the responsible employee. Previously, this required manual configuration; starting with version 3.6, it is available out of the box. Notably, the appearance of new code in the repository is now detected not through the CI/CD server but directly from the repository via push and tag events. This tracking method is convenient for companies that do not use CI/CD servers or whose development bypasses them.
A number of improvements were also made in the updated version to make working with the system more convenient. For example, the analyzer interface now has an option to create empty projects without scans, with the ability to pre-configure integration with repositories for automated code analysis later. This is relevant, for example, when developers do not have time to prepare the code before the Solar appScreener deployment in the company is completed, but the customer wants to start tracking vulnerabilities as soon as a more or less complete version of the application is available.
In addition, the interface now allows event logs to be downloaded. This is useful, for example, when a mistake was made when starting a scan and the analysis did not run correctly, but the customer cannot understand why. The user can now export the necessary log files from the system in a couple of clicks, and Solar appScreener technical support specialists can quickly fix the error and help start the process correctly.
For large companies that already monitor system health with the Prometheus monitoring toolkit and Grafana interactive visualization, the support for these monitoring tools implemented in version 3.6 will be an additional advantage. This functionality is required by customers for whom it is important to have up-to-date information about the state of the analyzer at a particular moment: data on delays in processes or failures, system workload and performance, etc.
Solar appScreener 3.5 release with support for the Rust programming language
On April 23, 2020, Rostelecom-Solar announced the release of the next version of the Solar appScreener 3.5 application security analyzer. This version adds support for the increasingly popular Rust programming language, as well as integration with the Subversion version control system.
Rust is a general-purpose programming language used to develop various kinds of internal systems and for systems programming, in particular operating system kernels. The language has existed in a stable version since 2015 and is rapidly gaining popularity among developers.
{{quote 'This language is comparable to C++ in capabilities, but at the same time surpasses it in terms of security. It better implements various restriction mechanisms, in particular when working with memory. Rust is a fairly young language, but recently we have received more and more requests from our customers for its support, so we implemented this feature in the next version, - emphasized Daniil Chernov, Head of Solar appScreener at Rostelecom-Solar. }}
Solar appScreener 3.5 supports integration with Subversion, a version control system used in development that is the second most popular after Git. Subversion, unlike Git, is free software, which is why it gained popularity among developers. The next version of Solar appScreener allows the analysis of application code to be run directly from a link to a Subversion repository.
In addition, version 3.5 implements experimental support for the PostgreSQL database, which is planned to move to production status in subsequent versions. It is also now possible to install the analyzer on the Astra Linux SE operating system, certified by the FSTEC of Russia. Both of these capabilities are aimed primarily at meeting the business needs of companies in the public sector.
The current version also features a number of noticeable usability improvements. For example, the language of the Solar appScreener interface is now determined automatically based on the system language, so there is no need to switch between languages manually.
Significant changes affected the analysis of configuration files. In previous versions of the system, these files were scanned in the common stream, and no separate statistics on them were displayed. Starting with version 3.5, configuration files are shown separately. In the detailed scan results, a filter for vulnerabilities in configuration files can now be applied. In a multi-language application, the results of configuration file scans are immediately grouped by language, which makes viewing them much more convenient.
Often, when scanning code, it becomes necessary to exclude third-party libraries from the scan. Solar appScreener has long had the ability to disable the analysis of borrowed components - the new version significantly expanded the set of libraries defined by the analyzer as third-party.
Solar appScreener Release 3.4
On January 23, 2020, Rostelecom-Solar announced the release of the next version of the Solar appScreener 3.4 application security analyzer. This version is distinguished by a reporting system more advanced than that of competing solutions, more detailed vulnerability verification and support for Microsoft's VB.NET programming language.
Solar appScreener 3.4 significantly redesigned the navigation and configuration of the reporting system, as well as the content of the reports. The latter are now not a static list of detected problems and errors in the code, as they were before, but a dynamic document with cross-links to detailed descriptions of the discovered vulnerabilities. Thus, if, for various reasons, an information security service specialist cannot provide developers with access to the analyzer interface, the information presented in the report will be enough to quickly eliminate all identified vulnerabilities.
Users of this version can choose which analysis information to include in the report. Previously, vulnerabilities could be filtered (by programming language, using Fuzzy Logic Engine technology, by the presence of a Jira task, etc.) only in the Solar appScreener interface, while the report exported all the information about vulnerabilities obtained from the scan without any way to filter it. Filtering can now be used when generating reports. For example, when working with false positives, you can export to the report only vulnerabilities with a confidence level of 3 to 5 points on a 5-point scale.
In addition, now the report can include more detailed information about the project being analyzed: the history of all scans, diagrams with statistics of vulnerabilities in different sections, comparison with previous scans, comments on vulnerabilities, data flow diagram and other data.
{{quote 'The revised reporting system available in the next version is based on the highest-priority requests voiced by the users of our analyzer. In the process of improving the reports, we compared similar capabilities of other solutions of this class available not only to Russian but also to foreign customers. As a result, we can confidently say that in Solar appScreener 3.4 users will receive the most advanced system for generating the most customizable reports on the market, - noted Daniil Chernov, Head of Solar appScreener at Rostelecom-Solar. }}
Also at the request of customers, the developers implemented a more detailed vulnerability verification system in the next version. The verification statuses "Confirmed," "Rejected" and "Not processed" were added to the user interface (previously vulnerabilities could only be marked as false). Statuses are automatically preserved in all subsequent sessions, which greatly simplifies vulnerability verification in large-scale projects containing several million lines of code.
Continuing the strategy of supporting the widest range of programming languages, version 3.4 provides analysis of applications developed in VB.NET from Microsoft's .NET family. This language is most often used to create web and desktop application interfaces. Solar appScreener now supports the two most widely used Microsoft application development languages, C# and VB.NET. In total, the analyzer from Rostelecom-Solar currently supports 32 programming languages.
As part of continuous work to improve the quality of code analysis, file extensions such as .bsp (ABAP) and .pso (COBOL) and several others were added in this version. This improvement will be particularly useful for large companies using SAP applications, as well as for users of legacy systems that for one reason or another cannot be abandoned.
2019
Solar appScreener Release 3.3
On October 10, 2019, Rostelecom-Solar announced the release of the next version of the Solar appScreener 3.3 application security analyzer. The update adds support for the Perl and Vyper programming languages, as well as integration with SonarQube, a continuous code quality inspection platform.
Perl is a programming language designed for working with reports and used to process large amounts of data. Its support in Solar appScreener 3.3 additionally allows analysis of the security of CRM reporting modules, as well as of Know Your Customer systems used in the financial sector, passenger transportation and some other industries. Blockchain technology did not go unnoticed by the analyzer's developers either: in addition to Solidity, the updated version also supports the Vyper programming language, used as an alternative to Solidity for creating smart contracts on the Ethereum platform.
Solar appScreener not only intensively expands its own functionality but also actively integrates with other advanced systems designed to improve the security of developed code. Thus, the presented version of the analyzer can integrate with the SonarQube continuous code quality inspection platform. Solar appScreener 3.3 now passes data on vulnerabilities found in applications to the platform, allowing the SonarQube report to be supplemented with this information. As of October 2019, the platform is used by global brands such as Siemens, Deutsche Bank, Air France, Bosch, Canon and Audi, and among Russian clients by 1C, Alfa Bank, Bank of Russia, Gazprom and others.
This version also made a significant step forward in application analysis. Code analysis is now available for mobile application executables in all programming languages that Solar appScreener supports when scanning source code (previously only Java/Scala/Kotlin and Objective-C/Swift). In addition, two more formats, AAR and EAR, were added to the seven executable file formats supported in the previous version.
The developers also made a number of improvements to the Solar appScreener 3.3 user interface. In particular, the navigation system was redesigned: the transition from tabs to side menu items was made more convenient, and breadcrumb navigation was added. In the modified analytics section, project groups and graphs can be updated automatically after editing, and the selected project groups can be saved for display when the page is refreshed.
Solar appScreener Release 3.2
On July 11, 2019, Rostelecom-Solar released the next version of the Solar appScreener application security analyzer, which now supports 29 programming languages, including the 1C application language popular in Russia. In addition, links to vulnerabilities in the register of the FSTEC Information Security Threats Data Bank were added to Solar appScreener.
Thanks to support for the 1C language, the next version of our analyzer can identify vulnerabilities and NDV in 1C:Enterprise, the application with which almost all Russian organizations work. At the same time, each enterprise uses customized configurations of this software, implemented by numerous 1C partners. In the process of developing modifications and versions, vulnerabilities may be introduced into the application accidentally, or NDV may be deliberately embedded.
In addition, Solar appScreener 3.2 supports the VBA (Visual Basic for Applications) programming language. This language is embedded in the Microsoft Office product line, including the Mac OS versions, as well as in many other software packages (AutoCAD, CorelDRAW, accounting and financial programs). VBA is actively used by developers because it allows applications to be modified. Users of the analyzer can now check VBA applications designed for production management, technical support, trade, construction engineering, telephony, data processing, document flow management, financial services, legal support and medicine.
Solar appScreener 3.2 also supports the popular ASP.NET framework, which is actively used in web application development and is based on Microsoft's web services, software infrastructure and programming model. A number of popular high-load applications have been implemented on ASP.NET.
In addition to supporting 29 programming languages, which as of July 2019 exceeds the capabilities of all competing solutions, users of this version have access to links to the relevant vulnerabilities in the register of the FSTEC Information Security Threats Data Bank, with the ability to include them in reports. This is important for specialists who work with vulnerabilities in Russian software, since these vulnerabilities may not be present in international vulnerability registers such as CVE (Common Vulnerabilities and Exposures), as well as for security officers involved in protecting GIS, ISDS and APCS at CII facilities. As of July 2019, the FSTEC Data Bank contains about 22 thousand records, about 150 of which are not present in the CVE database.
Continuing the development of integration with third-party software development tools, Solar appScreener 3.2 has expanded the list of supported CI/CD (continuous integration and delivery) services. Now, in addition to Jenkins and TeamCity, the solution integrates with Microsoft's Azure DevOps Server 2019 (formerly Team Foundation Server, or TFS), which is used by thousands of developers around the world.
Solar appScreener Release 3.1
On April 11, 2019, Rostelecom-Solar announced the release of the next version of the Solar appScreener 3.1 application security analyzer. The system now supports 26 programming languages.
Among the languages added in this version are TypeScript and VBScript, which significantly expands the coverage of the web application segment available for analysis with Solar appScreener. In addition, the analyzer supports Apex, the language of the Salesforce CRM system. This will allow Rostelecom-Solar to increase sales in foreign markets.
Daniil Chernov, Head of Solar appScreener, noted:
{{quote 'In the development of our product, we rely on two fundamentally important components - improving the functionality of the analyzer and improving the convenience of working with the system. Version 3.1, with the support of a number of additional languages, will allow our customers to expand the range of protected applications. With each next version, checking software for vulnerabilities and NDV becomes easier and more efficient. }}
Solar appScreener 3.1 offers a number of options for finer customization to the customer's needs. In particular, it is now possible to track changes in areas of code containing vulnerabilities or undeclared capabilities by comparing scan results over any period of time (previously, the comparison was available only for the last two scans). This allows a full retrospective analysis, showing when vulnerabilities were discovered and what actions were taken on them. The ability to provide a direct link to a section of code greatly simplifies and speeds up the interaction between an information security specialist and the development team, contributing to the prompt elimination of vulnerabilities.
At the request of customers, the analyzer now separates the roles of commenting on scan results and editing them, since in large organizations only a narrow circle of employees should have the right to edit. Editing scan results allows the customer to filter out vulnerabilities that they do not consider critical (for example, hard-to-exploit vulnerabilities).
Solar appScreener 3.1 continues to refine the appearance and ergonomics of the user interface. In addition, the presented version is easier to integrate into the software development lifecycle due to improved functionality of the plug-in for integration with Jenkins and advanced capabilities for integration with Jira. Also, the system developers have significantly supplemented the database of vulnerability search rules and finalized analysis algorithms to more effectively identify vulnerabilities and further reduce the number of false positives.
Rebranding and release of Solar appScreener 3.0
On January 24, 2019, Rostelecom-Solar announced a large-scale update of its application analyzer for vulnerabilities and undeclared capabilities (NDV). Starting with version 3.0, the product is marketed under the name Solar appScreener instead of the previous Solar inCode. The rebranding reflects the technological evolution of the product: the decompilation and deobfuscation technologies implemented in it allow not only scanning source code but also analyzing applications in the form of executable files, Rostelecom-Solar explained.
The key change to Solar appScreener 3.0 is the completely updated system of interaction between the solution and users. Both the graphical interface of the solution and the functionality of the system have undergone significant changes.
With the release of the previous version of the analyzer, Solar inCode 2.10, beta testing of the graphical interface was launched, and user feedback and wishes on possible improvements were collected. In addition, the company conducted a number of specialized UX/UI tests, as a result of which the ergonomics of the interface were improved - for example, the number of clicks required for users to reach system functions was minimized. The user group management page was also completely redesigned: in this version, the rights of a user group can be flexibly configured when the group is created, Rostelecom-Solar noted.
According to the developer, the updated interface also has convenient navigation on projects and analysis results, a quick search, a more visual and detailed presentation of statistical information about projects and additional filters for projects, as well as a redesigned administration page. Users who prefer the previous interface will be able to use it until the release of version 3.1.
Changes implemented in Solar appScreener 3.0
According to the developer, Solar appScreener 3.0 has improved the usability of the Fuzzy Logic Engine, which minimizes the number of false positives without missing real vulnerabilities. Together with the expanded coverage of the vulnerability search rule base in this version, users can configure how results are displayed based on the likelihood of a false positive.
One of the most important requirements for modern application security analyzers is the ability to integrate into the secure development process. To extend this capability, Solar appScreener 3.0 implements integration with Microsoft Active Directory, which allows the access rights of developers and security officers to various information systems to automatically follow the company's information security policies. Thus, according to the developer, Solar appScreener 3.0 raises the overall level of corporate information security and reduces the time spent managing user permissions.
According to Rostelecom-Solar, due to the updated methods of analyzing the data flow and the method of generating a data distribution diagram for vulnerabilities, version 3.0 of the solution more effectively analyzes the vulnerabilities of applications written in Java, Scala, Kotlin and Java for Android.
Support for the legacy COBOL language, implemented in Solar appScreener 3.0, makes it possible to check for vulnerabilities in legacy systems that cannot be abandoned for one reason or another. COBOL was often used to develop banking applications, and its support was implemented at the request of Rostelecom-Solar customers and partners in foreign markets, the developer noted.
2018
Solar inCode 2.10 version with updated false positive reduction technology
On October 17, 2018, Rostelecom-Solar announced the release of the next version of its application source code security control solution. Solar inCode 2.10 has a built-in, improved Fuzzy Logic Engine that sets the industry standard for dealing with false positives. In addition, the released version launched beta testing of a completely redesigned solution interface.
Fuzzy Logic Engine is a Rostelecom-Solar technology created to minimize both the number of false positives and the number of missed vulnerabilities in the code (false negatives). It uses the mathematical apparatus of fuzzy logic to estimate the probability that a finding in the current project is a false positive, based on the results of past scans. The parameters of the Fuzzy Logic Engine filters are determined by a knowledge base that is constantly updated with the results of completed projects.
Daniil Chernov, Head of Solar inCode at Rostelecom-Solar, noted: "The number of false positives and missing vulnerabilities is one of the key performance parameters of any code analyzer, so the technological development of the Fuzzy Logic Engine has a high priority for us. The algorithms laid down in it are the result of many years of scientific development, and a large amount of research is behind each update. This module was implemented in the product back in 2015, but only in 2018 it was possible to seriously improve the technology and release a major update."
In Solar inCode 2.10, a security officer can configure the display of scan results based on the likelihood of a false positive, which significantly reduces the time required to process the report and assign tasks to developers to fix errors and vulnerabilities in the code. In addition, the user can work directly with the Fuzzy Logic Engine filters to achieve even higher accuracy of results.
However, no matter how complex the technology is, Rostelecom-Solar always seeks to present it to the user in a simple and understandable form. Therefore, Solar inCode 2.10 launched beta testing of a fundamentally different, completely redesigned graphical interface, the final version of which will be presented in the next version of the solution. In Solar inCode 2.10, users will see the familiar interface by default, but for those who want to test the future interface and send their responses and ideas, the switch button is implemented.
Solar inCode 2.10 adds vulnerability search rules for the supported programming languages, especially for Groovy and Kotlin, support for which was introduced in the previous version of the solution. Separately, the analysis algorithms used when searching for vulnerabilities in C/C++ were improved.
To reduce the duration of scanning applications written in JavaScript, Solar inCode has built-in functionality to analyze their composition. The solution defines the external libraries used and allows you to exclude them from the analysis.
Certification of FSTEC of Russia
On September 20, 2018, Rostelecom-Solar announced that Solar inCode, its solution for monitoring the security of application source code, had received an FSTEC of Russia certificate.
The use of certified software is a requirement for government bodies as well as for many commercial organizations. According to Rostelecom-Solar, certificate of conformity No. 4007 issued by the FSTEC of Russia certifies that Solar inCode meets the requirements for software at level 4 of control over the absence of undeclared capabilities (NDV). Solar inCode is also included in the Unified Register of Russian Programs for Electronic Computers and Databases, which allows it to be used by organizations implementing import substitution programs for information security solutions.
The functionality that allows the solution, even without access to the source code of applications, to check them for errors and vulnerabilities using static analysis makes Solar inCode, according to the developer, an optimal tool for monitoring the security of legacy and third-party software. Also, the advantages of the solution include a wide list of detectable vulnerabilities, a low percentage of false positives and support for most modern programming languages.
Release version 2.9
On June 25, 2018, Solar Security announced the release of the next version of Solar inCode, a solution for monitoring the security of source code.
The list of programming languages that Solar inCode 2.9 recognizes and analyzes has been replenished at the expense of Groovy and Kotlin. At the same time, analysis of applications written in Kotlin is possible even without access to their source code.
Daniil Chernov, Head of Solar inCode at Rostelecom-Solar, commented: "When forming a roadmap for product development, it is very important to monitor trends in software development. Some languages are gradually becoming a thing of the past, others come to their place, and we must quickly respond to the needs of the market. Groovy and Kotlin are application development languages that are now trending and continue to gain popularity, so we have included them in Solar inCode 2.9. In the previous version, support for the Go language was implemented, and in the current release, this functionality was also improved due to a significant expansion of the database of vulnerability scanning rules."
Another strategic vector for Solar inCode development is support for continuous integration processes and the lifecycle of secure application development. As part of the development of this area, Solar inCode 2.9 implemented the possibility of incremental analysis. Thanks to this, when comparing different assemblies of the application, developers will be able to scan only the part of the code that was added in the latest version. Similarly, Solar inCode 2.9 reports can now only include vulnerabilities that were not previously found in this software. In addition, if necessary, you can exclude standard libraries from scanning, checking only your own code for errors and potential vulnerabilities.
In addition to the OWASP Mobile Top 10 2016, OWASP Top 10 2017, PCI DSS and HIPAA classifications, Solar inCode 2.9 allows you to rank the vulnerabilities found according to CWE/SANS Top 25. This version also contains additional rules for searching for vulnerabilities for supported programming languages, as well as improved, more detailed descriptions of vulnerabilities.
Release version 2.8
On April 19, 2018, Solar Security released an update to the Solar inCode 2.8 application security solution with support for the Go programming language, also known as Golang.
"Go support is a feature that has been included in the product roadmap due to the large number of relevant requests from customers. Given the pace at which this language is gaining popularity, I think we will deepen its support in subsequent versions of Solar inCode," said Daniil Chernov, head of Solar inCode at Solar Security.
From the first versions, Solar inCode supports Continuous Integration and Secure Application Development (SDLC) tools to automate these processes. As part of the development of this area, Solar inCode 2.8 has built in support for TeamCity, a popular continuous integration server.
Another step towards seamless integration into SDLC was support for the JSON API, implemented in addition to the Command Line Interface. This functionality will allow Solar inCode to be embedded in a number of external systems used as part of the secure development process.
Together, this will allow you to establish a continuous quality control process, automate the verification of the security of software assemblies and reduce the time spent on the entire process, according to Solar Security.
In addition, Solar inCode 2.8 has expanded the list of vulnerability search rules, as well as added their extended descriptions, which will help users who do not have deep technical expertise to correctly interpret the report data.
Release version 2.7
On February 1, 2018, Solar Security announced the release of the next version of the Solar inCode solution, with support for static analysis of binary code for macOS.
A distinguishing feature of Solar inCode is its ability to statically analyze executable files with automatic recovery of high-level code (.apk, .jar, .war, .ipa, .exe and .dll files). To strengthen this advantage, Solar inCode 2.7 implements an analysis module for macOS application executables (.app bundles).
"The macOS family of operating systems is the second most common for desktops after Windows, so static analysis of binaries for Apple's OS is an important step in product development. In the coming versions of Solar inCode, we plan to focus on the further development of this functionality."
Another difference between Solar inCode is its simple and user-friendly interface. Thanks to the thoughtful logic of user interaction, it is intuitive and does not require additional time to study. The scan is run in two clicks, and the visual presentation of the reports is implemented so that they are informative for the user without software development skills.
"The most convenient interface needs constant development - both in terms of graphic design and ergonomics and simply in accordance with the latest trends in this area. Therefore, we made a number of changes to the Solar inCode 2.7 interface, finalizing the visual solution of project and results pages, quick action buttons, and adding a scan progress bar."
Solar inCode 2.7 also adds vulnerability search rules and improves the analysis algorithms used when searching for vulnerabilities in Java, Scala and Java for Android.
Scan reports can be uploaded according to the OWASP Top 10 2017 vulnerability classification. The vulnerabilities found can be ranked according to OWASP Mobile Top 10 2016, PCI DSS and HIPAA, which simplifies the task of compliance.
2017
Release version 2.6
Solar Security introduced the next version of Solar inCode on October 17, 2017. A key update to version 2.6 was support for the Solidity programming language, which is used to create smart contracts designed to conclude deals within blockchain technology.
"Smart contracts are dangerous because the popularity of these tools is ahead of their security, despite the fact that in the event of a successful attack, users may lose real money. Therefore, we consider it important to quickly adapt Solar inCode to the changing needs of the market," said Daniil Chernov, Head of Solar inCode at Solar Security.
In addition, Solar inCode can now look for bugs and vulnerabilities in HTML5, which allows developers to be confident not only in the appearance and convenience of the web applications they create, but also in their security.
The technology for analyzing applications written in C/C++ has also been improved and refined. Source code analysis now supports projects built with Visual Studio, and the vulnerability search rule base has been expanded. The database of vulnerability search rules for the ABAP and Delphi languages has also been supplemented.
Version 2.6 also implements, for the first time, the ability to upload a project from a local computer as an archive with the extensions .7z, .ear, .aar, .rar, .tar.bz2, .tar.gz, .tar and .cpio. As part of raising the overall usability level, the solution interface has also been further refined.
Another important area - the easy integration of Solar inCode into the Secure Application Development (SDLC) process - has received support in the form of a plug-in to the Jenkins continuous integration server and the ability to track the status of scans by email.
At the same time, scan reports can now be uploaded in accordance with the HIPAA classification of vulnerabilities - in addition to the OWASP Top 10 2013, OWASP Mobile Top 10 2014, OWASP Mobile Top 10 2016 and PCI DSS classifications, which makes it easier for developers to comply with regulatory norms and standards.
Release version 2.4
On July 12, 2017, Solar Security announced the release of version 2.4 of the Solar inCode code scanner.
The developers have improved the technology for working with the already supported programming languages and added support for new ones[1].
Solar inCode 2.4 expands the vulnerability search rule databases for binary C/C++ code (.exe and .dll files). The list of supported programming languages has been extended with Delphi and ABAP (Advanced Business Application Programming), which is used to develop applications for the SAP platform. ABAP support allows companies to control the security level of SAP business applications. Since Solar inCode is optimized for integration into the secure application development lifecycle (SDLC), version 2.4 helps customers improve the security of SAP applications without changing their usual development and testing processes.
"Early versions of the product supported mainly mobile and web application development languages. Gradually, we supplemented this list to expand the pool of solutions that Solar inCode can work with. Serious scientific and technical research is behind such functionality as the ability to scan code in ABAP or binary C/C++ code, and we are glad that they have finally found a practical embodiment in Solar inCode," said Daniil Chernov, Head of Solar inCode at Solar Security.
The solution's SDLC integration has been optimized to improve automation. Solar inCode 2.4 allows scan results to be compared and the number of fixed vulnerabilities to be tracked. This simplifies security control of the software under development and makes working with Solar inCode more convenient and intuitive.
This version adds a data flow diagram (traces) for vulnerabilities in Java, Scala and Android applications.
Specifically for mobile application developers, Solar inCode 2.4 can upload reports according to the OWASP Mobile Top 10 2016 vulnerability classification, in addition to OWASP and PCI DSS.
The Solar inCode 2.4 interface has been improved to be intuitive.
"Solar Security follows an ideology according to which even the most complex technologies should be presented to users through simple and understandable interfaces. Therefore, optimization and refinement of the Solar inCode interface is carried out constantly, from version to version. It is very important for us that both the developer and the security officer can use this code security level verification tool with the same ease."
Solar inCode 2.3
On April 19, 2017, Solar Security announced the release of the Solar inCode 2.3 code scanner. Its main new features are out-of-the-box integration with JIRA, analysis of multi-language applications, and a module for analyzing C/C++ binaries.
Solar inCode 2.3 performs static analysis of .exe and .dll files written in C/C++ for the x64 and x86 architectures. This functionality allows the security service to check the security level of applications used in the company without access to their source code - for so-called "legacy software" or applications whose development was outsourced[2].
"We focus on strengthening the ability to analyze applications without access to source code. The next step in this direction was the static analysis of .exe and .dll files written in C/C++. We received many requests for this functionality from customers, but due to the specifics of the C/C++ languages, it was quite difficult to implement it in the product. It took us a long time to research and develop," said Daniil Chernov, Head of Solar inCode at Solar Security.
If the application uses multiple programming languages, Solar inCode 2.3 will automatically detect them and scan the application as usual. In this case, the user can choose whether to scan the entire application or only part of the code in a specific language.
Solar inCode 2.3 offers users out-of-the-box integration with JIRA. After scanning an application, the user can immediately create a task to fix the vulnerabilities found, directly from the Solar inCode interface.
This version contains a number of improvements to existing functionality: Solar inCode 2.3 has new vulnerability descriptions and new vulnerability search rules for the supported programming languages. The data flow analysis algorithms used when searching for vulnerabilities in PHP have also been further optimized.
The Solar inCode 2.3 interface has also been improved.
Solar inCode 2.2
On February 7, 2017, Solar Security announced the release of Solar inCode 2.2. The main improvement in this version is the dynamic and interactive analysis (DAST/IAST) modules with two modes of operation - fuzzing methods and fuzzing queries.
"Now that the product has reached a certain level of maturity, we determine the directions of development based on the needs of our customers. This applies to the list of supported languages, reporting, interface, new technologies, and so on. Despite the complexity of the technologies behind Solar inCode, we are committed, as before, to making the use of the product simple and understandable, including for security professionals who do not always have development experience," said Daniil Chernov, Head of Solar inCode at Solar Security.
This version has expanded the list of supported programming languages:
- C/C++ (including using OpenMP),
- Ruby,
- T-SQL,
- Visual Basic 6.0.
Solar inCode 2.2 also adds vulnerability search rules for the programming languages supported in earlier versions - Java, Scala, PHP, Objective-C, Java for Android, JavaScript, Swift, Python 2, Python 3, PL/SQL and C#[3].
Solar inCode 2.2 offers advanced iOS application analysis capabilities. Support for the Swift 3 programming language, integration with the Xcode 8 development environment and the Apple Clang 8.0 compiler provide maximum coverage of iOS applications available for analysis, Solar Security emphasized. The module for downloading iOS apps from the App Store supports all current versions of the iOS operating system.
Scan results can be uploaded with vulnerabilities prioritized according to the OWASP Top 10 2013, OWASP Mobile Top 10 2014 or PCI DSS 3.2 classifications.
In version 2.2, the developers paid attention to the development of analytical tools. The built-in interproject analytics module allows you to group projects together for aggregate information on projects within a group. Statistics are available to users on the number of scans, scan time, number of lines of code, security rating and number of vulnerabilities with a choice of criticality level. All key figures can be presented in the form of graphs reflecting the dynamics of changes.
Since version 2.2, the product is compatible with the CentOS and macOS operating systems.
2016
Solar inCode SaaS
On October 26, 2016, Solar Security announced the release of Solar inCode under the Software-as-a-Service (SaaS) model.
Solar inCode in cloud format is aimed at companies where the need to verify the security of application code arises from time to time[4].
"Solar inCode from the cloud is essentially an enterprise solution in a retail configuration. Companies that do not qualify for standard licenses for a large number of scans have not been able to use our product before. Now we are ready to offer Solar inCode to this category of customers as well, which will allow us to popularize the technology itself and increase the level of security of Russian companies."
Solar inCode 2.0 is a technology for checking the security of applications by static analysis that works both when the verifier has the source code and when they have no access to it. Solar inCode 2.0 helps identify vulnerabilities and undeclared capabilities in software. The solution is capable of analyzing the most common programming languages, all mobile and most web applications.
Solar inCode 2.0
Solar Security, a developer of products and services for targeted monitoring and operational management of information security, released the Solar inCode update in the summer of 2016, a solution that can check the security of applications by static analysis even in the absence of source code. Solar inCode 2.0 offers an advanced list of analyzed languages, an intuitive user interface, and optimized technologies for identifying vulnerabilities and undeclared capabilities in software.
According to the developers, a large number of changes in this version of Solar inCode are aimed at simplifying the logic of user interaction. The interface design has been redesigned and improved so that interpretation of the data received from Solar inCode no longer requires deep technical expertise from the user.
In addition to the Java, Scala, PHP, Objective-C and Java for Android languages, which were supported in the first version of the solution, Solar inCode 2.0 now analyzes applications written in JavaScript, Swift, Python 2, Python 3, PL/SQL and C#. Thus, the solution covers the most common programming languages and is able to analyze all mobile and most web applications.
To simplify work during regular code checks, Solar inCode 2.0 allows you to edit vulnerability scanning rules and flag false positives. Such training allows you to create developed mechanisms for detecting false positives, as well as identify new types of vulnerabilities and undeclared capabilities.
The Solar inCode interface, in addition to Russian, is now localized into English. In addition, in accordance with the wishes of users, the new version has added the ability to work through the command line. Users can automate the validation of new software assemblies and, as a result, integrate Solar inCode into the Secure Development Process (SDLC). The new version also allows you to differentiate user access to the software so that each developer can control the level of security and the presence of errors only in his part of the project.
"The first version of the product focused on deobfuscation and decompilation technologies, as well as on a reporting system with detailed recommendations for eliminating the vulnerabilities found," said Daniil Chernov, head of Solar inCode at Solar Security. "The second version of Solar inCode, in addition to innovative software analysis methods, offers a simple, convenient and understandable interface, which makes the solution available to the maximum number of users and brings it to new market segments."
2015
Solar inCode release
On October 29, 2015, Solar Security announced the release of Solar inCode, a software analysis product.
Application analysis is carried out both by the white-box method and in the absence of source code. The deobfuscation and decompilation technologies implemented in Solar inCode allow source code to be restored with a high degree of accuracy, even if obfuscating transformations were applied to it. To improve the quality of code analysis, four different technological solutions are used, including taint analysis; to reduce the number of false positives, the Fuzzy Logic Engine module with proprietary vulnerability filtering algorithms is used.
"We can say that inCode is a product in which scientific thought has found its worthy technical embodiment. The development team has three candidates of sciences, two of whom defended their dissertations on code decompilation, so the technologies embedded in the product give a fundamentally new level of its use: both in terms of convenience and in terms of the effectiveness of assessing the security of applications," said Daniil Chernov, head of inCode at Solar Security.
Solar inCode was created as a tool for security specialists: the product gives detailed recommendations for configuring overlay security tools (SIEM, WAF, NGFW) that block the exploitation of vulnerabilities until they are fixed. For developers, there are reports describing the identified vulnerabilities with links to the corresponding sections of the code and recommendations for eliminating them by changing the code, which greatly simplifies development tasks.
As of October 29, 2015, Solar inCode can analyze online and mobile applications written in the most popular languages: Java, Scala, PHP, Objective-C and Java for Android. The product development plans include expanding the list of analyzed languages with JavaScript, PL/SQL, 1C and C#.
"Recently, the risks of exploiting software code vulnerabilities have increased significantly," said Igor Lyapunov, CEO of Solar Security. "According to our data, which include JSOC reports, more than 60% of successful cyber attacks targeting external business applications are implemented through vulnerabilities in software. Despite the fact that the topic of application security is quite new, most security professionals understand that the security of information, money, and sometimes entire companies began to directly depend on the quality of the code."
Solar inCode
As of October 29, 2015, Solar inCode is a static code analysis tool designed to identify vulnerabilities and undeclared capabilities (NDV) in software.
Notes
- [1] Solar Security introduced a new version of the Solar inCode code scanner
- [2] Solar inCode 2.3 received integration with JIRA and the application analysis module on C/C
- [3] A new version of Solar inCode with dynamic and interactive analysis modules has been released
- [4] Solar inCode for analyzing application security has become available under the SaaS model