Month: July 2018

Comparison of Application Security Testing Approaches

Overview

The following table lists a side-by-side comparison of different application security testing approaches. In the following, each approach is introduced.
Approaches compared (table columns):

Automated Security Testing
  - Static Application Security Testing (SAST) / Static Code Analysis
      - Taint Analysis: Language Specific (RIPS), Language Generic
      - Pattern Matching
  - Dynamic Application Security Testing (DAST) / Blackbox Tools

Manual Security Testing
  - Whitebox / Code Audit
  - Blackbox / Pentest

Comparison criteria (table rows):
  - Code Coverage
  - Early Bug Detection
  - Detect Complex Issues
  - Detect Logical Flaws
  - Result Accuracy
  - Remediation Details
  - Initial Costs
  - Setup Costs
  - Verification Costs
  - Remediation Costs

TikiWiki 17.1 SQLi: Scan, Verify and Patch in Minutes

Scanning

TikiWiki comes with many built-in features. A manual audit of such a huge code base for security issues would require a tremendous amount of time and expertise. The automated security analysis of TikiWiki’s 1.7 million lines of code with RIPS took roughly 14 minutes. Once the scan finished, a vulnerability of type SQL Injection was reported in the RIPS user interface.
By selecting the SQL injection category in the RIPS UI, we can see a summary of the affected code lines (top), an issue description (right), and the original code as reference (bottom).