Solar appScreener is a static application security testing (SAST) tool that detects vulnerabilities and undocumented features, including hardcoded passwords. It covers 36 programming languages (the most on the market, according to the vendor) and provides binary static analysis (9 executable file formats). Solar appScreener does not require advanced technical skills: the user receives detailed descriptions of the vulnerabilities and undocumented features found, as well as recommendations on how to configure web application firewalls (WAF). An open API and integrations with the main repositories, CI/CD servers, SonarQube and Atlassian Jira allow Solar appScreener to be embedded easily in a Secure Software Development Lifecycle (SDLC).
Executable file analysis
Binary code decompilation and deobfuscation enable Solar appScreener to analyze executables, including those built for Google Android, Apple iOS and Apple macOS. To check a mobile app, the user only needs to paste the relevant Google Play or App Store link into the analyzer; the findings are then reported against the reconstructed source code.
Vulnerability detection
Vulnerabilities are detected by search rules that are applied once the Fuzzy Logic Engine has finished its analysis. Software composition analysis (SCA) technology reveals vulnerabilities not only in a company's in-house code, but also in freeware and third-party library components.
Undocumented feature detection
Solar appScreener has algorithms for the automatic search for undocumented features. These algorithms are based on the vendor's own continuously updated knowledge base. Undocumented features are detected through their characteristic constructs, such as hard-coded accounts, hidden network activity, time bombs, and so on. The presence of such constructs may indicate a more complex backdoor in the application.
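To make concrete what a search for the "characteristic constructs" above looks like, here is a small Python detector, added as an illustration and not the product's own rules or knowledge base. The sample source it scans is constructed for this example; the rule names and regular expressions are this example's own choices, and a real engine would work on a parsed program rather than on raw text lines.

```python
import re
from dataclasses import dataclass

# Constructed sample source (hypothetical, not from any real project) containing
# the kinds of constructs discussed above: a hidden account and hardcoded secrets,
# a date-triggered destructive action, and a connection to a fixed address.
SAMPLE_SOURCE = """\
def login(user, password):
    if user == "svc_admin" and password == "Sup3rS3cret!":
        return True
    return check_db(user, password)

API_KEY = "AKIAIOSFODNN7EXAMPLE"
if datetime.date.today() > datetime.date(2025, 12, 31):
    wipe_database()
sock.connect(("203.0.113.7", 4444))
"""

# Each rule names a construct and the pattern that recognises it. These are
# illustrative patterns chosen for this example, not the product's rules.
RULES = {
    # An identity compared against or assigned a literal: a built-in account.
    "hardcoded_account": re.compile(
        r'\b(user|username|login)\s*==?\s*["\'][^"\']{3,}["\']', re.IGNORECASE),
    # A secret compared against or assigned a literal.
    "hardcoded_credential": re.compile(
        r'\b(pass(word|wd)?|pwd|secret|api_key|token)\s*==?\s*["\'][^"\']{4,}["\']',
        re.IGNORECASE),
    # Comparing the current date against a threshold is the skeleton of a time bomb.
    "time_bomb": re.compile(r'\btoday\(\)\s*[<>]=?'),
    # A connection to a literal IP:port that no configuration controls.
    "hidden_network_activity": re.compile(
        r'connect\(\(\s*["\']\d{1,3}(?:\.\d{1,3}){3}["\']\s*,\s*\d+\s*\)\)'),
}


@dataclass(frozen=True)
class Finding:
    line: int       # 1-based line number in the scanned source
    rule: str       # which construct was recognised
    evidence: str   # the matched text, for the reviewer


def scan_source(source: str) -> list[Finding]:
    """Return one Finding per (line, rule, match), in source order."""
    findings = []
    for lineno, text in enumerate(source.splitlines(), start=1):
        for rule, pattern in RULES.items():
            for match in pattern.finditer(text):
                findings.append(Finding(lineno, rule, match.group(0)))
    return findings


if __name__ == "__main__":
    for f in scan_source(SAMPLE_SOURCE):
        print(f"line {f.line:>3}  {f.rule:<24} {f.evidence}")
```

Each hit is only evidence of a construct, not proof of a backdoor: test fixtures, documentation examples and licence-expiry checks produce the same shapes, so findings of this kind need triage against the application's documented behaviour, which is exactly why the text above speaks of constructs that "may indicate" a backdoor.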
Checking legacy and custom software
The binary code deobfuscation and decompilation functionality of Solar appScreener enables the detection of vulnerabilities and undocumented features in legacy and custom applications, including those that interact with third-party components adopted to reduce development time (freeware, code snippets copied from the Internet, modules and libraries).
Comparing check results
Solar appScreener can compare the results of completed checks and generate diagrams that show clearly how vulnerabilities and undocumented features appear and are eliminated, including a breakdown by project group. The system also accounts for routine code changes between checks while tracking the same vulnerabilities and undocumented features within a project, so that their elimination can be monitored.
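Tracking a finding across checks while the surrounding code keeps changing requires an identity for each finding that does not depend on its line number. The following Python example, added here and not taken from the product, shows one common way to do this: fingerprint each finding by project, rule, file and whitespace-normalised code, then diff two scans into new, fixed and persisting findings with a per-project breakdown. The two scans are constructed sample data; the Finding fields and the fingerprint recipe are this example's assumptions.

```python
import hashlib
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    project: str   # project group the check belongs to
    rule: str      # e.g. a CWE identifier
    file: str
    line: int
    snippet: str   # the flagged source line


def fingerprint(f: Finding) -> str:
    """Stable identity of a finding that survives line shifts and reformatting."""
    code = re.sub(r"\s+", " ", f.snippet.strip())
    key = f"{f.project}|{f.rule}|{f.file}|{code}"
    return hashlib.sha256(key.encode()).hexdigest()[:16]


def compare_scans(previous, current):
    """Split the current scan into new, fixed and persisting findings."""
    prev = {fingerprint(f): f for f in previous}
    curr = {fingerprint(f): f for f in current}
    order = lambda f: (f.project, f.file, f.line)
    return {
        "new": sorted((curr[k] for k in curr.keys() - prev.keys()), key=order),
        "fixed": sorted((prev[k] for k in prev.keys() - curr.keys()), key=order),
        "persisting": sorted((curr[k] for k in curr.keys() & prev.keys()), key=order),
    }


def breakdown_by_project(diff):
    """Counts of new/fixed/persisting findings per project group, for a trend chart."""
    counts = {}
    for status, findings in diff.items():
        for f in findings:
            counts.setdefault(f.project, {"new": 0, "fixed": 0, "persisting": 0})
            counts[f.project][status] += 1
    return counts


# Constructed sample scans (hypothetical data, not real product output).
# Between scans the orders.py query moved down 15 lines and was reformatted,
# the hardcoded DB password was removed, and a path traversal was introduced.
SCAN_1 = [
    Finding("webshop", "CWE-89", "app/orders.py", 42,
            'cursor.execute("SELECT * FROM orders WHERE id=" + oid)'),
    Finding("webshop", "CWE-798", "app/config.py", 10, 'DB_PASSWORD = "changeme"'),
    Finding("webshop", "CWE-79", "app/views.py", 88,
            'return "<h1>" + request.args["q"] + "</h1>"'),
    Finding("mobile-api", "CWE-295", "net/client.py", 12, "verify=False"),
]
SCAN_2 = [
    Finding("webshop", "CWE-89", "app/orders.py", 57,
            'cursor.execute("SELECT * FROM orders WHERE id="  +  oid)'),
    Finding("webshop", "CWE-79", "app/views.py", 88,
            'return "<h1>" + request.args["q"] + "</h1>"'),
    Finding("webshop", "CWE-22", "app/files.py", 5, 'open(BASE + request.args["name"])'),
    Finding("mobile-api", "CWE-295", "net/client.py", 12, "verify=False"),
]

if __name__ == "__main__":
    diff = compare_scans(SCAN_1, SCAN_2)
    for status, findings in diff.items():
        for f in findings:
            print(f"{status:<10} {f.project:<10} {f.rule:<8} {f.file}:{f.line}")
    print(breakdown_by_project(diff))
```

The fingerprint deliberately excludes the line number, so the SQL injection that moved from line 42 to 57 is reported as persisting rather than as one fixed and one new finding; the price is that a renamed file or a rewritten (but still vulnerable) line will look like a fix plus a new finding, which is why fixed findings still deserve a glance before they are counted as eliminated.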
Report export
Along with user-friendly dashboards, Solar appScreener offers a flexible PDF report generation system. Reports are generated automatically, with their content configured by the user. Reports can be exported according to the vulnerability classifications used in PCI DSS, OWASP Top 10 2017, OWASP Mobile Top 10 2016, HIPAA or the CWE/SANS Top 25; a flexible selection of report fields is also supported for JSON/CSV export.
Developer access control
To improve information security, developers' access to Solar appScreener can be segregated. Support for Microsoft Active Directory also streamlines access management when many developers are involved.
Preparing recommendations
for software developers
Developers want to deliver projects promptly and with minimal rework. Solar appScreener reports contain detailed descriptions of vulnerabilities and undocumented features, links to the vulnerable locations in the application code, and recommendations on how to correct the code to eliminate the vulnerability.
for cybersecurity officers
Cybersecurity officers need the most detailed information on detected vulnerabilities and undocumented features. Solar appScreener provides reports with detailed descriptions of the detected vulnerabilities and undocumented features and the methods by which they can be exploited, as well as recommendations on configuring Imperva, ModSecurity or F5 WAFs.
Issue tracking systems
Since the basic version of Solar appScreener includes integration with Atlassian Jira, vulnerability remediation tasks can be created in Jira and their progress tracked directly from the Solar appScreener interface. Other issue tracking systems can also be supported.
Integration into development process
Solar appScreener supports:
- repositories: Git and Subversion;
- VCS hostings: GitLab, GitHub, Bitbucket;
- IDEs: Eclipse, IntelliJ IDEA and Microsoft Visual Studio;
- build tools: Xcode, CMake, Microsoft Visual Studio, GNU Make, GNU Autotools, Gradle, sbt, Maven;
- code quality platform: SonarQube;
- CI/CD servers: Jenkins, Azure DevOps Server 2019 (formerly TFS) and TeamCity.
This allows the user to establish quality control, automate the verification of new software builds, reduce the time spent, and implement a Secure SDLC. An open API provides powerful capabilities for additional integration. To improve cybersecurity, developers can be granted different access rights.