Home » General Security » New SAST Tool – solaredappscreener

New SAST Tool – solaredappscreener

I recently tried new static application security testing solution – solaredappscreener.com. It was quiet an interesting experience. I created a trial account on the demo website and immediately fell into the product UI. I was able to scan 2 applications in terms of my trial, but wish I could have tried more of a variety to see how well the application responds. I was only able to do 1 php and 1 java application.

The product itself offers different options for scanning apps for vulnerabilities:

  • any app directly from Google Play, AppStore or Github repository (I’ve used the last one option) by copy & pasting the url link.
  • uploading zip app file across the following list of languages: Java, Scala, Java for Android (even for bytecode), Objective-C, iOS binaries, PHP, JavaScript, C#, Python, C/C++ (as well as for binaries), Visual Basic, Delphi, ABAP, Ruby, HTML 5

As a result I got 3 options of vulnerabilities reports: UI report with exact number of line of code and found vulnerability, exported pdf file and diagram.

These are 2 examples of what APPscreener found:

From a scan I ran on wordpress core (using weak encryption is a known ongoing issue in wordpress):

 

The other scan I ran against the OWASP web Goat project – knowing it should have tons of vulnerabilities. I guess one of the issues with the scanner is that it currently doesn’t have multi-procedural taint analysis built into it yet but it sounds like their team is working on hopefully having that worked out sometime after December.  I was hoping to see more vulnerabilities in the results for this app.

 

Though tool showed some amount of false positives, it was pretty simple to use and fast to start. If you quickly need to run some static application security testing – go try it out. Moreover, vendor promised that tool can decompile binaries and reconstruct vulnerable source code automatically but I didn’t really get a chance to try that out.