DerSecur updates DerScanner to help users reduce false positives

DerSecur has updated DerScanner, a solution for monitoring the security of software and information systems. The new version allows correlating the results of static code analysis (SAST) with the results of dynamic code analysis (DAST).

Correlating the two will reduce false positives. Thanks to this, DerScanner users’ attention will be focused primarily on validated vulnerabilities and undocumented features, whose elimination is the first-priority task.

DerScanner 3.12 provides the ability to perform dynamic code analysis (DAST) of the application as well as static code analysis (SAST). With dynamic analysis, vulnerabilities are detected through emulated external attacks.

Based on the response from the application, the system concludes whether it has any vulnerabilities. During static analysis, the program is not executed; instead its entire code is analyzed. The advantage of this method is broader coverage of vulnerabilities.

To check the application in the new version of DerScanner, just specify the URL of the application and run the scanning. The user receives a single report based on the correlation of results from two analysis methods.

It reflects vulnerabilities and undocumented features detected during static code analysis, and highlights those that have been validated by DAST. As before, the report contains detailed recommendations on how to eliminate the detected errors and improve the security of the software being checked.

Daniil Chernov, DerSecur’s CTO, notes: “Previously, software security experts had to manually compare the testing results using separate SAST and DAST solutions. By developing algorithms for correlating the results of the two analysis methods, we have managed to reduce false positives and achieve more accurate results in searching for vulnerabilities and undocumented features.”

“This will significantly speed up the processing of vulnerability analysis results obtained from two different tools, SAST and DAST, thereby reducing the burden on engineers responsible for the security of applications and information systems. In the future, we will develop the correlation module by adding other technologies, which will allow us to detect vulnerabilities in software even more effectively,” Chernov continued.

DerScanner 3.12 contains a number of changes made to improve user convenience when working with the solution. In particular, the interface now displays the progress of uploading files for analysis, which helps avoid errors when uploading large projects.

In addition, management of vulnerability groups has been improved: the user can select any vulnerabilities in the list and change the status or criticality, or leave a comment, for the entire group.

Additionally, management of private repositories has been streamlined by integrating auto-rotated tokens and SSH keys from the DerScanner interface.

The update changed the logic of managing report export templates. The system now has an option of creating a global template that is not linked to a specific project. Now users will be able to run scheduled analysis and configure automatic report sending by indicating the addresses of specific recipients.

DerScanner supports 36 programming languages and 9 executable file formats. The new version of the solution adds vulnerability search patterns for the supported programming languages, an expanded rule base for Android, improved taint analysis for Python, and support for Java 17 projects.

In addition, the ability to scan only the source code of a Java application has been added, as well as support for the PHP Symfony framework.
