Solar appScreener brief description

Purpose

Solar appScreener is a static application code analyzer that identifies vulnerabilities and undocumented features. Its distinctive feature is the ability to analyze not only source code but also executables (i.e. binaries), returning much better results than DAST.

The analyzer can test apps written in 29 programming languages, as well as apps compiled into executable files with one of 7 extensions, including those for Google Android, Apple iOS, and Apple macOS. Mobile app code can be tested simply by pasting the app's Google Play or App Store link into the analyzer, which may be considered full mAST.

Supported programming languages

[Image: list of supported programming languages]

Supported executable file formats

[Image: list of supported executable file formats]

To detect vulnerabilities and undocumented features, Solar appScreener leverages 10+ analysis methods, including lexical, syntax, semantic, taint, constant propagation, type propagation, synonym and control flow graph analysis. Users can configure analysis settings, exclude particular vulnerabilities, or start an incremental analysis in which only the changed code segments are checked.

Detected vulnerabilities and undocumented features are highlighted directly in the analyzed app code, even when found in executables (no debug_info file is needed). Test results for a project can be compared across versions, so that the changes routinely made while writing code are tracked, with the relevant notification sent by email.

Solar appScreener employs a Fuzzy Logic Engine, based on Rostelecom-Solar's own technological know-how, which uses the mathematical tools of fuzzy sets and fuzzy logic to minimize both false positives and false negatives (missed vulnerabilities or undocumented features).

Eliminating vulnerabilities and undocumented features requires not only detecting them but also correctly describing the rules by which they can be exploited or fixed. Solar appScreener provides detailed advice on eliminating each detected vulnerability or undocumented feature, describes how it can be exploited, and recommends how to configure a WAF. Solar appScreener's database of search rules for vulnerabilities and undocumented features is continuously updated by the analyzer's developers on the basis of their R&D.

To enable a Secure SDLC, Solar appScreener integrates easily with Git repositories and CI/CD servers such as Jenkins, Azure DevOps Server 2019 and TeamCity, offering quick analysis of both source and binary code. The solution can also be integrated with the Atlassian JIRA issue tracking system to track the process of eliminating vulnerabilities and undocumented features. Support for Microsoft Active Directory streamlines access control for Solar appScreener when many developers need access.

For interoperability with other systems and services, the analyzer offers an open API.

Application areas

Solar appScreener is a must if companies need to:

Sell goods and services online, or provide online banking, personal account functionality, mobile e-commerce, and other online services to external users
Check apps for vulnerabilities and undocumented features left by developers, even if source code is unavailable
Comply with PCI DSS, OWASP, and HIPAA requirements for software code analysis
Strengthen the authority and influence of the cybersecurity function with regard to both in-house and third-party developers
Properly and promptly set up WAFs

Interface

The Solar appScreener GUI primarily targets cybersecurity officers rather than developers. Its interaction logic is intuitive, and interpreting the analytical reports does not require deep technical knowledge. Accordingly, Solar appScreener features a simple interface with fully automated analysis, enabling a user to analyze app code in just two clicks.

The latest release of Solar appScreener offers easy navigation across projects and analysis reports, more descriptive and detailed project statistics, new project filters, and a dramatically improved admin page. The old interface remains one click away.

Russian and English user interfaces are available, and the operating language can be changed at any time.

In addition to the Solar appScreener GUI, a command-line interface is also available.

Licensing and supply

Solar appScreener can be deployed on the customer's own site or provided as a Rostelecom-Solar cloud-based service (SaaS). When the analyzer is deployed on the customer's servers, licensing is based on the number of users with system access. With SaaS, payment depends on the number of code verifications.

For smaller vendors and companies using custom apps, SaaS is the best option, because they need app code verification only occasionally. The customer simply purchases licenses for the required number of code verifications, uploads the code to the cloud via the web interface and waits for the analyzer to finish. Code can also be submitted over a secure communication channel using a virtual private network (VPN).

Regulatory compliance

Solar appScreener is ideal for companies focused on compliance with security standards: users can generate a report that follows the vulnerability classification adopted in PCI DSS, OWASP Top 10 2017, OWASP Mobile Top 10 2016, HIPAA or CWE/SANS Top 25, which greatly facilitates regulatory compliance.