All detected security issues are available in real-time when your application is scanned. You can follow the current risk assessment of your application and directly begin to review the first issues - even if the scan is not complete yet.
Our risk heatmap shows the overall security state of your application, based on the severity and quantity of detected security vulnerabilities. These are categorized into critical, high, medium, and low issues in order to prioritize the urgency to review.
Next to the risk classification, RIPS summarizes all detected security issues by leading industry standards. We support the OWASP Top 10 list of vulnerabilities, the CWE classification, and the SANS Top 25 list of most dangerous software errors. Additionally, we highlight all associated PCI-DSS compliance requirements for handling credit card data. It is possible to export all data to a customized PDF report, CSV file, or any other format by using our RESTful API. A detailed list of all supported vulnerability types can be found in our analysis section.
For each detected security vulnerability, detailed information is given about the type of vulnerability in general as well as about the specific occurrence. RIPS explains the root cause of the issue and what impact a successful attack can cause. References to industry standards allow you to quickly categorize each issue and to find further information.
Additionally, RIPS offers a detailed guide to the solution - even for inexperienced developers. This gives users reliable information at hand so they can quickly resolve the problem without further research.
When investigating a detected issue, you can update the review status of each vulnerability and add a comment. This helps to prioritize issues and to manage the workflow within your team.
For example, already patched issues can be marked as fixed or currently investigated issues can be marked as in progress in order to avoid duplicate work.
Different audit teams with customized user privileges can be created. You decide which user is allowed to initiate new scans of an application and who can see and review which analysis results.
The code summary highlights the relevant code lines of an issue in order to make understanding the vulnerability quick and easy. The source of user input is highlighted blue and the sensitive operation affected by it is highlighted red. The vulnerable string concatenation is highlighted yellow and suggests the best place to patch.
Security issues can span multiple files and functions, making it difficult to keep track of vulnerable code. RIPS summarizes and connects the code lines related to the issue and speeds up the process of applying a security patch at the right spot.
Unvalidated input from an application's user is the root cause for almost all security issues in modern web applications. Depending on how this user input is used in which sensitive operation of your application, different types of vulnerabilities can occur.
Our unique context view instantly shows which sensitive operation is affected and how exactly malicious input can tamper with its execution. This is extremely valuable to abstract from the affected code lines and to understand the vulnerability's impact.
RIPS analyzes all provided source code without any additional configuration. Optionally, RIPS can be tailored to custom application specifics with comprehensive analysis settings. These include the manual definition of sources, sinks, sanitizers and validators in order to fine-tune the analysis precision.
Depending on PHP's configuration and version, subtle vulnerabilities can occur or can be non-exploitable. With RIPS it is further possible to specify PHP-related settings such as magic_quotes_gpc, register_globals, and the PHP version itself. The RIPS analysis engine is aware of these subtleties and acts according to your exact production environment.
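To make the source/sink/sanitizer model and the effect of a setting such as magic_quotes_gpc concrete, here is an added toy taint analysis in Python. It is example code written for this page, not RIPS's engine: it only handles straight-line PHP-like statements encoded as tuples, and the source, sink and sanitizer lists as well as the sample program are constructed.

```python
from dataclasses import dataclass, field

@dataclass
class Config:  # analysis settings: which PHP names count as sources, sinks and sanitizers
    sources: set = field(default_factory=lambda: {"_GET", "_POST", "_COOKIE"})
    sinks: dict = field(default_factory=lambda: {"mysql_query": "sql", "echo": "xss", "system": "cmd"})
    sanitizers: dict = field(default_factory=lambda: {"mysql_real_escape_string": {"sql"},
        "htmlspecialchars": {"xss"}, "escapeshellarg": {"cmd"}, "addslashes": {"sql"}})
    magic_quotes_gpc: bool = False  # legacy php.ini setting: addslashes() applied to GPC input
@dataclass(frozen=True)
class Taint:
    source: str             # where the value entered, e.g. "_GET[id]"
    neutralized: frozenset  # vulnerability classes a sanitizer on the path already handles
def _eval(expr, env, cfg):  # return the set of Taint objects flowing out of an expression tuple
    kind = expr[0]
    if kind == "const":   # ("const", "SELECT ...")  literal text, never tainted
        return set()
    if kind == "var":     # ("var", "id")  read a variable
        return env.get(expr[1], set())
    if kind == "source":  # ("source", "_GET", "id")  user input
        if expr[1] not in cfg.sources:
            return set()
        # Simplification: magic_quotes_gpc is modelled as addslashes() on all GPC input (a real engine also checks the quoting context, where addslashes() alone is not enough)
        neutral = frozenset({"sql"}) if cfg.magic_quotes_gpc else frozenset()
        return {Taint(f"{expr[1]}[{expr[2]}]", neutral)}
    if kind == "concat":  # ("concat", [expr, ...])  concatenation keeps every part's taint
        return set().union(*(_eval(e, env, cfg) for e in expr[1]))
    if kind == "call":    # ("call", "htmlspecialchars", expr)  a sanitizer if configured as one
        handled = cfg.sanitizers.get(expr[1], set())
        return {Taint(t.source, t.neutralized | handled) for t in _eval(expr[2], env, cfg)}
    raise ValueError(f"unknown expression {expr!r}")
def analyze(program, cfg=None):  # report (vuln_class, sink, source) for every unsanitized flow
    cfg, env, findings = cfg or Config(), {}, []
    for stmt in program:
        if stmt[0] == "assign":  # ("assign", "q", expr)
            env[stmt[1]] = _eval(stmt[2], env, cfg)
        elif stmt[0] == "sink":  # ("sink", "mysql_query", expr)
            vuln = cfg.sinks[stmt[1]]
            findings += [(vuln, stmt[1], t.source)
                         for t in _eval(stmt[2], env, cfg) if vuln not in t.neutralized]
    return findings

# Constructed sample: $id=$_GET['id']; $q="SELECT * FROM t WHERE id='".$id."'"; mysql_query($q); echo htmlspecialchars($id);
SAMPLE = [
    ("assign", "id", ("source", "_GET", "id")),
    ("assign", "q", ("concat", [("const", "SELECT * FROM t WHERE id='"), ("var", "id"), ("const", "'")])),
    ("sink", "mysql_query", ("var", "q")),
    ("sink", "echo", ("call", "htmlspecialchars", ("var", "id"))),
]
```

With the default settings `analyze(SAMPLE)` reports one SQL injection finding for the concatenated query and none for the escaped echo; with `Config(magic_quotes_gpc=True)` the same program yields no finding, which is the kind of environment-dependent exploitability the text refers to.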
Rescan your application to check if the security vulnerabilities were resolved, newly added or still remain in the source code.
Rescanning an application multiple times during the development lifecycle is an important step towards continuous integration of static code analysis. You are able to test different analysis settings, test new code, or check if issues were resolved by your team.
Try out the interface features in our demo interface.