Our unique Code Analysis Approach
Static code analysis algorithms that are dedicated to each programming language.
Background: Static Code Analysis
Static analysis (or static application security testing, SAST) is performed solely on the source code of an application, without executing it. The complete source code is transformed into an abstract model that is then analyzed for security vulnerabilities. More precisely, taint analysis follows the data flow of user input that the application receives, across file and function boundaries. If that user input reaches a security-sensitive operation (such as a SQL query) without being neutralized on the way, an attacker could manipulate the operation, and a security vulnerability (e.g. a SQL injection vulnerability) is reported.
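To make the source, propagation and sink steps of taint analysis concrete, here is a deliberately small analyzer written for this page; it is an added illustration, not RIPS code, and it works on Python's own `ast` module rather than on PHP or Java because that keeps it runnable without any external dependency. The rule sets (`SOURCES`, `SANITIZERS`, `SINKS`) and the sample program are constructed for the example; a real engine would carry far larger, language-specific rule sets and follow flows across functions and files, which this one does not (it analyzes each function body on its own and treats statements in program order, ignoring branch merging).

```python
"""Minimal intraprocedural taint analysis over Python's AST (added illustration, not RIPS code)."""
import ast

# Constructed rule set: where attacker data enters, what neutralises it, and where it must not end up.
SOURCES = {"input", "request.args.get", "request.form.get"}
SANITIZERS = {"int", "escape"}
SINKS = {"cursor.execute": "SQL injection", "os.system": "command injection"}


def _dotted(node):
    """Render a Name/Attribute chain such as `request.args.get` as a string, or None."""
    if isinstance(node, ast.Name):
        return node.id
    if isinstance(node, ast.Attribute):
        base = _dotted(node.value)
        return f"{base}.{node.attr}" if base else None
    return None


class _FunctionChecker(ast.NodeVisitor):
    """Tracks which local variables hold attacker-controlled data inside one function body."""

    def __init__(self):
        self.tainted = set()   # variable names currently carrying attacker data
        self.findings = []     # one dict per tainted value reaching a sink

    def is_tainted(self, node):
        """Does the value of this expression depend on data from a source?"""
        if isinstance(node, ast.Name):
            return node.id in self.tainted
        if isinstance(node, ast.Constant):
            return False
        if isinstance(node, ast.Call):
            name = _dotted(node.func)
            if name in SOURCES:
                return True
            if name in SANITIZERS:
                return False  # a sanitizer call breaks the flow
            # method on a tainted object, or any tainted argument (e.g. "...".format(x))
            return (self.is_tainted(node.func)
                    or any(self.is_tainted(a) for a in node.args)
                    or any(self.is_tainted(k.value) for k in node.keywords))
        if isinstance(node, ast.BinOp):       # "..." + x, "..." % x
            return self.is_tainted(node.left) or self.is_tainted(node.right)
        if isinstance(node, ast.JoinedStr):   # f-strings
            return any(self.is_tainted(v.value) for v in node.values
                       if isinstance(v, ast.FormattedValue))
        if isinstance(node, (ast.Attribute, ast.Subscript)):
            return self.is_tainted(node.value)
        if isinstance(node, (ast.Tuple, ast.List)):
            return any(self.is_tainted(e) for e in node.elts)
        return False

    def visit_Assign(self, node):
        tainted = self.is_tainted(node.value)
        for target in node.targets:
            if isinstance(target, ast.Name):
                (self.tainted.add if tainted else self.tainted.discard)(target.id)
        self.generic_visit(node)

    def visit_AugAssign(self, node):          # x += y keeps x tainted or taints it
        if isinstance(node.target, ast.Name) and self.is_tainted(node.value):
            self.tainted.add(node.target.id)
        self.generic_visit(node)

    def visit_Call(self, node):
        name = _dotted(node.func)
        # Only the first argument of these sinks is the query/command string.
        if name in SINKS and node.args and self.is_tainted(node.args[0]):
            self.findings.append({"line": node.lineno, "kind": SINKS[name]})
        self.generic_visit(node)


def find_taint_flows(source):
    """Return a list of {line, kind, function} findings for every function in `source`."""
    findings = []
    for func in [n for n in ast.walk(ast.parse(source)) if isinstance(n, ast.FunctionDef)]:
        checker = _FunctionChecker()
        for stmt in func.body:
            checker.visit(stmt)
        for f in checker.findings:
            findings.append({**f, "function": func.name})
    return findings


# Constructed sample program: one vulnerable query, one parameterised query, one sanitised value.
SAMPLE = '''
def lookup_user_vulnerable(cursor):
    name = input("user: ")
    query = "SELECT * FROM users WHERE name = '" + name + "'"
    cursor.execute(query)

def lookup_user_fixed(cursor):
    name = input("user: ")
    cursor.execute("SELECT * FROM users WHERE name = ?", (name,))

def lookup_by_id(cursor):
    raw = input("id: ")
    uid = int(raw)
    cursor.execute(f"SELECT * FROM users WHERE id = {uid}")
'''

if __name__ == "__main__":
    for finding in find_taint_flows(SAMPLE):
        print(f"line {finding['line']} in {finding['function']}: {finding['kind']}")
```

Run as a script it reports exactly one finding, the string-concatenated query in `lookup_user_vulnerable`, and pinpoints its line; the parameterised query passes the tainted value outside the query string and the `int()` call acts as a sanitizer, so neither of the other two functions is flagged. The same structure, with per-language rule sets and interprocedural propagation added, is what a production engine has to get right for every construct the language offers.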
The RIPS Approach
Instead of building one generic analyzer for fundamentally different programming languages, such as statically typed Java and dynamically typed PHP, we strongly believe that complex security bugs in modern source code can only be accurately detected with a precise simulation of all of a language's subtleties, libraries, and pitfalls. After all, these nifty details account for today's security vulnerabilities. Hence, we build the RIPS analysis engines for each programming language independently, so that each one considers all of its language's details for the most accurate analysis possible.
Static analysis has the great advantage that the source code does not have to be running or even functional, so it can be integrated directly into the development process and detect security issues as early as possible, while the code is being written. Further, every issue can be pinpointed to the exact line of code for quick remediation. But not all static analysis solutions work the same, and there are also other approaches to testing the security of web applications. We summarized and compared all the different types of approaches in our blog post.
Analysis Profiles for Ultimate Fine-Tuning
RIPS analyzes source code out of the box, without any configuration required. Advanced users can tailor our analysis engines and algorithms to their specific environment to maximize analysis precision.