Our Unique Approach
Static code analysis algorithms dedicated to each programming language.
Background: Static Code Analysis
Static analysis (or static application security testing, SAST) is performed solely on the source code of an application, without executing it. The complete source code is transformed into an abstract model that is then analyzed for security vulnerabilities. More precisely, taint analysis follows the data flow of user input that the application receives (the source) across file and function boundaries. If user input reaches a security-sensitive operation (a sink, such as a SQL query) without being validated or sanitized on the way, an attacker could manipulate that operation, so a security vulnerability is reported (e.g. a SQL injection vulnerability).
The RIPS Approach
Instead of building one generic analyzer for fundamentally different programming languages, such as statically typed Java and dynamically typed PHP, we strongly believe that complex security bugs in modern source code can only be accurately detected with a precise simulation of all of a language's subtleties, libraries, and pitfalls. After all, it is exactly these details that account for today's security vulnerabilities. Hence, we build the RIPS analysis engine for each programming language independently, so that it considers all of the language's details for the most accurate analysis possible.
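As an added example, written for this page and not taken from RIPS, the following toy analyzer shows the taint propagation described under Background (sources, sinks, flow across a function and file boundary) together with the point made above that sink and sanitizer knowledge is language-specific: SQL escaping does not make a value safe for HTML output, and mysqli_real_escape_string() escapes its second argument, not its first. The PHP-like IR, the sample program, and the sink and sanitizer tables are all constructed for the illustration; a real engine parses the PHP itself and tracks far more state.

```python
"""Toy taint analysis over a hand-written, PHP-like IR (constructed example).

Statement forms (second field is the source line the statement came from):
  ("source", line, dst, name)         $dst = $_GET[...] / $_POST[...]
  ("assign", line, dst, src)          $dst = $src
  ("concat", line, dst, [parts])      $dst = part . part ...  (literals allowed)
  ("call",   line, dst, fname, args)  $dst = fname(args...)   (dst may be None)
  ("return", line, var)               return $var
A real engine would lower parsed PHP into something like this.
"""

# Sink classes: the vulnerability triggered when tainted data reaches the call.
SINKS = {"mysql_query": "sqli", "echo": "xss"}

# Sanitizers are library specific: which argument they clean and for which
# sink class. SQL escaping does nothing against XSS, and
# mysqli_real_escape_string() escapes argument 1 (argument 0 is the link).
SANITIZERS = {
    "intval": (0, {"sqli", "xss"}),
    "mysqli_real_escape_string": (1, {"sqli"}),
    "htmlspecialchars": (0, {"xss"}),
}

MAX_DEPTH = 8  # guard against unbounded recursion when following callees


def analyze(file, body, funcs, env, findings, depth=0):
    """Walk one statement list. env maps $var -> set of sink classes the value
    can still trigger (empty set = clean). Returns the taint of the value
    returned by the list, if any."""
    for st in body:
        op, line = st[0], st[1]
        if op == "source":                       # raw input can hit any sink class
            env[st[2]] = set(SINKS.values())
        elif op == "assign":
            env[st[2]] = set(env.get(st[3], set()))
        elif op == "concat":                     # literal parts have no env entry
            env[st[2]] = set().union(*(env.get(p, set()) for p in st[3]))
        elif op == "return":
            return set(env.get(st[2], set()))
        elif op == "call":
            _, _, dst, fname, args = st
            result = call_effect(file, line, fname, args, env, funcs, findings, depth)
            if dst is not None:
                env[dst] = result
    return set()


def call_effect(file, line, fname, args, env, funcs, findings, depth):
    """Taint of a call's return value; records a finding when a sink is hit."""
    arg_taint = [env.get(a, set()) for a in args]
    if fname in SINKS:
        kind = SINKS[fname]
        for var, taint in zip(args, arg_taint):
            if kind in taint:
                findings.append((kind, file, line, fname, var))
        return set()                             # the sink's own result is treated as clean
    if fname in SANITIZERS:
        idx, removes = SANITIZERS[fname]
        return arg_taint[idx] - removes
    if fname in funcs and depth < MAX_DEPTH:     # cross the function (and file) boundary
        callee_file, params, callee_body = funcs[fname]
        callee_env = dict(zip(params, arg_taint))
        return analyze(callee_file, callee_body, funcs, callee_env, findings, depth + 1)
    return set().union(*arg_taint)               # unknown function: assume taint passes through


# Constructed sample program, written out as the PHP it stands for:
#   index.php                                          lib.php
#   2: $id = $_GET['id'];                              1: function lookup($x) {
#   3: $name = $_POST['name'];                         2:   $q = "SELECT * FROM users WHERE id = " . $x;
#   4: $clean = intval($id);                           3:   $r = mysql_query($q);
#   5: lookup($clean);                                 4:   return $r;
#   6: lookup($id);                                    5: }
#   7: $esc = mysqli_real_escape_string($link, $name);
#   8: echo $esc;
FUNCS = {
    "lookup": ("lib.php", ["$x"], [
        ("concat", 2, "$q", ['"SELECT * FROM users WHERE id = "', "$x"]),
        ("call", 3, "$r", "mysql_query", ["$q"]),
        ("return", 4, "$r"),
    ]),
}
INDEX = [
    ("source", 2, "$id", "$_GET"),
    ("source", 3, "$name", "$_POST"),
    ("call", 4, "$clean", "intval", ["$id"]),
    ("call", 5, None, "lookup", ["$clean"]),
    ("call", 6, None, "lookup", ["$id"]),
    ("call", 7, "$esc", "mysqli_real_escape_string", ["$link", "$name"]),
    ("call", 8, None, "echo", ["$esc"]),
]


def scan():
    """Run the analysis on the sample program and return (kind, file, line, sink, var) findings."""
    findings = []
    analyze("index.php", INDEX, FUNCS, {}, findings)
    return findings


if __name__ == "__main__":
    for kind, file, line, sink, var in scan():
        print(f"{kind}: {var} reaches {sink}() at {file}:{line}")
```

Running it reports two findings: the SQL injection at lib.php line 3, reached only through the unsanitized call on index.php line 6 (the intval() path on line 5 stays clean), and the XSS on index.php line 8, because SQL escaping leaves the XSS taint in place. The per-call inlining of callees is the simplest form of interprocedural analysis; a production engine would compute function summaries instead of re-walking the body at every call site.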
Comparing Code Scanning Approaches
During static analysis, the source code of an application doesn't have to be running, functional, or even complete, unlike dynamic testing, which needs a deployed and working application. Code can be analyzed for vulnerabilities and security risks while the application is still being developed. Developers can, and should, scan the code continuously throughout the software development lifecycle. This way, they discover vulnerabilities as early as possible, while the code is being written, and every security issue discovered is pinpointed to the exact line of code for quick remediation. For more information on static analysis solutions, please read our blog.
Analysis Profiles for Ultimate Fine-Tuning
RIPS allows you to analyze source code straight out of the box, without time-consuming configuration. Advanced users can tailor our analysis engines and algorithms to their specific environment to maximize code analysis precision.