DerScanner Detects Vulnerabilities and Undocumented Features in Open Source Projects

DerScanner static code analyzer detects vulnerabilities and undocumented features in Open Source projects (freely distributed software, components and libraries used by developers in their projects). DerSecur team notes that March saw a significant increase in critical vulnerabilities detected in the analyzed Open Source software.

Based on the scan results, the SAST tool highlights vulnerable code providing recommendations on fixing it. The Fuzzy Logic Engine technology helps to reduce the number of false positives and false negatives.

A large-scale Red Hat study found out that 95% of the 950 CIOs surveyed noted the strategic importance of Open Source projects for their corporate software infrastructure.  However, the risk of using open source solutions arises since they are developed by willing contributors, who nevertheless do not guarantee the security of the developed software.

The case of Apache Log4j, a library used by millions of corporate applications and Java servers, is a fine example of the threats posed by vulnerabilities in Open Source solutions. This library’s vulnerabilities allowed attackers to execute arbitrary code on a server or device to steal data or introduce malware.

“Modern software development is impossible without the widespread use of Open Source components. But when Open Source solutions can pose a great danger, the security analysis of freely distributed libraries and applications becomes a prerequisite for their use” said Dan Chernov, CTO of DerSecur. “Since Open Source solutions are developed by a wide IT community, it is possible that under the guise of improvements, attackers can themselves add code fragments with vulnerabilities to particular libraries.”

About DerScanner

DerScanner is a static app code analyzer capable of identifying vulnerabilities and undocumented features. Its distinctive feature is the ability to analyze not only source code, but also executables (i.e. binaries) and to return much better results when compared to DAST. The analyzer can test apps written in 36 programming languages or compiled into an executable file with one of 9 extensions, including those for Google Android, Apple iOS, and Apple macOS.