
The new version of DerScanner with SCA

The new version of DerScanner code analyzer features a software composition analysis module

DerSecur has released an update of its comprehensive security monitoring software solution DerScanner, combining static (SAST) and dynamic (DAST) code analysis capabilities. Version 3.13 adds a Software Composition Analysis (SCA) module. SCA can accelerate the detection of vulnerabilities in third-party software components when using open-source libraries. With SAST and DAST in place, DerScanner now combines the capabilities of the three key types of analysis, providing comprehensive application security control. In addition, version 3.13 introduces the ability to automatically start tasks in Jira based on scan results, significantly extends the vulnerability search rules base for some programming languages, and makes a number of other changes.

"Open source applications and libraries have become one of the most urgent threats to information security over the past year," says Dan Chernov, Chief Executive Officer of DerScanner. "According to the Linux Foundation, 70% to 90% of today's applications contain open source software, and vulnerabilities in third-party components open up great opportunities for attackers. Just think of the story of the discovered vulnerability in the Apache Log4j library, which is used in millions of enterprise applications. In addition, there has been an increase in the deliberate introduction of malicious code into Open Source. This is why it is very important today to check for vulnerabilities not only in your own code, but also in third-party components."

SCA already contains data on specific versions of open-source libraries and the vulnerabilities known in them. Because the component code does not have to be analysed from scratch, processing is faster. The system automatically detects all third-party components and provides a complete list of dependencies and the vulnerabilities in them. The software composition analysis implemented in the new version of DerScanner can be run from the homepage, as can code checking with static and dynamic analysis. The search draws on several sources: the largest public vulnerability databases and DerSecur's own database, which is regularly updated by DerSecur experts. Using SCA prevents threats and reduces the information security risks that arise from borrowed code. Thus, DerScanner now provides comprehensive software security monitoring using three key types of analysis (SAST, DAST and SCA) in a single interface, and to minimize false alarms it uses its own Fuzzy Logic Engine technology.

DerSecur experts have also added support for the OWASP MASVS vulnerability classification and updated the supported PCI DSS version from 3.2.1 to 4.0. The base of vulnerability search rules for Java and C# has been significantly expanded, and new vulnerability search patterns have been added for a number of other programming languages. DerScanner remains the world leader in the number of supported languages, with 36 today. The scanner automatically detects the language in which the code is written, and can also check programs written in several languages at once.

DerScanner 3.13 has also introduced a number of changes to improve the user experience. In particular, it is now possible to manage the scanning queue. When running an analysis, you can now assign a scan priority and monitor the queue on a new page under 'Projects'. In addition, interactive hints now appear when you log in for the first time.

Another change concerns the handling of LDAP users. It is now easier for the DerScanner administrator to control system access for employees who connect via this protocol, and to track the number of users allowed under the existing licence.

The new version of DerScanner can automatically create tasks in Jira based on scan results. This functionality simplifies the work of security officers in companies that implement the solution into secure development processes. DerScanner's extensive capabilities allow it to be integrated with repositories, development environments, bug tracking systems and CI/CD services. Maximum automation and continuity of the vulnerability detection and mitigation process is now a necessity for software companies.
