RIPS

Last updated
RIPS
Developer(s) RIPS Technologies
Operating system Cross-platform
Type Static code analysis

RIPS (Research and Innovation to Promote Security) is a static code analysis software, designed for automated detection of security vulnerabilities in PHP and Java applications. The initial tool was written by Johannes Dahse and released during the Month of PHP Security [1] in May 2010 as open-source software. [2] The open-source version is released under the GNU Lesser General Public License and was maintained until 2013.

Contents

In 2016, RIPS Technologies, a company based in Bochum, Germany, released a rewritten version of RIPS. [3] The closed-source RIPS product was focused on industrial customers. Its analysis techniques were awarded, amongst others, the Internet Defense Prize [4] by Facebook.

In 2020, RIPS Technologies was acquired by SonarSource. [5] The RIPS tool is no longer available as a stand-alone product.

Open-Source Version (PHP)

The open-source version tokenizes PHP code (lexical analysis) based on PHP's tokenizer extension and performs semantic analysis to build a program model. Based on previously analyzed variable assignments, it performs backwards-directed inter-procedural taint analysis of sensitive sinks. This version or RIPS had the ability to scan PHP applications very fast for PHP-specific vulnerabilities. It supports the detection of 15 different vulnerability types, including Cross-Site Scripting, SQL Injection, Local File Inclusion, and others. Detected vulnerabilities are presented in a web interface with the minimum set of affected code lines as well as a vulnerability summary. For each vulnerability, an integrated code viewer can be opened in order to highlight the affected code lines in the original source code, which aids in easier remediation. Furthermore, aid is offered to understand the vulnerability and exploits can be generated automatically. The interface also offers a list of scanned PHP files, user-defined functions, and detected sources. The latest stable release version is 0.55, from 2017. [6]

Commercial Version (Java, PHP, Node.js)

The commercial version supported analysis of PHP and Java code. In order to identify security vulnerabilities that are based on second-order data flows or misplaced security mechanisms, it used abstract syntax trees, control-flow graphs, and context-sensitive taint analysis [7] It could automatically detect 200 different vulnerability types, code quality issues and misconfiguration weaknesses. The commercial version supported all versions of Java (up to 11), PHP (up to 7) and Node.js, industry standards such as OWASP Top 10, ASVS, CWE, SANS 25, and PCI-DSS. RIPS was available as on-premises software and as Software-as-a-Service.

See also

Related Research Articles

In computer science, static program analysis is the analysis of computer programs performed without executing them, in contrast with dynamic program analysis, which is performed on programs during their execution in the integrated environment.

<span class="mw-page-title-main">PMD (software)</span> Static software analysis tool

PMD is an open source static source code analyzer that reports on issues found within application code. PMD includes built-in rule sets and supports the ability to write custom rules. PMD does not report compilation errors, as it only can process well-formed source files. Rather, PMD is designed to detect inefficient code or bad programming habits, which can reduce the performance and maintainability of the program if they accumulate. It can analyze files written in Java, JavaScript, Apex and Visualforce, PLSQL, Apache Velocity, XML, and XSL.

LXR Cross Referencer, usually known as LXR, is a general-purpose source code indexer and cross-referencer for code comprehension that provides web-based browsing of source code, with links to the definition and usage of any identifier.

<span class="mw-page-title-main">Metasploit</span> Computer security testing tool

The Metasploit Project is a computer security project that provides information about security vulnerabilities and aids in penetration testing and IDS signature development. It is owned by Boston, Massachusetts-based security company, Rapid7.

Security testing is a process intended to detect flaws in the security mechanisms of an information system and as such help enable it to protect data and maintain functionality as intended. Due to the logical limitations of security testing, passing the security testing process is not an indication that no flaws exist or that the system adequately satisfies the security requirements.

<span class="mw-page-title-main">Coverity</span> American software company

Coverity is a proprietary static code analysis tool from Synopsys. This product enables engineers and security teams to find and fix software defects.

Dynamic program analysis is the act of analyzing software that involves executing a program – as opposed to static program analysis, which does not execute it.

Semmle Inc is a code-analysis platform; Semmle was acquired by GitHub on 18 September 2019 for an undisclosed amount. Semmle's LGTM technology automates code review, tracks developer contributions, and flags software security issues. The LGTM platform leverages the CodeQL query engine to perform semantic analysis on software code bases. GitHub aims to integrate Semmle technology to provide continuous vulnerability detection services. In November 2019, use of CodeQL was made free for research and open source. CodeQL either shares a direct pedigree with .QL (dot-que-ell), which derives from the Datalog family tree, or is an evolution of similar technology.

Dynamic application security testing (DAST) represents a non-functional testing process to identify security weaknesses and vulnerabilities in an application. This testing process can be carried out either manually or by using automated tools. Manual assessment of an application involves human intervention to identify the security flaws which might slip from an automated tool. Usually business logic errors, race condition checks, and certain zero-day vulnerabilities can only be identified using manual assessments.

<span class="mw-page-title-main">Parasoft</span> Software testing framework

Parasoft is an independent software vendor specializing in automated software testing and application security with headquarters in Monrovia, California. It was founded in 1987 by four graduates of the California Institute of Technology who planned to commercialize the parallel computing software tools they had been working on for the Caltech Cosmic Cube, which was the first working hypercube computer built.

<span class="mw-page-title-main">SonarQube</span> Open-source platform for continuous inspection of code quality

SonarQube is an open-source platform developed by SonarSource for continuous inspection of code quality to perform automatic reviews with static analysis of code to detect bugs and code smells on 29 programming languages. SonarQube offers reports on duplicated code, coding standards, unit tests, code coverage, code complexity, comments, bugs, and security recommendations.

<span class="mw-page-title-main">ThreadSafe</span>

ThreadSafe is a source code analysis tool that identifies application risks and security vulnerabilities associated with concurrency in Java code bases, using whole-program interprocedural analysis. ThreadSafe is used to identify and avoid software failures in concurrent applications running in complex environments.

Java code coverage tools are of two types: first, tools that add statements to the Java source code and require its recompilation. Second, tools that instrument the bytecode, either before or during execution. The goal is to find out which parts of the code are tested by registering the lines of code executed when running a test.

Perforce Software, Inc. is an American developer of software used for developing and running applications, including version control software, web-based repository management, developer collaboration, application lifecycle management, web application servers, debugging tools, platform automation, and agile planning software.

<span class="mw-page-title-main">SourceMeter</span> Source code analyzer tool

SourceMeter is a source code analyzer tool, which can perform deep static program analysis of the source code of complex programs in C, C++, Java, Python, C#, and RPG (AS/400). FrontEndART has developed SourceMeter based on the Columbus technology researched and developed at the Department of Software Engineering of the University of Szeged.

CodeSonar is a static code analysis tool from CodeSecure, Inc. CodeSonar is used to find and fix bugs and security vulnerabilities in source and binary code. It performs whole-program, inter-procedural analysis with abstract interpretation on C, C++, C#, Java, as well as x86 and ARM binary executables and libraries. CodeSonar is typically used by teams developing or assessing software to track their quality or security weaknesses. CodeSonar supports Linux, BSD, FreeBSD, NetBSD, MacOS and Windows hosts and embedded operating systems and compilers.

Static application security testing (SAST) is used to secure software by reviewing the source code of the software to identify sources of vulnerabilities. Although the process of statically analyzing the source code has existed as long as computers have existed, the technique spread to security in the late 90s and the first public discussion of SQL injection in 1998 when Web applications integrated new technologies like JavaScript and Flash.

In computer science, a code property graph (CPG) is a computer program representation that captures syntactic structure, control flow, and data dependencies in a property graph. The concept was originally introduced to identify security vulnerabilities in C and C++ system code, but has since been employed to analyze web applications, cloud deployments, and smart contracts. Beyond vulnerability discovery, code property graphs find applications in code clone detection, attack-surface detection, exploit generation, measuring code testability, and backporting of security patches.

References

  1. "MOPS Submission 09: RIPS – A static source code analyser for vulnerabilities in PHP scripts « the Month of PHP Security". Php-security.org. 2010-05-24. Retrieved 2016-08-10.
  2. "RIPS open-source download". SourceForge.net. Retrieved 2016-08-10.
  3. "RIPS - The Technology Leader in Static Application Security Testing". ripstech.com. 2019-05-07. Retrieved 2019-05-07.
  4. "Internet Defense Prize". internetdefenseprize.org. Retrieved 2017-03-19.
  5. "SonarSource's announcement of acquisition". 13 May 2020.
  6. "RIPS - PHP Security Analysis - Browse Files at SourceForge.net". sourceforge.net. Retrieved 2024-05-05.
  7. "RIPS - Our Static Application Security Testing Approach". ripstech.com. Retrieved 2019-05-07.
This page is based on this Wikipedia article
Text is available under the CC BY-SA 4.0 license; additional terms may apply.
Images, videos and audio are available under their respective licenses.