RIPS

RIPS (Research and Innovation to Promote Security) is a static code analysis software for the automated detection of security vulnerabilities in PHP and Java applications. The initial tool was written by Johannes Dahse and released during the Month of PHP Security[1] in May 2010 as open-source software.[2] The open-source version is released under the Lesser GNU General Public License and was maintained until 2013.

Developer(s): RIPS Technologies
Operating system: Cross-platform
Type: Static code analysis

In 2016, RIPS Technologies, a company based in Bochum, Germany, released a rewritten version of RIPS.[3] The new RIPS product overcomes the limitations of the open-source tool[4] and is more focused on industrial customers. Its analysis techniques were awarded, amongst others, the Internet Defense Prize[5] by Facebook.

In 2020, RIPS Technologies was acquired by SonarSource.[6] The RIPS tool is no longer available as a stand-alone product.

Open-Source Version (PHP)

The open-source version tokenizes PHP code (lexical analysis) using PHP's tokenizer extension and performs semantic analysis to build a program model. Based on previously analysed variable assignments, it performs backwards-directed inter-procedural taint analysis starting from sensitive sinks. Its strength is the ability to scan PHP applications very quickly for PHP-specific vulnerabilities. It supports the detection of 15 different vulnerability types, including Cross-Site Scripting, SQL Injection, and Local File Inclusion. Detected vulnerabilities are presented in a web interface with the minimum set of affected code lines as well as a vulnerability summary. For each vulnerability, an integrated code viewer can be opened to highlight the affected lines in the original source code for easy remediation. Furthermore, help is offered to understand the vulnerability, and exploits can be generated automatically. The interface also offers a list of scanned PHP files, user-defined functions, and detected sources. The weakness of the open-source version is false positives caused by the lack of an abstract syntax tree and control-flow graph; its lack of support for object-oriented PHP code can also lead to false negatives. The latest stable release is version 0.54.
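The tokenizer-based, sink-to-source taint check described above, as an added example that is not part of the article and not code from RIPS itself: it uses PHP's tokenizer extension (token_get_all), records variable assignments as statements are read, and at each sink walks the assignment chain backwards to a user-controlled source. The sink, source and sanitizer lists, the function names reaches_source and find_taint, and the sample program are assumptions constructed for this example. The last case in the sample reproduces the false positive the article attributes to the missing control-flow graph: a purely token-level check never sees the is_numeric() guard.

```php
<?php
// Added example, not code from RIPS: a minimal token-based, backward-directed
// taint check built on PHP's tokenizer extension. The sink/source/sanitizer
// lists and the sample program below are constructed assumptions for the demo.

// Follow $var back through its latest assignment ($defs) until a user-controlled
// source is reached (tainted) or a sanitizer/cast stops the flow. $trace records
// the chain of variables so a finding can report its path.
function reaches_source(string $var, array $defs, array &$trace, array $visited = []): bool
{
    $sources    = ['$_GET', '$_POST', '$_COOKIE', '$_REQUEST'];
    $sanitizers = ['htmlspecialchars', 'intval', 'mysql_real_escape_string'];
    $casts      = [T_INT_CAST, T_DOUBLE_CAST, T_BOOL_CAST];

    if (in_array($var, $sources, true)) {
        $trace[] = $var;
        return true;                                   // reached user input
    }
    if (!isset($defs[$var]) || isset($visited[$var])) {
        return false;                                  // never assigned, or a cycle
    }
    $visited[$var] = true;
    $trace[] = $var;

    foreach ($defs[$var] as $t) {                      // sanitizer or cast on this assignment?
        if (!is_array($t)) {
            continue;
        }
        $clean = ($t[0] === T_STRING && in_array($t[1], $sanitizers, true))
              || in_array($t[0], $casts, true);
        if ($clean) {
            array_pop($trace);
            return false;
        }
    }
    foreach ($defs[$var] as $t) {                      // otherwise recurse into RHS variables
        if (is_array($t) && $t[0] === T_VARIABLE && reaches_source($t[1], $defs, $trace, $visited)) {
            return true;
        }
    }
    array_pop($trace);
    return false;
}

// Tokenize, split into ';'-terminated statements, remember "$var = <rhs>"
// assignments, and at each sink trace its argument variables back to a source.
function find_taint(string $code): array
{
    $sinks = ['echo' => 'Cross-Site Scripting', 'mysql_query' => 'SQL Injection', 'include' => 'File Inclusion'];
    $skip  = [T_WHITESPACE, T_COMMENT, T_OPEN_TAG, T_CLOSE_TAG];

    $statements = [];
    $current    = [];
    foreach (token_get_all($code) as $t) {
        if (is_array($t) && in_array($t[0], $skip, true)) {
            continue;
        }
        if ($t === ';') {
            $statements[] = $current;
            $current      = [];
        } else {
            $current[] = $t;
        }
    }

    $defs     = [];   // variable name => RHS tokens of its latest assignment
    $findings = [];
    foreach ($statements as $stmt) {
        if (count($stmt) > 2 && is_array($stmt[0]) && $stmt[0][0] === T_VARIABLE && $stmt[1] === '=') {
            $defs[$stmt[0][1]] = array_slice($stmt, 2);
            continue;
        }
        foreach ($stmt as $i => $t) {
            if (!is_array($t)) {
                continue;
            }
            $name = $t[0] === T_ECHO ? 'echo' : ($t[0] === T_INCLUDE ? 'include' : ($t[0] === T_STRING ? $t[1] : null));
            if ($name === null || !isset($sinks[$name])) {
                continue;
            }
            foreach (array_slice($stmt, $i + 1) as $arg) {
                $trace = [];
                if (is_array($arg) && $arg[0] === T_VARIABLE && reaches_source($arg[1], $defs, $trace)) {
                    $findings[] = ['type' => $sinks[$name], 'line' => $t[2], 'trace' => $trace];
                }
            }
            break;                                     // one sink per statement is enough here
        }
    }
    return $findings;
}

// Constructed sample program under analysis (not from the article).
$sample = <<<'PHP'
<?php
$id   = $_GET['id'];
$name = htmlspecialchars($_GET['name']);
$page = (int) $_GET['page'];
$q    = "SELECT * FROM posts WHERE id = " . $id;
echo $name;                 // sanitized: no finding
echo $page;                 // cast to int: no finding
echo $id;                   // finding: XSS, line 8
mysql_query($q);            // finding: SQL injection, line 9, trace $q <- $id <- $_GET
if (is_numeric($id)) {      // safe at run time, but without a control-flow graph the
    mysql_query($q);        // token-level check still reports line 11: a false positive
}
PHP;

foreach (find_taint($sample) as $f) {
    printf("%-22s line %2d  %s\n", $f['type'], $f['line'], implode(' <- ', $f['trace']));
}
```

Run it with `php example.php`. The analysis is intra-procedural and flow-insensitive: assignments are recorded in textual order and guards such as the is_numeric() branch are invisible, which is exactly why the guarded query is still reported. A tool with an abstract syntax tree and control-flow graph can tie the sanitizing condition to the sink and suppress that finding.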

Commercial Version (Java, PHP)

The commercial version supports the analysis of PHP and Java code. It was built from scratch and leverages new code analysis techniques specifically tailored to the intricacies of each programming language and its features. It uses abstract syntax trees, control-flow graphs, and context-sensitive taint analysis to accurately identify even complex security vulnerabilities based on second-order data flows or misplaced security mechanisms.[7] Further, it simulates each language's built-in features, libraries, and frameworks to minimise false positives. It supports the automated detection of over 200 different vulnerability types, code quality issues, and misconfiguration weaknesses. RIPS found critical security issues in popular open-source projects, including WordPress, Joomla, Magento, phpBB, Moodle, and Roundcube.[8] Unlike the open-source version, the commercial version supports all versions of Java (up to 11), PHP (up to 7) and Node.js, industry standards such as OWASP Top 10, ASVS, CWE, SANS 25, and PCI-DSS, and can be integrated into the software development life cycle. RIPS is available as on-premises software and as Software-as-a-Service.

References

  1. "MOPS Submission 09: RIPS – A static source code analyser for vulnerabilities in PHP scripts « the Month of PHP Security". Php-security.org. 2010-05-24. Retrieved 2016-08-10.
  2. "RIPS open-source download". SourceForge.net. Retrieved 2016-08-10.
  3. "RIPS - The Technology Leader in Static Application Security Testing". ripstech.com. 2019-05-07. Retrieved 2019-05-07.
  4. "RIPS Feature Comparison". SourceForge.net. Retrieved 2017-03-19.
  5. "Internet Defense Prize". internetdefenseprize.org. Retrieved 2017-03-19.
  6. "Twitter announcement of acquisition".
  7. "RIPS - Our Static Application Security Testing Approach". ripstech.com. Retrieved 2019-05-07.
  8. "Vulnerabilities detected by RIPS". ripstech.com. Retrieved 2017-03-19.
This article is issued from Wikipedia. The text is licensed under Creative Commons - Attribution - Sharealike. Additional terms may apply for the media files.