RIPS performs static analysis and scans source code for security issues. Currently, RIPS supports the PHP programming language in all versions (3-7).
Static Code Analysis
Static analysis is performed solely on the source code of an application without executing the application. The complete source code is transformed into an abstract model that is analyzed for security vulnerabilities. More precisely, RIPS uses taint analysis to analyze the data flow of user input that the application receives. If user input reaches a security-sensitive operation (e.g. a SQL query or a file path), an attacker could manipulate that operation, so a security vulnerability is reported (e.g. a SQL injection or path traversal vulnerability). The data flow of user input is traced throughout the complete code base, including all files, functions, classes, and methods. The outcome is an efficient analysis of 100% of the code, regardless of the application's runtime environment or completeness. Static application security testing (SAST) tools should be part of the regular code testing and review process, so that security issues can be detected and remediated as early as possible. This allows developers and security analysts to ensure that complex security vulnerabilities do not remain undetected in the source code.
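To make the source-to-sink idea concrete, here is an added example (not RIPS code, and not its real intermediate representation) of a minimal taint analysis over a constructed, pre-parsed PHP-like program: it propagates taint from $_GET through assignments and string concatenation, clears it only for the sink types a sanitizer actually covers, and reports the data-flow trace when tainted data reaches a sink. The source, sanitizer and sink tables are simplified assumptions for illustration.

```python
# Constructed, pre-parsed PHP-like IR; hypothetical, not RIPS's own format.
SOURCES = {"$_GET", "$_POST", "$_COOKIE"}
SANITIZERS = {  # sanitizer -> sink types whose risk it removes (simplified)
    "intval": {"sql", "file"}, "mysqli_real_escape_string": {"sql"}, "basename": {"file"}}
SINKS = {"mysqli_query": "sql", "include": "file", "file_get_contents": "file"}

def analyze(stmts):
    """stmts: ("assign", dst, src) | ("concat", dst, [parts]) | ("call", dst, fn, arg)
    | ("sink", fn, arg). Returns a list of (sink_type, sink_fn, data-flow trace)."""
    env, findings = {}, []   # env: tainted var -> (sink types it is safe for, trace)
    for n, (kind, *rest) in enumerate(stmts, 1):
        if kind == "assign":
            dst, src = rest
            if src in SOURCES:
                env[dst] = (set(), [f"{n}: {dst} = {src}"])
            elif src in env:
                env[dst] = (set(env[src][0]), env[src][1] + [f"{n}: {dst} = {src}"])
            else:
                env.pop(dst, None)              # overwritten with an untainted value
        elif kind == "concat":
            dst, parts = rest
            tainted = [env[p] for p in parts if p in env]
            if tainted:                         # safe only where every tainted part is safe
                safe = set.intersection(*(t[0] for t in tainted))
                env[dst] = (safe, tainted[0][1] + [f"{n}: {dst} = {' . '.join(parts)}"])
            else:
                env.pop(dst, None)
        elif kind == "call":
            dst, fn, arg = rest
            if arg in env:                      # sanitizers widen safe_for, other calls pass taint
                env[dst] = (env[arg][0] | SANITIZERS.get(fn, set()),
                            env[arg][1] + [f"{n}: {dst} = {fn}({arg})"])
            else:
                env.pop(dst, None)
        elif kind == "sink":
            fn, arg = rest
            if arg in env and SINKS[fn] not in env[arg][0]:
                findings.append((SINKS[fn], fn, env[arg][1] + [f"{n}: {fn}({arg})"]))
    return findings

# Constructed sample, equivalent to a few lines of PHP handling $_GET['id'].
SAMPLE = [
    ("assign", "$id", "$_GET"),                                   # $id = $_GET['id'];
    ("concat", "$q", ["'SELECT * FROM u WHERE id='", "$id"]),     # unescaped in SQL string
    ("sink", "mysqli_query", "$q"),                               # reported: SQL injection
    ("call", "$safe", "basename", "$id"),
    ("sink", "include", "$safe"),                                 # sanitized for file sinks
    ("call", "$n", "intval", "$id"),
    ("sink", "mysqli_query", "$n"),                               # intval: safe for SQL
]
```

Running `analyze(SAMPLE)` yields a single finding for the unescaped SQL query, with the trace `$id = $_GET` → `$q = ... . $id` → `mysqli_query($q)`; the two sanitized flows produce nothing.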
How RIPS works
You can find insights about how our analysis engine works in our blog post:
How RIPS compares to other solutions
You can find insights about how we compare our analysis engine to other approaches in our blog post: