We are proud to release RIPS 3.2 today with a groundbreaking preview feature: RIPS Automated Patch Generation fixes your vulnerable code lines for the most efficient issue remediation. Our new update also comes with many improvements to RIPS’ PHP and Java analysis engines, usability improvements, and IDE integrations for Visual Studio Code and Eclipse.
Automated Patch Generation
RIPS scans your source code for critical security vulnerabilities fully automatically in only a few minutes. But the most time-consuming task when securing your application is researching and writing code patches that sufficiently fix all the detected security problems. Particularly when hundreds of issues are detected, developers can get stuck for weeks patching code and lose valuable development time.
Our new PatchGen feature optimizes this process and drastically reduces your time to fix. RIPS is now able to automatically propose a patch that is tailored exactly to your vulnerable code line and vulnerability type. With RIPS’ unique context-sensitive analysis, the patch can even be customized for the exact markup context of each issue to prevent sophisticated attack vectors. As a classical example, RIPS knows exactly whether your Cross-Site Scripting context is within a double-quoted or single-quoted attribute and which patch protects sufficiently in each context.
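The attribute-context distinction described above can be seen with PHP's own `htmlspecialchars()`. The following is an added example, not RIPS output or code from RIPS; the helper names and sample inputs are constructed for illustration.

```php
<?php
// Added example: helper names and the sample inputs are constructed.

// Escapes & < > and double quotes only. ENT_COMPAT is passed explicitly
// because the default flags of htmlspecialchars() became ENT_QUOTES in PHP 8.1.
function escapeDoubleQuotesOnly(string $value): string
{
    return htmlspecialchars($value, ENT_COMPAT | ENT_SUBSTITUTE, 'UTF-8');
}

// Escapes both quote styles, so it holds in either quoted-attribute context.
function escapeBothQuotes(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// The attribute value stays contained only if the escaped text no longer
// contains the raw quote character that delimits the attribute.
function staysInsideAttribute(string $escaped, string $delimiter): bool
{
    return strpos($escaped, $delimiter) === false;
}

// Constructed inputs: each tries to close one quote style and add an attribute.
$inputs = ["x' data-injected='1", 'x" data-injected="1'];
$escapers = ['escapeDoubleQuotesOnly', 'escapeBothQuotes'];

foreach ($escapers as $escaper) {
    foreach (["'", '"'] as $delimiter) {
        foreach ($inputs as $input) {
            $escaped = $escaper($input);
            $tag = '<input value=' . $delimiter . $escaped . $delimiter . '>';
            $verdict = staysInsideAttribute($escaped, $delimiter) ? 'contained' : 'BREAKS OUT';
            printf("%-22s %-10s %s\n", $escaper, $verdict, $tag);
        }
    }
}
```

Of the eight combinations, only the double-quote-only escaper inside a single-quoted attribute lets the value leave its attribute, which is why the same sanitizer can be sufficient in one markup context and insufficient in another.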
Our new PatchGen is currently a preview feature and does not yet provide a copy-paste-ready patch for all issue types. But it moves away from generic patch instructions towards easily applied code fixes. It significantly cuts down the time you need to get started and implement a secure patch for the most common vulnerabilities.
Improved Code Summary
Our language-specific taint analysis follows the data flow of user input throughout all code paths and features of your application. When any user input is used in security-sensitive markup, such as HTML, and is not sufficiently sanitized beforehand, RIPS reports a security vulnerability (e.g. XSS). Following this data flow in our reports to verify that RIPS analyzed it correctly can become tricky in complex code bases. Especially when vulnerable language features are used or when faulty input sanitization was applied, a developer might not see the security problem right away and misinterpret the result.
We added additional highlights to our code summary that further help to pinpoint the root cause of each issue. For example, next to our highlights of user input, markup concatenation, and security-sensitive operations, we now also underline the exact variables so that you do not lose focus in code lines with several variables. Additionally, we raise pitfall warnings whenever RIPS detects an insufficient patch or a language-specific trick that can be abused by attackers. For example, in the picture above, sanitization was applied insufficiently.
Visual Studio Code IDE Integration
With RIPS 3.2 we release our new integration plugin for Visual Studio Code. VSCode is an open source IDE developed by Microsoft and is one of the most popular editors used for PHP and Java application development. Our security plugin lets you start new security scans of freshly developed code directly from the VSCode IDE. The source code is then analyzed with RIPS for security vulnerabilities. All detected security issues can be directly reviewed within the editor and coordinated with other developers. This allows you to relate security findings to your source code efficiently and to apply patches as early as possible in the development lifecycle.
Eclipse IDE Integration
Similar to our Visual Studio Code plugin, we also release a new integration plugin for Eclipse. Eclipse is most commonly known as an editor for developing Java applications, but it also supports other programming languages. Our new integration plugin allows you to equip Eclipse with the security analysis power of RIPS. You can start new scans from within Eclipse or load all detected security issues from other scans directly into your IDE.
Improved Framework Support
For improved vulnerability detection in framework-based code, we added more specific support for popular frameworks to our analysis engines. This enables RIPS to perform the most precise data flow analysis and to overcome static analysis challenges, such as routing or templating.
- Added Blade template support
- Added specific Guzzle support
- Improved Symfony support
- Improved Laravel support
- Improved Typo3 support
- Improved Oxide support
- Added JSP tag library support
- Added specific Stapler support
- Added specific Retrofit support
- Improved Struts2 support
Many other great improvements were added in RIPS 3.2. For example, we improved the administration of RIPS with a new installer, extended our LDAP integration, added a kill switch for scans, and a health check to supervise your server.