lock icon

Security Scanning

AppMaps contain definitive knowledge of how your application executed at runtime, including which requests it processed, which library functions it called, and how data was handled. That allows AppMap Analysis to instantly scan your AppMaps for security gaps and attack vectors.

Security Issues Detectable by AppMap Analysis

AppMap Analysis can find many security issues in your application, and new flaw detection rules are added frequently. The list below is only a sample of what AppMap Analysis can find, but you can review the full list in our documentation.

Broken Access Control

Broken Access Control issues are now at the top of the OWASP Top 10, and AppMap Analysis can reliably find them in your application.

Authorization before Authentication

Most frameworks make authorization happen correctly after authentication, but there are plenty of circumstances where this can inadvertently get reversed in an application. It is critical that users are only granted access to resources after they've been properly authenticated.

Missing Authentication

Human code reviewers can easily fail to spot a missing authentication call, especially when third-party frameworks are in use. AppMap Analysis knows which functions in popular frameworks represent authentication, and can deterministically identify API calls which get processed without first using them to identify the user.

Logout Without Session Reset

Sessions should always be reset upon logout, allowing server-side data to be cleared out and prevent attackers gaining access to latent private data. Since AppMap Analysis is able to record all the steps taken before, during, and after a session, it can trivially detect if sessions are not reset.

Cryptographic Failures

Recently becoming the second highest item on the OWASP Top 10, cryptographic failures lead to data exposure or system compromise. AppMap records how your application interacts with security libraries and how it handles keys and other sensitive data. If any issue occurs, AppMap detects where and how it happened, allowing you to remedy the flaw before it goes into production.

Secrets in Logs

Most secrets get logged inadvertentently. For example, a framework function for logging API requests might get used in a way that accidentally writes a user's API key to disk as the data gets processed deep within the back-end code.

Since AppMap follows the life of sensitive data while it's recording your application, it can detect if that data gets passed to a logging function. This is a far more reliable way of detecting a logged secret than watching log files for high entropy data, for example. AppMap Analysis shows you both where the secret was generated and where it was accidentally logged.

Unauthenticated Encryption

Unauthenticated encryption methods are vulnerable to attacks that could lead to your data being tampered with, or even decrypted by an unauthorized party.

Authenticated encryption provides both confidentiality and data authenticity, and AppMap Analysis can reliably detect when a secure authenticated encryption method is used.

Deprecated Cryptography Algorithms

Cryptographic techniques must stay ahead of what modern attackers can break, and older algorithms get deprecated each year as the computational power available to attackers increases. AppMap Analysis finds any runtime use of an out-of-date encryption algorithm and highlight exactly where in the code it was called.

Insecure Secret Comparisons

AppMap Analysis detects when secrets are compared at runtime using simple string equality comparisons.

Ordinary string comparison of a string with a piece of secret data can leak information about the secret through timing attacks. This can allow the attacker to significantly speed up brute forcing, turning an intractable exponential problem into a linear one.

Privilege Violations

Attackers can use certain techniques to run high-privilege commands within an application in a variety of ways. AppMap Analysis can detect when these could occur, and offers precise guidance on where and how to fix them.

Exec of Untrusted Code

Since AppMap records the path taken by data through your application, it knows which strings came from user input (for example, as a parameter to an API call). AppMap Analysis ensures that data never gets used within a system execution command.

Deserialization of Untrusted Data

Certain functions are unsafe to use with user-influenced data. For example, the Ruby function `Marshal.load` can deserialize data, but an attacker could craft a malicious payload that executes code shortly after deserialization. AppMap Analysis detects these kinds of issues and highlight not only where the deserialization occurred, but also where the data in question originally came from.

The above rules are only a sample of what AppMap Analysis can detect, and more rules are continually being added.

Instant, Accurate Security Scans

As soon as an AppMap appears in your code editor, it is analyzed for security flaws. Any flaws found are highlighted in your editor almost immediately, linked to the appropriate places in the AppMaps which show where the flaw exists. The source code containing the flaws is highlighted to make it extremely easy to find and fix the security problem.

AppMap Analysis is a next-generation security scanning product. Not only does it work much faster than traditional DAST and IAST tools, it is also able to be extremely definitive in its findings. Legacy tools might find an attack vector in your application, but they don't help you find the exact lines of code where the vulnerability exists. AppMap Analysis pinpoints the exact parts of your application - right down to the lines of code - that need addressing, and why.