1. Application Inspector — PRODUCT BRIEF
Simplify Compliance and Control Security
HIGHLIGHTS
• Achieve a high-level of assurance
through our innovative use of SAST,
DAST and IAST
with automatically generated
vulnerability exploits
vulnerabilities and not code errors
• Standardize security across multiple
languages and platforms including
web, mobile and ERP
• Improve security by integrating with
• WAF and IPS
Today, most organizations rely on network and web-based applications
for everything from business process management to cloud-based file
sharing and storage services. Likewise, mobile applications are lurking
just around the corner, poised to change the enterprise landscape,
yet again. However, in a rush for higher profits, most companies have
overlooked the underlying danger that these types of applications
pose. According to Verizon’s 2013 Data Breach Report, almost one in
three cyber-crime and cyber-espionage attacks were initiated using
application vulnerabilities as attack vectors. Additionally, the scientists at
Positive Research recently found that 50% of online banking applications
can be exploited to gain unauthorized access to corporate networks and
data and to make fraudulent transactions.
More than a decade of research and practical knowledge from auditing over
1,000 unique applications has gone into Application Inspector — a single,
user-friendly solution which allows you to quickly find and fill security holes
within your applications.
Resolving vulnerabilities swiftly and efficiently is critical — you can’t afford to
spend time chasing false alarms. Application Inspector’s intelligent scanning
engine finds true vulnerabilities while ignoring sourse code programming
errors — drastically reducing the number of potential false positives.
In contrast to other source code analysis products, Application Inspector is able
to examine software that is written in multiple languages; for example an ASP.
NET web application with an HTML 5.0 and JavaScript frontend that uses SQL
databases.
By automating the entire process, Application Inspector eliminates the
difficulties with application security assurance — slashing your compliance
costs and putting you in control of your enterprise security posture.
Know Your Risks - Instantly
Notasecurityexpert? Don’tworry.Ourautomationquicklyshowsyouhow
vulnerabilitiesinyourcodecanbeexploited—savingyoufromhavingtotracethe
logiconyourown.WhenApplicationInspectordetectsavulnerability,itautomatically
generatesanexploitvectorsuchasanHTTPorJSONrequest; demonstratingthe
weaknessandhowitcouldbeusedtoattackyourbusiness.
Discoveringvulnerabilitiesearlyinthedevelopmentprocesswillobviouslyhelpto
ensureahigher-levelofsecurity,sowe’vedesignedApplicationInspectortointegrate

2. Application Inspector — PRODUCT BRIEF
Achieve a High-Level of Assurance
Most legacy source code analysis products use either Dynamic Application
Security Testing (DAST) - which assesses the security of applications while they
are running – or Static Application Security Testing (SAST) – which, by contrast,
looks at application source code. More recently, Interactive Application Security
Testing (IAST) has appeared, as some vendors attempt to combine DAST and
of DAST, SAST and IAST at appropriate stages of analysis – delivering the
abstract interpretation, Application Inspector provides code and API coverage
and faultsafe assessment similar to SAST tools. Its built-in multi-language tracing
engine provides IAST-type analysis for complex cases and the unique exploit
generator yields results that are easy to understand.
About Positive Technologies.
Positive Technologies is at the cutting edge of IT Security. We are one of the top ten worldwide vendors of Vulnerability Assessment systems
detecting and managing vulnerabilities in IT systems. Positive Technologies puts research at the heart of our operations, to ensure our products
Unify Security Under A Single Solution
Security is only as good as the weakest
link; that’s why Application Inspector
allows you to secure a broad range of
applications including:
•Network and Web Applications —
languages such as .NET, Java and PHP
•Mobile Applications — Android and
Windows Phone 8
•ERP Systems —l anguages such as ABAP/
Java/ PL/SQL for SAP and Oracle EBS
Additional Features
•Advanced pattern detection analysis
discovers recurring vulnerabilities/
backdoors with similar business logic
and syntax
•Detects well-disguised vulnerabilities
by monitoring for their symptoms
•Works with many technologies
including: Java (Java SE, Java for
Android, JavaEE, Java Frameworks),
.NET (MSIL), SQL (SQL 92, PL/SQL,
T-SQL), PHP, Web Technologies (HTML
5, JavaScript, VBScript, JSON/XML-RPC),
XML (Generic, XSLT, Xpath, Xquery) and
•Detects a wide variety of attacks and
vulnerabilities including: SQL injection,
Cross site scripting, Object injection,
HTTP response splitting, XPath
injection, LDAP injection, Expression
Language Injections
•Can be installed on a single machine or
network server. Also available as a SaaS
solution
•Integrates seamlessly with Positive
Technologies MaxPatrol and
Application Firewall products
Application Inspector in action
L
Vul
A
=
anguage Database
nerabilities Database
pplication Source Code Static Analyser Dynamic Slice
Dynamic Analyser
Exploit Generator Reports
Positive Research
Vulnerabilities
Vulnerabilities
Highlight Code
www.
Exploits
EMEA@ptsecurity.com / www.ptsecurity.com / www.maxpatrol.com