Like the web itself, security scanners are advancing at a fast pace. Here are the top 5 technologies that leading security professionals are applying to stay ahead of the curve:

5. XSS Analyzer

The “classic” black box approach for detecting XSS relies on sending a bulk of tests based on a “cheat sheet” of around a hundred different payloads. This is a reasonable approach for an automated tool, but it isn’t very sophisticated.

Mimicking a human attacker, XSS Analyzer is a learning system that follows a disciplined step-by-step approach. XSS Analyzer learns the defense patterns of an application, and finds ways to defeat those defenses. This allows XSS Analyzer to find vulnerabilities that could never be found automatically before, with higher accuracy and less time.

 4. JSA

Black box scanners are great for testing server-side logic, but what about client-side? 40% of Fortune 500 websites are vulnerable to DOM-based XSS or other JavaScript security risks, which are notoriously difficult to find with traditional approaches. This is where JavaScript Security Analyzer (JSA) comes into play.

In JSA, the black-box scanner fetches HTML and JavaScript content, and passes them on to be statically analyzed. With DAST and SAST working together as part of the same scan, the result is a powerful hybrid analysis that is able to detect a wide range of security issues in JavaScript.

3. F4F

When applying static analysis to modern applications, which are built with frameworks and XML configurations, it is insufficient to have great data-flow and control-flow analysis. There are framework-specific constructs that require customizations to the analysis, without which many issues go undetected.

This is where Framework for Frameworks (F4F) comes into the picture. With F4F, the analysis can take into consideration framework-specific configuration and invocations, converting those into synthetically-generated code. This results in accurately and automatically finding more issues than ever before. That’s what it’s all about, isn’t it?

2. Glass box

An exciting and emerging technology, glass box is all about giving black box scanners visibility into the internals of a running application, usually through instrumentation (also called IAST by Gartner). Agents running on the server side send information to the black box scanner, which helps the scanner provide dramatically improved results.

We believe glass box is the future of dynamic analysis. Watch this short demo to learn more.

1. String Analysis

Imagine a scanner that is able to track individual string values and patterns across your entire program – now that’s smart! The possibilities are endless, from automatically detecting the parts in your code that perform input validation, to eliminating false positives in cases where exploit is not possible.

It takes some serious technology to be able to do that. Luckily, IBM researchers have been working hard to make this technology a reality. String Analysis is probably the most advanced kind of static analysis in existence today, and being used across AppScan products extensively.


What do you think? Are you excited as we are about these innovations? What other capabilities would you like to see in future versions of security scanners? Leave us a comment!

More from Application Security

Gozi strikes again, targeting banks, cryptocurrency and more

3 min read - In the world of cybercrime, malware plays a prominent role. One such malware, Gozi, emerged in 2006 as Gozi CRM, also known as CRM or Papras. Initially offered as a crime-as-a-service (CaaS) platform called 76Service, Gozi quickly gained notoriety for its advanced capabilities. Over time, Gozi underwent a significant transformation and became associated with other malware strains, such as Ursnif (Snifula) and Vawtrak/Neverquest. Now, in a recent campaign, Gozi has set its sights on banks, financial services and cryptocurrency platforms,…

Vulnerability management, its impact and threat modeling methodologies

7 min read - Vulnerability management is a security practice designed to avoid events that could potentially harm an organization. It is a regular ongoing process that identifies, assesses, and manages vulnerabilities across all the components of an IT ecosystem. Cybersecurity is one of the major priorities many organizations struggle to stay on top of. There is a huge increase in the number of cyberattacks carried out by cybercriminals to steal valuable information from businesses. Hence to encounter these attacks, organizations are now focusing…

X-Force releases detection & response framework for managed file transfer software

5 min read - How AI can help defenders scale detection guidance for enterprise software tools If we look back at mass exploitation events that shook the security industry like Log4j, Atlassian, and Microsoft Exchange when these solutions were actively being exploited by attackers, the exploits may have been associated with a different CVE, but the detection and response guidance being released by the various security vendors had many similarities (e.g., Log4shell vs. Log4j2 vs. MOVEit vs. Spring4Shell vs. Microsoft Exchange vs. ProxyShell vs.…

Unmasking hypnotized AI: The hidden risks of large language models

11 min read - The emergence of Large Language Models (LLMs) is redefining how cybersecurity teams and cybercriminals operate. As security teams leverage the capabilities of generative AI to bring more simplicity and speed into their operations, it's important we recognize that cybercriminals are seeking the same benefits. LLMs are a new type of attack surface poised to make certain types of attacks easier, more cost-effective, and even more persistent. In a bid to explore security risks posed by these innovations, we attempted to…