Changelog

Roadmap September-October-November 2022

Dynamic Analysis Setup: The

Roadmap September-October-November 2022

The roadamp for the next 3 months has 3 focuses

Improve integrations adding support for the ServiceNow, Jira Broker, Azure DevOps CI/CD and CircleCI CI/CD
Add IP Whitelisting, Action Auditing and SAML-managed access control
Improve Dynamic Analysis with collection of call functions in the Analysis Environment and capture it in a flamgraph.

June-July-August 2022

Release of Attack Surface asset discovery, a graph-based approach with improved coverage for better asset detection.
Ability to configure assets with owners, color, notes, tags, location, and risk rating to ease adding context and influence vulnerability risk rating.
Collection of asset history with information like DNS, open services and ports, tech stacks, whois. This offers the ability to track changes and monitor evolution over time.
Out-of-the-box scan instrumentation with opentelemetry and improved debugging of Ostorlab's open-source engine.
Open-sourcing of several new detectors for domain hijacking, recon, fingerprinting ...
:Ability to search applications on the store by country.
Certificate-based authentication for Mobile Scans and script-based authentication for web scans.
New analysis environment for web applications with intercepted traffic and visualization of crawl coverage (this one looks awesome).
Improved plans management for large organizations with the ability to transfer subscriptions and resize them on the fly.
Improved Jira integrations with configuration test, risk rating selection, and improved information synchronization.

March-April-May 2022

New Attack Surface Discovery to discover known and unknown owned assets and schedule continuous monitoring
Add support for using Chrome Recorder script for Authentication
Add support for CRON based monitoring with defined schedules
Github Actions integrations
Open-sourcing of over 20 security testing agents (Zap, Whatweb, Whois IP, Whois Domain, Wappalyzer, Virus Total, Tsunami, Tracker, Subfinder, Openvas, Nuclei, Nmap ...)
Performance and resilience improvement to Ostorlab Agent Builder

November-December 2021 / January-February 2022

Improve detection of Flutter and React-Native vulnerabilities
Add detection of several new classes of vulnerabilities, including Log4J
Open-Sourcing of Ostorlab scanning engine adding support for local runtime and Windows-based environment
Adding Ostorlab Agent store to easily access and publish scan agent
New agent-group definition to define composable scan agent
New agent-group UI builder and YAML definition file generation
Automated agent builder from repo that automatically detects and builds new releases
New learning center exposing documentation, videos, scan sample and vulnerability knowledge base
Open-Sourcing Ostorlab knowledge base
Open-Sourcing agents for popular tools Nmap, Tsunami, Nuclei and Virustotal
Open-Sourcing agents for improved vulnerability tracking (Tracker, Persist Vulnz, Inject Asset and Debug)
Improve account security with OTP (One-Time-Password) support
Add integrations portal to configure newly support integrations
Add Jira, Gitlab and Jenkins for CI/CD and ticketing integration
Add SAML-based authentication for SSO enterprise access

September-October 2021

Release of the Remediation API with better vulnerability lifecycle management, allowing detection of fixed vulnerabilities, re-opens and maintain status of exception and false positives
New dashboard offering a glass box view into security posture and urgent tasks
Management of patching and priority policies with SLO and tools to track and measure fix performance
3rd Party integrations with Jira
Add Ticket timeline to with dynamic setting of start and end time
Add grouping of ticket by status, priority and tag
Add Ticket bulk edit mode

August 2021

Focus on improving the Monkey Tester to improve coverage adding support for more strategies and advanced test case generation. Work also included better handling of Application packaging and management of our fleet of mobile devices.

An all improved Monkey Tester with highly improved code coverage
UI Call coverage visualisation to understand what has been done

July 2021

Focus on improving Web Scanner detection, adding several features, like Backend fingerprinting, adding more vulnerabilities and improving Backend Vulnerability representation model. Work also included improving Monkey Tester to support more advanced testing strategies. Key updates:

Adding support for multiple strategies to Monkey Tester
Multiple bug fixes and improvements to Backend Scanner, XSS Scanner, Fingerprint detections
Scale search indexing infrastructure to handle the increase in covered assets

June 2021

Support of new backend vulnerabilities, like SQL with JDBC escape sequence, Jinja template injection, Python Object serialisation ...
Support of new backend vulnerabilities, like XXE, XSLT injection, Fastjson serialisation, PHP RCE ...
Tweaks to the JDWP Android monitor for coverage and performance.
Parallelization and backend vulnerability model generation to improve false positive confidence to 6*9 (99.9999%).

Mai 2021

API traffic improvement and bug fixes
Multiple performance and enhanced result for the new search feature
New dynamic instrumentation engine for iOS based on LLDB
Improve iOS instrumentation to capture SQL, Crypto, Keychain, Zip, Wifi, Webkit, Biometric, Filesystem, HTTP, Preferences dangerous API
Enable backtracing of dangerous API to track their usage
Support of credential authentication in Web Scan
Improved Web Crawling to support mutated html

April 2021

New rules to detect insecure javascript patterns and new insecure secret usage.
Add search, tagging and call trace of extern functions, like JNI.
New scan search capability to search across all analysis asset types.
API traffic IDE capability.
API to persist taint graph from scan.

March 2021

Fixes to the Analysis Environment indexing to enable code and file search
Deprecate Free+Analysis scan type in a revamp of the analysis environment
Asset inventory model rewrite leading address a performance issues leading to 600% performance improvement of loading scans.
Support for persisting taint graph for use by the Analysis Environment and future VulnAPI
Support for tagging of native function in IDE
Add multiple new sinks methods
Remove false positive in detection of RSA/ECB weak encryption
Bug fixes to taint analysis leading missing detections
Detection of valid Sendgrid API keys
Enhanced detection of dangerous Webview settings and deprecation of non-vulnerable APIs
Detection of insecure Zip leading to path traversal arbitrary file overwrite
Fix Twitter API detection

February 2021

Alpha Release of the Web Scanner
Release of Chrome-powered Crawling
Release of Black-box Tree Fuzzer
Release of XSS Detector powered by full-context coverage polyglot payloads
Proxy agent persists and collects HTTP requests
Analysis environment HTTP request and response navigator
Real Time indexing of knowledge Base and Analysis environment for enhanced and fast search
Automated Purge of old community scans
Detection of Dependency Confusion

January 2021

Switch API encoding from JSON to UBJSON to add support for binary format
Analysis Env javascript formatting
Analysis Env detection of new file formats
Analysis Env call trace node coloring to match function and method tagging
Multiple bug fixes and performance optimization of the Analysis Env
Support for sharing report access using a shareable link
Add edit mode to vulnerabilities to change risk rating or mark as a false positive
Detection of new secrets keys and dangerous functions

November, December 2020

Release of Android and iOS application analysis environment
Analysis Env support for APK and IPA file listing with content access
Analysis Env support for Code highlighting for HTML, Javascript, XML, Java, C++
Analysis Env support for Binary plist extraction
Analysis Env support for Macho and ELF file disassembly and decompilation for ARM and ARM64
Analysis Env support for Macho and ELF string listing
Analysis Env support for DEX classes listing
Analysis Env support for DEX smali listing and java decompilation
Analysis Env support for Android resource extraction
Analysis Env support for Android manifest extraction
Analysis Env support for DEX, Macho, and ELF function call trace with full refs and xrefs generation
Analysis Env support for Dangerous functions tagging to identify security hotspots.
Analysis Env support for Contextual call trace generation.

October 2020

Release of continuous application monitoring from the store
Detection of weak Bluetooth connection
Detection of dynamic broadcast receiver with no permissions
New Jenkins Plugin to integrate CI/CD pipelines with Ostorlab (https://github.com/jenkinsci/ostorlab-plugin)
Email and UI notification to inform of key events (scan completion, password change ...)
Expose API key generation and management from the UI

September 2020

Release of Ostorlab lighthouse continuously scanning public applications
Release of Ostorlab VulnDB UI to access internal known vulnz database
Vulnerability tagged as affecting security and privacy, security only or privacy only
Detection of several privacy settings in Android manifest
Detection of facebook SDK debug mode
Detection of GPS location tracking impacting privacy
Fix insufficient sink default taint and missing propagation for Array and Const

August 2020

Store search and scan feature
Deep 3rd party dependencies fingerprinting
Markdown vulnerability text and description support

July 2020

Extend 3rd party dependencies rules
Creation of database of unreported vulnerabilities

June 2020

Report libraries and 3rd party dependencies
Fingerprinting of Native Android libs, iOS Frameworks, Cordova plugins, Javascript libraries, Xamarin libs and OpenSSL
Vetted and enhanced vulnerability database with all the known vulnerabilities affecting libraries and 3rd party dependencies
Indexing support for Maven Jar and AAR, Cocoapod podspecs and NPM packages
Detect calls to dangerous Bluetooth API

May 2020

Exposure of CVSSv3 score
Alpha support for UI Automation rules
Add Xamarin decompiled source code to the list of artifacts
Detect of secrets (SSH Private Keys, Service Account, Slack Token, etc.)
Detect use of deprecated TLS protocols (SSLv2, SSLv3, TLSv1.0, TLSv1.1)

April 2020

Add generation of executive summary PDF report
New Secure risk rating to denote secure implementation
New Hardening risk rating to differentiate between actual vulnerability and missing hardening mechanism
Add support for archiving scans
Add support for exporting scans
Add detection of new sinks and sources leading to insecure file write, insecure TLS and command execution
Enhance performance of taint analysis and increase coverage
Enhanced representation of taint information
Enhanced representation of stack traces collected in dynamic analysis
Fix inconsistency in risk rating
Fix false positive in iOS detection for missing ARC and Stack Guard protections

March 2020

Support for streaming API to create and stops scans
Subscription support
New KB entry for Webview LoadURL injection
Bug fixes to JDWP Hooking engine
Dashboard update showing scan plan
Support for stopping and archiving scans

February 2020

API for scheduling rules
Migration to Kubernetes
Initial support for streaming API to create scans

January 2020

API to manage Inventory (mobile apps, urls, domains, ...)
UI to list, create and update Inventory and Assets
CI/CD pipeline integration
Deprecate old UIs

December 2019

Release of the alpha version of the new reporting front end
API naming fixes
Fix submission of the test credentials
New Google Play client to support scanning from the Play Store directly
Several New APIs move to GraphQL (Account and Password Management, Artifcats)
Worker to handle long-running jobs (PDF generation and Scan Export)

November 2019

Progress on the new reporting front end
Bug fixes in public website
Simplified pagination support in all APIs
Experimental API to create Web Scans

October 2019

Release of an open source Android application to benchmark vulnerability scanners
Extensions to the GraphQL API adding support for pagination, vulnerability search and switch from passing applications in Base64 to multi-part support
Progress on the new reporting front end

September 2019

Release of a new documentation website docs.ostorlab.co
Release of a new website www.ostorlab.co using material design

August 2019

Major migration of all existing infra and data to the new backends.

June 2019

Infra refactoring into a micro-service architecture.
Separation of user portal and public website to prepare moving to serverless.
Separation of backend and add an orchestration backend to prepare moving from Swarm to k8s.

Mai 2019

Refactoring of API adding support for GraphQL.
Migration of website, user portal and orchestrator to GraphQL.

April 2019

Extending vulnerability test bed.
Add support for template injection of 4 new Java template engines.
Add support detection of Ruby code injection.
Add support detection of Node.js code injection.

March 2019

Multiple bug fixes and performance enhancements.
Fix false positive detection of Template Injection.
Add support detection of python code injection.
Add support detection of pickle deserialization injection.

February 2019

Multiple bug fixes and performance enhancements.
Enhance detection of XSS adding support for multiple callbacks vectors.

January 2019

New alpha system to detect vulnerabilities in backends from previously collected ones.
Creation of a new vulnerability test bed.

December 2018

Add support for detection of stored XSS.
Complete rework of the scan authentication module. It works well and sends fewer requests.
Brand new subscription menu.
Bug cleaning season.

November 2018

Add support for multi-step submitting of Forms.
Enhancement to automatic detection of CSRF fields and auto-update of CSRF tokens.
Alpha version of Fingerprinting agents.

October 2018

Major enhancement coverage of XSS contexts, long live Polyglot payloads.

September 2018

Enhance CSRF handling for web scanning.
Add scan export and import feature for on-premise scanning support.
Implementation of ADB Proxy agent for on-premise scanning support.
Add collection of screenshots and logcat traffic during dynamic analysis.
New security rules for Android Network Security Configuration.
Fix false positives in Cryptography rules using static taint.
Rework of all rules formatting.
Fix PDF generation and add support for code highlighting.
Add support for kown pathes crawling
Add Artifact panel to store extracted source code, screenshots and traffic logs.
Add Xamarin source code decompilation.
Fix duplicate request testing by backend and XSS scanner.
Initial work on CSRF token detection and generation for POST request fuzzing.
Add support for inserting payloads in sub-pathes.

August 2018

Extensive bug fixes month of all core components.
Enhance testability of the scanning engine.
Enhance reporting features.

July 2018

Enhanced detection of template injection vulnerabilities.
New scanner for detecting XSS vulnerabilities.
Ehanced supported for nested serialization formats.
Major rework for scan scheduling engine for increased scalability.

June 2018

New backend scanning engine with beta support for SQL injection and XXE
Adding beta support for crawling of HTML content.

May 2018

Bumping free scanner coverage limit from 100 to 300.
New detector for encrypted IPA.
Fix false positive in dynamic rules detecting weak encryption.

April 2018

Porting LLDB for iOS to work on Linux.
New backend scan engine.
New experimental crawler.

February 2018

Adding Support for authenticated scan.
Final version of Java hook engine with stack trace support and full context inspection.
Major enhancement to the taint engine reducing false positives.
Multiple bug fixes affecting PDF generation and false positive declaration.
Adding feature to report false positives and remove them from the final report.
Multiple new dynamic rules to trace sensitive function call.
New agent to detect sensitive material files, like private encryption keys.

January 2018

Surface static taint analysis coverage in the scan report.

December 2017

Unsafe Transport App Security settings in iOS apps are reported as vulnerabilities.
Performance enhancement for the support of large multidex files.
Bug fix in method xref for multidex files.
Enhance vulnerability de-duplication.
Multiple bug fixes for iOS scan rules.

November 2017

Advanced option to detect weak files permission for both Android and iOS. (OWASP Mobile Top 10 - M2)
Advanced option to detect Personal Identifiable Information (PII) leakage for both Android and iOS. (OWASP Mobile Top 10 - M2)
Advanced option to detect clear-text traffic for both Android and iOS. (OWASP Mobile Top 10 - M3)
Advanced option to detect insecure TLS/SSL validation for both Android and iOS. (OWASP Mobile Top 10 - M3)
Advanced option to support iOS call to weak Cryptographic API. (OWASP Mobile Top 10 - M5)
Advanced option to support download PDF report.

September 2017

Stabilizing unlimited scan feature with bug fixes.
Correction of false positives in Insecure Encryption Mode.
Correction of false positives in ASLR detection for iOS Apps.
Move to a clustered architecture to support increase scan load.
Final version to support dedicated unlimited scans.

August 2017

New feature to support dedicated scans.
Tweaks and updates to the user interface to support fast uploading.

July 2017

New backend system to support the increased load.
Major code refactoring of all agents to support the new backend system.
Multiple bug fixes.

June 2017

New static taint engine for Android Bytecode.
Multiple bug fixes and performance tweaks.