Roadmap September-October-November 2022
The roadmap for the next 3 months focuses on:
- Improve integrations, adding support for ServiceNow, Jira Broker, Azure DevOps CI/CD and CircleCI CI/CD
- Add IP whitelisting, action auditing and SAML-managed access control
- Improve Dynamic Analysis with collection of function calls in the Analysis Environment, captured in a flame graph.
- Release of Attack Surface asset discovery, a graph-based approach with improved coverage for better asset detection.
- Ability to configure assets with owners, color, notes, tags, location, and risk rating to ease adding context and influence vulnerability risk rating.
- Collection of asset history with information like DNS, open services and ports, tech stacks, whois. This offers the ability to track changes and monitor evolution over time.
- Out-of-the-box scan instrumentation with OpenTelemetry and improved debugging of Ostorlab's open-source engine.
- Open-sourcing of several new detectors for domain hijacking, recon, fingerprinting ...
- Ability to search applications on the store by country.
- Certificate-based authentication for Mobile Scans and script-based authentication for web scans.
- New analysis environment for web applications with intercepted traffic and visualization of crawl coverage (this one looks awesome).
- Improved plans management for large organizations with the ability to transfer subscriptions and resize them on the fly.
- Improved Jira integrations with configuration test, risk rating selection, and improved information synchronization.
- New Attack Surface Discovery to discover known and unknown owned assets and schedule continuous monitoring
- Add support for using Chrome Recorder script for Authentication
- Add support for cron-based monitoring with defined schedules
- GitHub Actions integration
- Open-sourcing of over 20 security testing agents (Zap, Whatweb, Whois IP, Whois Domain, Wappalyzer, Virus Total, Tsunami, Tracker, Subfinder, Openvas, Nuclei, Nmap ...)
- Performance and resilience improvement to Ostorlab Agent Builder
November-December 2021 / January-February 2022
- Improve detection of Flutter and React-Native vulnerabilities
- Add detection of several new classes of vulnerabilities, including Log4j
- Open-sourcing of the Ostorlab scanning engine, adding support for a local runtime and Windows-based environments
- Adding the Ostorlab Agent store to easily access and publish scan agents
- New agent-group definition to define composable scan agents
- New agent-group UI builder and YAML definition file generation
- Automated agent builder from repo that automatically detects and builds new releases
- New learning center exposing documentation, videos, scan samples and the vulnerability knowledge base
- Open-sourcing the Ostorlab knowledge base
- Open-sourcing agents for popular tools: Nmap, Tsunami, Nuclei and VirusTotal
- Open-Sourcing agents for improved vulnerability tracking (Tracker, Persist Vulnz, Inject Asset and Debug)
- Improve account security with OTP (One-Time-Password) support
- Add integrations portal to configure newly supported integrations
- Add Jira, GitLab and Jenkins integrations for ticketing and CI/CD
- Add SAML-based authentication for enterprise SSO access
- Release of the Remediation API with better vulnerability lifecycle management: detection of fixed vulnerabilities, re-opened vulnerabilities, and maintaining the status of exceptions and false positives
- New dashboard offering a glass box view into security posture and urgent tasks
- Management of patching and priority policies with SLO and tools to track and measure fix performance
- 3rd Party integrations with Jira
- Add ticket timeline with dynamic setting of start and end time
- Add grouping of tickets by status, priority and tag
- Add Ticket bulk edit mode
Focus on improving the Monkey Tester's coverage, adding support for more strategies and advanced test case generation. Work also included better handling of application packaging and management of our fleet of mobile devices.
- An overhauled Monkey Tester with significantly improved code coverage
- UI call coverage visualization to understand what has been exercised
Focus on improving Web Scanner detection: adding several features such as backend fingerprinting, covering more vulnerabilities and improving the backend vulnerability representation model. Work also included improving the Monkey Tester to support more advanced testing strategies. Key updates:
- Adding support for multiple strategies to Monkey Tester
- Multiple bug fixes and improvements to Backend Scanner, XSS Scanner, Fingerprint detections
- Scale search indexing infrastructure to handle the increase in covered assets
- Support of new backend vulnerabilities, like SQL injection via JDBC escape sequences, Jinja template injection, Python object deserialization ...
- Support of new backend vulnerabilities, like XXE, XSLT injection, Fastjson deserialization, PHP RCE ...
- Tweaks to the JDWP Android monitor for coverage and performance.
- Parallelization and backend vulnerability model generation to raise false positive confidence to six nines (99.9999%).
- API traffic improvements and bug fixes
- Multiple performance improvements and enhanced results for the new search feature
- New dynamic instrumentation engine for iOS based on LLDB
- Improve iOS instrumentation to capture dangerous API calls in SQL, Crypto, Keychain, Zip, Wi-Fi, WebKit, Biometric, Filesystem, HTTP and Preferences
- Enable backtraces for dangerous API calls to track their usage
- Support of credential authentication in Web Scan
- Improved web crawling to support mutated HTML
- Add search, tagging and call traces of external functions, such as JNI.
- New scan search capability to search across all analysis asset types.
- API traffic IDE capability.
- API to persist taint graph from scan.
- Fixes to the Analysis Environment indexing to enable code and file search
- Deprecate Free+Analysis scan type in a revamp of the analysis environment
- Asset inventory model rewrite addressing performance issues, leading to a 600% performance improvement when loading scans.
- Support for persisting the taint graph for use by the Analysis Environment and the future VulnAPI
- Support for tagging of native functions in the IDE
- Add multiple new sink methods
- Remove false positive in detection of RSA/ECB weak encryption
- Bug fixes to taint analysis that caused missed detections
- Detection of valid SendGrid API keys
- Enhanced detection of dangerous WebView settings and deprecation of non-vulnerable APIs
- Detection of insecure Zip extraction leading to path traversal and arbitrary file overwrite (Zip Slip)
- Fix Twitter API detection
- Alpha Release of the Web Scanner
- Release of Chrome-powered Crawling
- Release of Black-box Tree Fuzzer
- Release of XSS Detector powered by full-context coverage polyglot payloads
- Proxy agent persists and collects HTTP requests
- Analysis environment HTTP request and response navigator
- Real-time indexing of the Knowledge Base and Analysis Environment for enhanced and fast search
- Automated Purge of old community scans
- Detection of Dependency Confusion
- Switch API encoding from JSON to UBJSON to add support for binary format
- Analysis Env detection of new file formats
- Analysis Env call trace node coloring to match function and method tagging
- Multiple bug fixes and performance optimization of the Analysis Env
- Support for sharing report access using a shareable link
- Add edit mode to vulnerabilities to change risk rating or mark as a false positive
- Detection of new secrets keys and dangerous functions
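The Zip Slip check mentioned above (insecure Zip extraction leading to path traversal and arbitrary file overwrite) boils down to one question: does the entry's resolved path stay inside the extraction directory? The following is an added example in Python, not Ostorlab's own detection rule; the archive contents and the destination directory are constructed for illustration.

```python
"""Zip Slip check: flag archive entries that would be written outside the
extraction directory.

Added example, not Ostorlab's detection rule. The sample archive built by
build_sample_archive() is constructed for illustration.
"""
import io
import os
import zipfile
from typing import List


def is_entry_safe(dest_dir: str, entry_name: str) -> bool:
    """Return True if extracting entry_name under dest_dir stays inside dest_dir.

    Joining the name onto the destination, resolving the result and comparing
    it with the destination root catches '../' sequences, absolute names and
    backslash-separated (Windows-style) names alike.
    """
    dest = os.path.realpath(dest_dir)
    candidate = os.path.join(dest, entry_name.replace("\\", "/"))
    target = os.path.realpath(candidate)
    try:
        return os.path.commonpath([dest, target]) == dest
    except ValueError:  # different drives on Windows: definitely outside
        return False


def find_unsafe_entries(zip_bytes: bytes, dest_dir: str) -> List[str]:
    """List the entry names of an in-memory archive that escape dest_dir."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        return [
            info.filename
            for info in zf.infolist()
            if not is_entry_safe(dest_dir, info.filename)
        ]


def build_sample_archive() -> bytes:
    """Constructed archive mixing benign and malicious entry names."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("config/app.json", "{}")
        # '..' that still resolves inside the destination is not a finding.
        zf.writestr("assets/../banner.png", b"\x89PNG")
        # Classic Zip Slip: climbs out of the destination directory.
        zf.writestr("assets/../../../.ssh/authorized_keys", "ssh-ed25519 AAAA attacker")
        # Absolute entry name: os.path.join discards the destination prefix.
        zf.writestr("/etc/cron.d/backdoor", "* * * * * root /tmp/x")
    return buf.getvalue()


if __name__ == "__main__":
    for name in find_unsafe_entries(build_sample_archive(), "/opt/scan/extract"):
        print("UNSAFE entry:", name)
```

The same comparison is what a hardened extractor should perform before opening the output file; checking for the literal substring `..` is not enough, since `assets/../banner.png` is harmless while an absolute name contains no `..` at all.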
November, December 2020
- Release of Android and iOS application analysis environment
- Analysis Env support for APK and IPA file listing with content access
- Analysis Env support for Binary plist extraction
- Analysis Env support for Mach-O and ELF file disassembly and decompilation for ARM and ARM64
- Analysis Env support for Mach-O and ELF string listing
- Analysis Env support for DEX classes listing
- Analysis Env support for DEX smali listing and java decompilation
- Analysis Env support for Android resource extraction
- Analysis Env support for Android manifest extraction
- Analysis Env support for DEX, Mach-O and ELF function call traces with full refs and xrefs generation
- Analysis Env support for Dangerous functions tagging to identify security hotspots.
- Analysis Env support for Contextual call trace generation.
- Release of continuous application monitoring from the store
- Detection of weak Bluetooth connections
- Detection of dynamically registered broadcast receivers with no permission
- New Jenkins Plugin to integrate CI/CD pipelines with Ostorlab (https://github.com/jenkinsci/ostorlab-plugin)
- Email and UI notification to inform of key events (scan completion, password change ...)
- Expose API key generation and management from the UI
- Release of Ostorlab lighthouse continuously scanning public applications
- Release of Ostorlab VulnDB UI to access internal known vulnz database
- Vulnerabilities tagged as affecting security and privacy, security only or privacy only
- Detection of several privacy settings in the Android manifest
- Detection of Facebook SDK debug mode
- Detection of GPS location tracking impacting privacy
- Fix insufficient sink default taint and missing propagation for Array and Const
- Store search and scan feature
- Deep 3rd party dependencies fingerprinting
- Markdown vulnerability text and description support
- Extend 3rd party dependencies rules
- Creation of a database of unreported vulnerabilities
- Report libraries and 3rd party dependencies
- Vetted and enhanced vulnerability database with all the known vulnerabilities affecting libraries and 3rd party dependencies
- Indexing support for Maven JAR and AAR, CocoaPods podspecs and NPM packages
- Detect calls to dangerous Bluetooth API
- Exposure of CVSSv3 score
- Alpha support for UI Automation rules
- Add Xamarin decompiled source code to the list of artifacts
- Detection of secrets (SSH private keys, service accounts, Slack tokens, etc.)
- Detect use of deprecated TLS protocols (SSLv2, SSLv3, TLSv1.0, TLSv1.1)
- Add generation of executive summary PDF report
- Secure risk rating to denote a secure implementation
- Hardening risk rating to differentiate between an actual vulnerability and a missing hardening mechanism
- Add support for archiving scans
- Add support for exporting scans
- Add detection of new sinks and sources leading to insecure file write, insecure TLS and command execution
- Enhance performance of taint analysis and increase coverage
- Enhanced representation of taint information
- Enhanced representation of stack traces collected in dynamic analysis
- Fix inconsistency in risk rating
- Fix false positive in iOS detection for missing ARC and Stack Guard protections
- Support for streaming API to create and stop scans
- Subscription support
- New KB entry for Webview LoadURL injection
- Bug fixes to JDWP Hooking engine
- Dashboard update showing scan plan
- Support for stopping and archiving scans
- API for scheduling rules
- Migration to Kubernetes
- Initial support for streaming API to create scans
- API to manage Inventory (mobile apps, urls, domains, ...)
- UI to list, create and update Inventory and Assets
- CI/CD pipeline integration
- Deprecate old UIs
- Release of the alpha version of the new reporting front end
- API naming fixes
- Fix submission of the test credentials
- New Google Play client to support scanning from the Play Store directly
- Several new APIs moved to GraphQL (Account and Password Management, Artifacts)
- Worker to handle long-running jobs (PDF generation and Scan Export)
- Progress on the new reporting front end
- Bug fixes in public website
- Simplified pagination support in all APIs
- Experimental API to create Web Scans
- Release of an open source Android application to benchmark vulnerability scanners
- Extensions to the GraphQL API adding support for pagination, vulnerability search and switch from passing applications in Base64 to multi-part support
- Progress on the new reporting front end
- Release of a new documentation website docs.ostorlab.co
- Release of a new website www.ostorlab.co using material design
- Major migration of all existing infra and data to the new backends.
- Infra refactoring into a micro-service architecture.
- Separation of user portal and public website to prepare moving to serverless.
- Separation of the backend and addition of an orchestration backend to prepare the move from Swarm to k8s.
- Refactoring of API adding support for GraphQL.
- Migration of website, user portal and orchestrator to GraphQL.
- Extending vulnerability test bed.
- Add support for template injection in 4 new Java template engines.
- Add detection of Ruby code injection.
- Add detection of Node.js code injection.
- Multiple bug fixes and performance enhancements.
- Fix false positive detection of Template Injection.
- Add detection of Python code injection.
- Add detection of pickle deserialization injection.
- Multiple bug fixes and performance enhancements.
- Enhance detection of XSS, adding support for multiple callback vectors.
- New alpha system to detect vulnerabilities in backends from previously collected ones.
- Creation of a new vulnerability test bed.
- Add support for detection of stored XSS.
- Complete rework of the scan authentication module. It works well and sends fewer requests.
- Brand new subscription menu.
- Bug cleaning season.
- Add support for multi-step submitting of Forms.
- Enhancement to automatic detection of CSRF fields and auto-update of CSRF tokens.
- Alpha version of Fingerprinting agents.
- Major enhancement to coverage of XSS contexts; long live polyglot payloads.
- Enhance CSRF handling for web scanning.
- Add scan export and import feature for on-premise scanning support.
- Implementation of ADB Proxy agent for on-premise scanning support.
- Add collection of screenshots and logcat output during dynamic analysis.
- New security rules for Android Network Security Configuration.
- Fix false positives in Cryptography rules using static taint.
- Rework of all rules formatting.
- Fix PDF generation and add support for code highlighting.
- Add support for known-paths crawling
- Add Artifact panel to store extracted source code, screenshots and traffic logs.
- Add Xamarin source code decompilation.
- Fix duplicate request testing by backend and XSS scanner.
- Initial work on CSRF token detection and generation for POST request fuzzing.
- Add support for inserting payloads in sub-paths.
- Extensive bug-fixing month across all core components.
- Enhance testability of the scanning engine.
- Enhance reporting features.
- Enhanced detection of template injection vulnerabilities.
- New scanner for detecting XSS vulnerabilities.
- Enhanced support for nested serialization formats.
- Major rework for scan scheduling engine for increased scalability.
- New backend scanning engine with beta support for SQL injection and XXE
- Adding beta support for crawling of HTML content.
- Bumping free scanner coverage limit from 100 to 300.
- New detector for encrypted IPA.
- Fix false positive in dynamic rules detecting weak encryption.
- Porting LLDB for iOS to work on Linux.
- New backend scan engine.
- New experimental crawler.
- Adding Support for authenticated scan.
- Final version of Java hook engine with stack trace support and full context inspection.
- Major enhancement to the taint engine reducing false positives.
- Multiple bug fixes affecting PDF generation and false positive declaration.
- Adding feature to report false positives and remove them from the final report.
- Multiple new dynamic rules to trace sensitive function calls.
- New agent to detect sensitive material files, like private encryption keys.
- Surface static taint analysis coverage in the scan report.
- Unsafe App Transport Security settings in iOS apps are reported as vulnerabilities.
- Performance enhancement for the support of large multidex files.
- Bug fix in method xref for multidex files.
- Enhance vulnerability de-duplication.
- Multiple bug fixes for iOS scan rules.
- Advanced option to detect weak file permissions for both Android and iOS. (OWASP Mobile Top 10 - M2)
- Advanced option to detect Personally Identifiable Information (PII) leakage for both Android and iOS. (OWASP Mobile Top 10 - M2)
- Advanced option to detect clear-text traffic for both Android and iOS. (OWASP Mobile Top 10 - M3)
- Advanced option to detect insecure TLS/SSL validation for both Android and iOS. (OWASP Mobile Top 10 - M3)
- Advanced option to detect iOS calls to weak cryptographic APIs. (OWASP Mobile Top 10 - M5)
- Advanced option to download the PDF report.
- Stabilizing unlimited scan feature with bug fixes.
- Correction of false positives in Insecure Encryption Mode.
- Correction of false positives in ASLR detection for iOS Apps.
- Move to a clustered architecture to support the increased scan load.
- Final version to support dedicated unlimited scans.
- New feature to support dedicated scans.
- Tweaks and updates to the user interface to support fast uploading.
- New backend system to support the increased load.
- Major code refactoring of all agents to support the new backend system.
- Multiple bug fixes.
- New static taint engine for Android Bytecode.
- Multiple bug fixes and performance tweaks.
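The "security rules for Android Network Security Configuration" item above is the kind of static check that is easy to show end to end: parse the app's `network_security_config.xml` and flag the settings that weaken transport security. The following is an added example in Python and not one of Ostorlab's rules; the sample configuration is constructed for illustration, and the rule names (`cleartext-traffic`, `user-ca-trusted`, `expired-pin-set`) are this example's own.

```python
"""Audit an Android Network Security Configuration for weak settings.

Added example, not an Ostorlab rule. SAMPLE_NSC is constructed for
illustration. Three settings are checked:
  - cleartextTrafficPermitted="true"  : plain HTTP allowed for the scope
  - <certificates src="user"/>        : user-installed CAs trusted, so a
                                        proxy CA added by the user (or an
                                        attacker with device access)
                                        can intercept TLS
  - <pin-set expiration="...">         : pinning silently disabled once
                                        the date has passed
Anything under <debug-overrides> is ignored, because Android applies it
only when the app is built with android:debuggable="true".
"""
from datetime import date
from typing import List, Optional
import xml.etree.ElementTree as ET

SAMPLE_NSC = """<?xml version="1.0" encoding="utf-8"?>
<network-security-config>
    <base-config cleartextTrafficPermitted="true">
        <trust-anchors>
            <certificates src="system"/>
            <certificates src="user"/>
        </trust-anchors>
    </base-config>
    <domain-config cleartextTrafficPermitted="false">
        <domain includeSubdomains="true">api.example.com</domain>
        <pin-set expiration="2023-01-01">
            <pin digest="SHA-256">7HIpactkIAq2Y49orFOOQKurWxmmSFZhBCoQYcRhJ3Y=</pin>
        </pin-set>
    </domain-config>
    <debug-overrides>
        <trust-anchors>
            <certificates src="user"/>
        </trust-anchors>
    </debug-overrides>
</network-security-config>
"""


def _scope(cfg: ET.Element) -> str:
    """Human-readable scope: the listed domains, or 'all domains' for base-config."""
    domains = [d.text.strip() for d in cfg.findall("domain") if d.text]
    return ", ".join(domains) if domains else "all domains"


def audit_network_security_config(xml_text: str, today: Optional[date] = None) -> List[dict]:
    """Return findings in document order, one dict per weak setting."""
    today = today or date.today()
    root = ET.fromstring(xml_text)
    findings: List[dict] = []
    # iter() walks nested domain-config elements too; debug-overrides has a
    # different tag and its children are trust-anchors, so it is skipped.
    for cfg in root.iter():
        if cfg.tag not in ("base-config", "domain-config"):
            continue
        scope = _scope(cfg)
        if cfg.get("cleartextTrafficPermitted", "").lower() == "true":
            findings.append({"rule": "cleartext-traffic", "scope": scope,
                             "detail": "HTTP allowed; traffic can be read or modified in transit"})
        for cert in cfg.findall("./trust-anchors/certificates"):
            if cert.get("src") == "user":
                findings.append({"rule": "user-ca-trusted", "scope": scope,
                                 "detail": "user-installed CAs trusted; a proxy CA defeats TLS"})
        for pin_set in cfg.findall("pin-set"):
            expiration = pin_set.get("expiration")
            if expiration and date.fromisoformat(expiration) < today:
                findings.append({"rule": "expired-pin-set", "scope": scope,
                                 "detail": f"pin-set expired on {expiration}; pinning no longer enforced"})
    return findings


if __name__ == "__main__":
    for finding in audit_network_security_config(SAMPLE_NSC):
        print(f"[{finding['rule']}] {finding['scope']}: {finding['detail']}")
```

Passing `today` explicitly keeps the expired-pin check deterministic in tests; in a scanner you would also cross-check the file against the manifest, since the configuration only takes effect when `android:networkSecurityConfig` references it.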