Changelog

Roadmap September-October-November 2022

The roadmap for the next 3 months has 3 focuses:

  • 🎉 Improve integrations, adding support for ServiceNow, Jira Broker, Azure DevOps CI/CD and CircleCI CI/CD
  • 🔒 Add IP whitelisting, action auditing and SAML-managed access control
  • 🚀 Improve Dynamic Analysis with collection of function calls in the Analysis Environment, captured in a flame graph.

June-July-August 2022

  • 🚀 Release of Attack Surface asset discovery, a graph-based approach with improved coverage for better asset detection.
  • ⚡ Ability to configure assets with owners, color, notes, tags, location, and risk rating to ease adding context and influence vulnerability risk rating.
  • 📘 Collection of asset history with information like DNS, open services and ports, tech stacks, whois. This offers the ability to track changes and monitor evolution over time.
  • 🔬 Out-of-the-box scan instrumentation with opentelemetry and improved debugging of Ostorlab's open-source engine.
  • 💻 Open-sourcing of several new detectors for domain hijacking, recon, fingerprinting ...
  • Ability to search applications on the store by country.
  • 🎌 Certificate-based authentication for Mobile Scans and script-based authentication for web scans.
  • 🐒 New analysis environment for web applications with intercepted traffic and visualization of crawl coverage (this one looks awesome).
  • 📝 Improved plans management for large organizations with the ability to transfer subscriptions and resize them on the fly.
  • 🎩 Improved Jira integrations with configuration test, risk rating selection, and improved information synchronization.

March-April-May 2022

  • 💎 New Attack Surface Discovery to discover known and unknown owned assets and schedule continuous monitoring
  • 🔒 Add support for using Chrome Recorder script for Authentication
  • 🎉 Add support for CRON based monitoring with defined schedules
  • 🔨 Github Actions integrations
  • 🎉 Open-sourcing of over 20 security testing agents (Zap, Whatweb, Whois IP, Whois Domain, Wappalyzer, Virus Total, Tsunami, Tracker, Subfinder, Openvas, Nuclei, Nmap ...)
  • 🚀 Performance and resilience improvement to Ostorlab Agent Builder

November-December 2021 / January-February 2022

  • 👾 Improve detection of Flutter and React-Native vulnerabilities
  • 👾 Add detection of several new classes of vulnerabilities, including Log4J
  • 🎉 Open-Sourcing of Ostorlab scanning engine adding support for local runtime and Windows-based environment
  • Adding the Ostorlab Agent store to easily access and publish scan agents
  • 🚀 New agent-group definition to define composable scan agents
  • 🚀 New agent-group UI builder and YAML definition file generation
  • 🚀 Automated agent builder from repo that automatically detects and builds new releases
  • 🏫 New learning center exposing documentation, videos, scan sample and vulnerability knowledge base
  • 🎉 Open-Sourcing Ostorlab knowledge base
  • 🎉 Open-Sourcing agents for popular tools Nmap, Tsunami, Nuclei and Virustotal
  • 🎉 Open-Sourcing agents for improved vulnerability tracking (Tracker, Persist Vulnz, Inject Asset and Debug)
  • 🔐 Improve account security with OTP (One-Time-Password) support
  • 🔨 Add integrations portal to configure newly supported integrations
  • 🔨 Add Jira, Gitlab and Jenkins for CI/CD and ticketing integration
  • 🔐 Add SAML-based authentication for SSO enterprise access

September-October 2021

  • Release of the Remediation API with better vulnerability lifecycle management, allowing detection of fixed vulnerabilities and re-opens, and maintaining the status of exceptions and false positives
  • New dashboard offering a glass box view into security posture and urgent tasks
  • Management of patching and priority policies with SLO and tools to track and measure fix performance
  • 3rd Party integrations with Jira
  • Add ticket timeline with dynamic setting of start and end time
  • Add grouping of tickets by status, priority and tag
  • Add Ticket bulk edit mode

August 2021

Focus on improving the Monkey Tester's coverage by adding support for more strategies and advanced test case generation. Work also included better handling of application packaging and management of our fleet of mobile devices.

  • 🤖 An overall improved Monkey Tester with significantly improved code coverage
  • 💐 UI Call coverage visualisation to understand what has been done

July 2021

Focus on improving Web Scanner detection by adding several features, like backend fingerprinting, adding more vulnerability detections, and improving the backend vulnerability representation model. Work also included improving the Monkey Tester to support more advanced testing strategies. Key updates:

  • 🤖 Adding support for multiple strategies to Monkey Tester
  • 🪲 Multiple bug fixes and improvements to Backend Scanner, XSS Scanner, Fingerprint detections
  • 🤖 Scale search indexing infrastructure to handle the increase in covered assets

June 2021

  • 🤖 Support of new backend vulnerabilities, like SQL injection via JDBC escape sequences, Jinja template injection, Python object serialisation ...
  • 🤖 Support of new backend vulnerabilities, like XXE, XSLT injection, Fastjson serialisation, PHP RCE ...
  • 🪲 Tweaks to the JDWP Android monitor for coverage and performance.
  • 🚀 Parallelization and backend vulnerability model generation to improve false positive confidence to six nines (99.9999%).

May 2021

  • 🪲 API traffic improvement and bug fixes
  • 🔍 Multiple performance improvements and enhanced results for the new search feature
  • 🤖 New dynamic instrumentation engine for iOS based on LLDB
  • 🤖 Improve iOS instrumentation to capture SQL, Crypto, Keychain, Zip, Wifi, Webkit, Biometric, Filesystem, HTTP and Preferences dangerous APIs
  • 🤖 Enable backtracing of dangerous APIs to track their usage
  • 🤖 Support of credential authentication in Web Scan
  • 🤖 Improved web crawling to support mutated HTML

April 2021

  • 🔍 New rules to detect insecure JavaScript patterns and new insecure secret usage.
  • 💐 Add search, tagging and call trace of external functions, like JNI.
  • 🔍 New scan search capability to search across all analysis asset types.
  • 💐 API traffic IDE capability.
  • 🤖 API to persist taint graph from scan.

March 2021

  • 🪲 Fixes to the Analysis Environment indexing to enable code and file search
  • 📢 Deprecate Free+Analysis scan type in a revamp of the analysis environment
  • 🚀 Asset inventory model rewrite addressing performance issues, leading to a 600% performance improvement when loading scans.
  • 🤖 Support for persisting taint graph for use by the Analysis Environment and future VulnAPI
  • 💐 Support for tagging of native functions in the IDE
  • 🔍 Add multiple new sink methods
  • 🪲 Remove false positive in detection of RSA/ECB weak encryption
  • 🪲 Bug fixes to taint analysis that led to missed detections
  • 🤖 Detection of valid Sendgrid API keys
  • 🤖 Enhanced detection of dangerous Webview settings and deprecation of non-vulnerable APIs
  • 🤖 Detection of insecure Zip handling leading to path traversal and arbitrary file overwrite
  • 🪲 Fix Twitter API detection

February 2021

  • 📢 Alpha Release of the Web Scanner
  • 🚀 Release of Chrome-powered Crawling
  • 🤖 Release of Black-box Tree Fuzzer
  • 🚀 Release of XSS Detector powered by full-context coverage polyglot payloads
  • 🤖 Proxy agent persists and collects HTTP requests
  • 💐 Analysis environment HTTP request and response navigator
  • 🔮 Real-time indexing of the Knowledge Base and Analysis Environment for enhanced and fast search
  • 🪲 Automated Purge of old community scans
  • 🔍 Detection of Dependency Confusion

January 2021

  • 🤖 Switch API encoding from JSON to UBJSON to add support for binary format
  • 💐 Analysis Env JavaScript formatting
  • 💐 Analysis Env detection of new file formats
  • 💐 Analysis Env call trace node coloring to match function and method tagging
  • 🪲 Multiple bug fixes and performance optimization of the Analysis Env
  • 📢 Support for sharing report access using a shareable link
  • 📢 Add edit mode to vulnerabilities to change risk rating or mark as a false positive
  • 🚀 Detection of new secret keys and dangerous functions

November, December 2020

  • 📢 Release of Android and iOS application analysis environment
  • 🚀 Analysis Env support for APK and IPA file listing with content access
  • 🚀 Analysis Env support for code highlighting for HTML, JavaScript, XML, Java, C++
  • 🚀 Analysis Env support for Binary plist extraction
  • 🚀 Analysis Env support for Mach-O and ELF file disassembly and decompilation for ARM and ARM64
  • 🚀 Analysis Env support for Mach-O and ELF string listing
  • 🚀 Analysis Env support for DEX classes listing
  • 🚀 Analysis Env support for DEX smali listing and java decompilation
  • 🚀 Analysis Env support for Android resource extraction
  • 🚀 Analysis Env support for Android manifest extraction
  • 🚀 Analysis Env support for DEX, Mach-O, and ELF function call trace with full refs and xrefs generation
  • 🚀 Analysis Env support for Dangerous functions tagging to identify security hotspots.
  • 🚀 Analysis Env support for Contextual call trace generation.

October 2020

  • 📢 Release of continuous application monitoring from the store
  • 🔍 Detection of weak Bluetooth connection
  • 🔍 Detection of dynamic broadcast receiver with no permissions
  • 📢 New Jenkins Plugin to integrate CI/CD pipelines with Ostorlab (https://github.com/jenkinsci/ostorlab-plugin)
  • 💐 Email and UI notification to inform of key events (scan completion, password change ...)
  • 💐 Expose API key generation and management from the UI

September 2020

  • 📢 Release of Ostorlab lighthouse continuously scanning public applications
  • 📢 Release of Ostorlab VulnDB UI to access internal known vulnz database
  • 💐 Vulnerability tagged as affecting security and privacy, security only or privacy only
  • 🔍 Detection of several privacy settings in Android manifest
  • 🔍 Detection of Facebook SDK debug mode
  • 🔍 Detection of GPS location tracking impacting privacy
  • 🪲 Fix insufficient sink default taint and missing propagation for Array and Const

August 2020

  • 📢 Store search and scan feature
  • 📢 Deep 3rd party dependencies fingerprinting
  • 💐 Markdown vulnerability text and description support

July 2020

  • 📢 Extend 3rd party dependencies rules
  • 🚀 Creation of database of unreported vulnerabilities

June 2020

  • 💐 Report libraries and 3rd party dependencies
  • 🔍 Fingerprinting of native Android libs, iOS Frameworks, Cordova plugins, JavaScript libraries, Xamarin libs and OpenSSL
  • 🚀 Vetted and enhanced vulnerability database with all the known vulnerabilities affecting libraries and 3rd party dependencies
  • 🚀 Indexing support for Maven Jar and AAR, Cocoapod podspecs and NPM packages
  • 🔍 Detect calls to dangerous Bluetooth API

May 2020

  • 📢 Exposure of CVSSv3 score
  • 🤖 Alpha support for UI Automation rules
  • 🎁 Add Xamarin decompiled source code to the list of artifacts
  • 🔍 Detection of secrets (SSH private keys, service accounts, Slack tokens, etc.)
  • 🔍 Detect use of deprecated TLS protocols (SSLv2, SSLv3, TLSv1.0, TLSv1.1)

April 2020

  • 📊 Add generation of executive summary PDF report
  • 📢 New Secure risk rating to denote secure implementation
  • 📢 New Hardening risk rating to differentiate between actual vulnerability and missing hardening mechanism
  • 📢 Add support for archiving scans
  • 📢 Add support for exporting scans
  • 🔍 Add detection of new sinks and sources leading to insecure file write, insecure TLS and command execution
  • 🚀 Enhance performance of taint analysis and increase coverage
  • 💐 Enhanced representation of taint information
  • 💐 Enhanced representation of stack traces collected in dynamic analysis
  • ⚠ Fix inconsistency in risk rating
  • 🪲 Fix false positive in iOS detection for missing ARC and Stack Guard protections

March 2020

  • Support for streaming API to create and stop scans
  • Subscription support
  • New KB entry for Webview LoadURL injection
  • Bug fixes to JDWP Hooking engine
  • Dashboard update showing scan plan
  • Support for stopping and archiving scans

February 2020

  • API for scheduling rules
  • Migration to Kubernetes
  • Initial support for streaming API to create scans

January 2020

  • API to manage Inventory (mobile apps, URLs, domains, ...)
  • UI to list, create and update Inventory and Assets
  • CI/CD pipeline integration
  • Deprecate old UIs

December 2019

  • Release of the alpha version of the new reporting front end
  • API naming fixes
  • Fix submission of the test credentials
  • New Google Play client to support scanning from the Play Store directly
  • Several new APIs move to GraphQL (Account and Password Management, Artifacts)
  • Worker to handle long-running jobs (PDF generation and Scan Export)

November 2019

  • Progress on the new reporting front end
  • Bug fixes in public website
  • Simplified pagination support in all APIs
  • Experimental API to create Web Scans

October 2019

  • Release of an open source Android application to benchmark vulnerability scanners
  • Extensions to the GraphQL API adding support for pagination, vulnerability search and switch from passing applications in Base64 to multi-part support
  • Progress on the new reporting front end

September 2019

August 2019

  • Major migration of all existing infra and data to the new backends.

June 2019

  • Infra refactoring into a micro-service architecture.
  • Separation of user portal and public website to prepare moving to serverless.
  • Separation of backend and add an orchestration backend to prepare moving from Swarm to k8s.

May 2019

  • Refactoring of API adding support for GraphQL.
  • Migration of website, user portal and orchestrator to GraphQL.

April 2019

  • Extending vulnerability test bed.
  • Add support for template injection of 4 new Java template engines.
  • Add support for detection of Ruby code injection.
  • Add support for detection of Node.js code injection.

March 2019

  • Multiple bug fixes and performance enhancements.
  • Fix false positive detection of Template Injection.
  • Add support for detection of Python code injection.
  • Add support for detection of pickle deserialization injection.

February 2019

  • Multiple bug fixes and performance enhancements.
  • Enhance detection of XSS adding support for multiple callbacks vectors.

January 2019

  • New alpha system to detect vulnerabilities in backends from previously collected ones.
  • Creation of a new vulnerability test bed.

December 2018

  • Add support for detection of stored XSS.
  • Complete rework of the scan authentication module. It works well and sends fewer requests.
  • Brand new subscription menu.
  • Bug cleaning season.

November 2018

  • Add support for multi-step submitting of Forms.
  • Enhancement to automatic detection of CSRF fields and auto-update of CSRF tokens.
  • Alpha version of Fingerprinting agents.

October 2018

  • Major enhancement of XSS context coverage, long live polyglot payloads.

September 2018

  • Enhance CSRF handling for web scanning.
  • Add scan export and import feature for on-premise scanning support.
  • Implementation of ADB Proxy agent for on-premise scanning support.
  • Add collection of screenshots and logcat traffic during dynamic analysis.
  • New security rules for Android Network Security Configuration.
  • Fix false positives in Cryptography rules using static taint.
  • Rework of all rules formatting.
  • Fix PDF generation and add support for code highlighting.
  • Add support for crawling of known paths.
  • Add Artifact panel to store extracted source code, screenshots and traffic logs.
  • Add Xamarin source code decompilation.
  • Fix duplicate request testing by backend and XSS scanner.
  • Initial work on CSRF token detection and generation for POST request fuzzing.
  • Add support for inserting payloads in sub-paths.

August 2018

  • Extensive bug-fix month across all core components.
  • Enhance testability of the scanning engine.
  • Enhance reporting features.

July 2018

  • Enhanced detection of template injection vulnerabilities.
  • New scanner for detecting XSS vulnerabilities.
  • Enhanced support for nested serialization formats.
  • Major rework of the scan scheduling engine for increased scalability.

June 2018

  • New backend scanning engine with beta support for SQL injection and XXE
  • Adding beta support for crawling of HTML content.

May 2018

  • Bumping free scanner coverage limit from 100 to 300.
  • New detector for encrypted IPA.
  • Fix false positive in dynamic rules detecting weak encryption.

April 2018

  • Porting LLDB for iOS to work on Linux.
  • New backend scan engine.
  • New experimental crawler.

February 2018

  • Adding Support for authenticated scan.
  • Final version of Java hook engine with stack trace support and full context inspection.
  • Major enhancement to the taint engine reducing false positives.
  • Multiple bug fixes affecting PDF generation and false positive declaration.
  • Adding feature to report false positives and remove them from the final report.
  • Multiple new dynamic rules to trace sensitive function calls.
  • New agent to detect sensitive material files, like private encryption keys.

January 2018

  • Surface static taint analysis coverage in the scan report.

December 2017

  • Unsafe Transport App Security settings in iOS apps are reported as vulnerabilities.
  • Performance enhancement for the support of large multidex files.
  • Bug fix in method xref for multidex files.
  • Enhance vulnerability de-duplication.
  • Multiple bug fixes for iOS scan rules.

November 2017

  • Advanced option to detect weak file permissions for both Android and iOS. (OWASP Mobile Top 10 - M2)
  • Advanced option to detect Personal Identifiable Information (PII) leakage for both Android and iOS. (OWASP Mobile Top 10 - M2)
  • Advanced option to detect clear-text traffic for both Android and iOS. (OWASP Mobile Top 10 - M3)
  • Advanced option to detect insecure TLS/SSL validation for both Android and iOS. (OWASP Mobile Top 10 - M3)
  • Advanced option to detect iOS calls to weak cryptographic APIs. (OWASP Mobile Top 10 - M5)
  • Advanced option to download the PDF report.

September 2017

  • Stabilizing unlimited scan feature with bug fixes.
  • Correction of false positives in Insecure Encryption Mode.
  • Correction of false positives in ASLR detection for iOS Apps.
  • Move to a clustered architecture to support increased scan load.
  • Final version to support dedicated unlimited scans.

August 2017

  • New feature to support dedicated scans.
  • Tweaks and updates to the user interface to support fast uploading.

July 2017

  • New backend system to support the increased load.
  • Major code refactoring of all agents to support the new backend system.
  • Multiple bug fixes.

June 2017

  • New static taint engine for Android Bytecode.
  • Multiple bug fixes and performance tweaks.