You are viewing an old version of this page. View the current version.

Compare with Current View Page History

« Previous Version 4 Next »

 

 

New version of Kiuwan, CQM, and Kiuwan Engine 

Main features of this release are:

  1. Kiuwan CQM (v1.2.XX) and Engine

    • Enhanced support for security in VB.NET (78 new security rules)

    • Enhanced support for security in Objective-C (43 new security rules)
    • Further support for NoSQL Injection (added support for Java, PHP, Python and Objective-C)
    • XXXXXXXXXXXXXXXXXXXXX
    • Bug fixing, performance and reliability improvements in rules for Cobol, Abap, RPG, Java, JavaScript, ObjetiveC, JPS, C#, C++ and VB.NET

  2. Kiuwan website
    • New passwords policy

  3. Kiuwan Insights
    • Enhanced readability of Software Licenses Terms
    • Improved analysis performance and components/vulnerabilities detection

 

Kiuwan CQM and Engine

A new version of CQM has been released that incorporate new rules (as detailed below).

CQM is the default Model (i.e. a concrete set of active and pre-configured rules): 

  • If you are using CQM, new rules will automatically become active and will be applied to new analyses.
  • If you are using your own custom model, your model remains unchaged, but you can modify it and activate the new rules (in case you want to be applied to your code).

You can find new rules by comparing this release of CQM against previous version.  A detailed description of the behavior of these new rules is available in rule’s description.

 

 

A new version of Kiuwan Engine has been released that incorporates bug fixes, performance and reliability improvements in rules and parsers.

Kiuwan Engine is the  binary code executed when an analysis is run.

  • If the engine is not blocked in your Kiuwan account, the engine will upgrade to the last version of Kiuwan Engine once a new analysis is run

 

Unless you have blocked Kiuwan Engine, Kiuwan Local Analyzer will automatically upgrade it to the last version of Kiuwan Engine once a new analysis is run.

 

 

In order for these new rules be applicable, your Kiuwan account must be configured to allow automatic engine upgrade:

  • If you are using CQM, these new rules will automatically become active and will be applied to new analyses.
  • If you are using your own custom modelyou can activate them in case you want to be applied to your code.

New VB.NET security rules

  • OPT.VBNET.CodeInjection 
  • OPT.VBNET.CodeInjectionWithDeserialization 
  • OPT.VBNET.CommandInjection 
  • OPT.VBNET.CrossSiteRequestForgery 
  • OPT.VBNET.CrossSiteScripting 
  • OPT.VBNET.DoSRegexp 
  • OPT.VBNET.InsecureRandomness 
  • OPT.VBNET.JSONInjection 
  • OPT.VBNET.LdapInjection 
  • OPT.VBNET.MVCNonActionPublicMethods 
  • OPT.VBNET.MVCPostInControllers 
  • OPT.VBNET.MVCPreventOverpostingModelDefinition 
  • OPT.VBNET.MVCPreventUnderpostingModelComposition 
  • OPT.VBNET.MVCPreventUnderpostingModelDefinition 
  • OPT.VBNET.MVCRemoveVersionHeader 
  • OPT.VBNET.OpenRedirect 
  • OPT.VBNET.PathTraversal 
  • OPT.VBNET.PotentialInfiniteLoop 
  • OPT.VBNET.ResourceLeakDatabase 
  • OPT.VBNET.ResourceLeakLdap 
  • OPT.VBNET.ResourceLeakStream 
  • OPT.VBNET.ResourceLeakUnmanaged 
  • OPT.VBNET.SEC.AccessibilitySubversionRule 
  • OPT.VBNET.SEC.AnonymousLdapBind 
  • OPT.VBNET.SEC.AvoidHostNameChecks 
  • OPT.VBNET.SEC.ConnectionStringParameterPollution 
  • OPT.VBNET.SEC.CookiesInSecurityDecision 
  • OPT.VBNET.SEC.CrossSiteHistoryManipulation 
  • OPT.VBNET.SEC.DangerousFileUpload 
  • OPT.VBNET.SEC.HardcodedCredential 
  • OPT.VBNET.SEC.HardcodedCryptoKey 
  • OPT.VBNET.SEC.HardcodedNetworkAddress 
  • OPT.VBNET.SEC.HardcodedSalt 
  • OPT.VBNET.SEC.HttpParameterPollution 
  • OPT.VBNET.SEC.HttpRequestValueShadowing 
  • OPT.VBNET.SEC.HttpSplittingRule 
  • OPT.VBNET.SEC.ImproperAuthentication 
  • OPT.VBNET.SEC.InformationExposureThroughDebugLog 
  • OPT.VBNET.SEC.InformationExposureThroughErrorMessage 
  • OPT.VBNET.SEC.InsecureEmailTransport 
  • OPT.VBNET.SEC.InsecureTransport 
  • OPT.VBNET.SEC.LogForging 
  • OPT.VBNET.SEC.MailCommandInjection 
  • OPT.VBNET.SEC.MainMethodInWebApplication 
  • OPT.VBNET.SEC.MissingStandardErrorHandling 
  • OPT.VBNET.SEC.NoSQLInjection 
  • OPT.VBNET.SEC.PlaintextStorageOfPassword 
  • OPT.VBNET.SEC.ProcessControl 
  • OPT.VBNET.SEC.ProperPaddingWithPublicKeyCrypto 
  • OPT.VBNET.SEC.RegistryManipulation 
  • OPT.VBNET.SEC.ResourceInjection 
  • OPT.VBNET.SEC.SerializableClassContainingSensitiveData 
  • OPT.VBNET.SEC.ServerInsecureTransport 
  • OPT.VBNET.SEC.SettingManipulation 
  • OPT.VBNET.SEC.StaticDatabaseConnection 
  • OPT.VBNET.SEC.TemporaryFilesLeft 
  • OPT.VBNET.SEC.TrustBoundaryViolation 
  • OPT.VBNET.SEC.UnsafeCookieRule 
  • OPT.VBNET.SEC.UnsafeReflection 
  • OPT.VBNET.SEC.UnvalidatedAspNetModel 
  • OPT.VBNET.SEC.UserControlledSQLPrimaryKey 
  • OPT.VBNET.SEC.XMLEntityInjection 
  • OPT.VBNET.ServerSideRequestForgery 
  • OPT.VBNET.SqlInjection 
  • OPT.VBNET.StoredCrossSiteScripting 
  • OPT.VBNET.SystemInformationLeak 
  • OPT.VBNET.TooMuchOriginsAllowed 
  • OPT.VBNET.UncheckedInputInLoopCondition 
  • OPT.VBNET.UncheckedReturnValue 
  • OPT.VBNET.WeakCryptographicHash 
  • OPT.VBNET.WeakEncryption 
  • OPT.VBNET.WeakKeySize 
  • OPT.VBNET.WeakSymmetricEncryptionAlgorithm 
  • OPT.VBNET.WeakSymmetricEncryptionModeOfOperation 
  • OPT.VBNET.XMLInjection 
  • OPT.VBNET.XPathInjection 
  • OPT.VBNET.XQueryInjection 
  • OPT.VBNET.XSLTInjection

 

New Objective-C security rules

  • OPT.OBJECTIVEC.SECURITY.AvoidSMS 
  • OPT.OBJECTIVEC.SECURITY.BiometricWithoutMessage 
  • OPT.OBJECTIVEC.SECURITY.CommandInjectionRule 
  • OPT.OBJECTIVEC.SECURITY.ConnectionStringParameterPollution 
  • OPT.OBJECTIVEC.SECURITY.ExecutionAfterRedirect 
  • OPT.OBJECTIVEC.SECURITY.HardcodedCryptoKey 
  • OPT.OBJECTIVEC.SECURITY.HardcodedIp 
  • OPT.OBJECTIVEC.SECURITY.HardcodedUsernamePassword 
  • OPT.OBJECTIVEC.SECURITY.HttpParameterPollutionRule  
  • OPT.OBJECTIVEC.SECURITY.HttpResponseCachingLeak 
  • OPT.OBJECTIVEC.SECURITY.HttpSplittingRule 
  • OPT.OBJECTIVEC.SECURITY.InformationExposureThroughErrorMessage 
  • OPT.OBJECTIVEC.SECURITY.InsecureTemporaryFile 
  • OPT.OBJECTIVEC.SECURITY.KeyboardCachingLeak 
  • OPT.OBJECTIVEC.SECURITY.MailCommandInjection 
  • OPT.OBJECTIVEC.SECURITY.MissingContentValidation 
  • OPT.OBJECTIVEC.SECURITY.MissingPasswordFieldMasking 
  • OPT.OBJECTIVEC.SECURITY.NoSQLInjection 
  • OPT.OBJECTIVEC.SECURITY.LogForging 
  • OPT.OBJECTIVEC.SECURITY.PasswordInCommentRule 
  • OPT.OBJECTIVEC.SECURITY.PasswordInConfigurationFile 
  • OPT.OBJECTIVEC.SECURITY.PasteboardCachingLeak 
  • OPT.OBJECTIVEC.SECURITY.PlaintextStorageInACookieRule 
  • OPT.OBJECTIVEC.SECURITY.PotentialInfiniteLoop 
  • OPT.OBJECTIVEC.SECURITY.PrivacyViolation 
  • OPT.OBJECTIVEC.SECURITY.ResourceInjection 
  • OPT.OBJECTIVEC.SECURITY.ScreenCachingLeak 
  • OPT.OBJECTIVEC.SECURITY.SensitiveCoreData 
  • OPT.OBJECTIVEC.SECURITY.SensitiveDataAccessedFromItunes 
  • OPT.OBJECTIVEC.SECURITY.SensitiveNoSQL 
  • OPT.OBJECTIVEC.SECURITY.SensitiveSQL 
  • OPT.OBJECTIVEC.SECURITY.SensitiveUserDefaults 
  • OPT.OBJECTIVEC.SECURITY.SerializableClassContainingSensitiveData 
  • OPT.OBJECTIVEC.SECURITY.SerializationInjection 
  • OPT.OBJECTIVEC.SECURITY.ServerTrustCredentialCheck 
  • OPT.OBJECTIVEC.SECURITY.ThirdPartyKeyboardAllowed 
  • OPT.OBJECTIVEC.SECURITY.UncheckedInputInLoopCondition 
  • OPT.OBJECTIVEC.SECURITY.UnsafeCookie 
  • OPT.OBJECTIVEC.SECURITY.URLSchemeHijacking 
  • OPT.OBJECTIVEC.SECURITY.UserControlledSQLPrimaryKey 
  • OPT.OBJECTIVEC.SECURITY.WeakKeyDerivationIteration 
  • OPT.OBJECTIVEC.SECURITY.WeakKeyDerivationPassword 
  • OPT.OBJECTIVEC.SECURITY.XMLInjection

 

Additional support for detection of NoSQL Injection vulnerabilities

Support has been added to Kiuwan to detect NoSQL Injection vulnerabilities.

Additionaly to JavaScript, C# and VB.NET, Kiuwan provides support for Java, PHP, Python and Objective-C.

 

 


  • No labels