VirusTotal is excellent in its field. Does there exist any tool (or site) to which we could upload projects or websites (PHP, Java, whatever) to test them for vulnerabilities (or that could also be an offline PC version), but as ALL-IN-ONE scanning (like VirusTotal), which would include all the free/trial tools available on the internet?


UPDATE: Well, it seems there is not. As a volunteer idea, I've created an example site showing what I mean: Live Demo (Github).

schroeder
T.Todua
  • "Where we could upload": do you mean upload source code and have a static analysis? – Xavier59 Jan 08 '19 at 08:46
  • Does it have to be a _site_, or can it be a program, e.g. a vulnerability scanner? – forest Jan 08 '19 at 09:04
  • Old question but most software is still relevant: https://security.stackexchange.com/questions/806/benefits-of-secure-code-review-in-ide-vs-fatapp-vs-webapp – Xavier59 Jan 08 '19 at 09:43
  • If you are asking for a vulnerability scanning tool then yes, those exist, for example IBM AppScan and Burp Suite. Yet, product recommendation is off topic here. Hence, VTC'd. – Tobi Nary Jan 08 '19 at 12:05
  • @TobiNary Yet I think that people are overpoisoned with the "product recommendation" myth, which questions could actually have helped folks. Thanks anyway. (btw, I ask ALL-IN-ONE meaning that `IBM AppScan` or `Burp` would be just individual scanners in that "all" list, like VirusTotal does with many individual scanners) – T.Todua Jan 08 '19 at 15:35

1 Answer

To my knowledge, there is not a comprehensive, all-in-one solution that can effectively scan for different types of vulnerabilities on different types of projects. This is partially due to the fact that the type of data store required for such a solution is immense; therefore many products have chosen to tackle a specific issue and excel at that, versus being an inch deep across multiple vectors.

At a high level, I like the idea. I think it's probably a great niche for a business, but it would require that an appropriate team be assembled with enough knowledge around all of the fields you would like to support for it to be beneficial. Half-implemented features would not do this service any good, and it would be dropped in favor of the specific tools that meet the needs of current processes.

There are some challenges I think you'll need to think about:

  • The number of programming languages that need to be evaluated
  • The number of potential CI/CD pipeline configurations
  • The variation in operating systems and patch levels
  • The limitations of cloud-based security systems (AWS won't let you scan)
  • Desktop application scanning
  • Web application scanning
  • Mobile application scanning
  • Potential integration with multiple code repositories

Again, it's not a bad idea in theory. But taking it to production is a feat that I'm not sure anyone is really ready for at this point.

Connor Peoples
  • I'll take a look :) – Connor Peoples Jan 08 '19 at 19:42
  • Last point: once you have developed everything, you will have to handle all the new stuff that came out between the start and the end. Furthermore, you also have vulnerabilities that are inherent to the specification of some protocol itself (WPA and the handshake system, if I remember well). – Walfrat Jan 11 '19 at 12:47
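To make the "individual scanners in one list" idea and the answer's first challenge (many languages, each needing its own tool) concrete, here is a skeleton aggregator. It is an added example written for this page, not the asker's Live Demo, not any product, and not an endorsement of the two tools it registers. It assumes: language detection by file extension is good enough; the bandit (`bandit -q -r PATH -f json`) and semgrep (`semgrep --config auto --json --quiet PATH`) command lines and their JSON result schemas are as I have seen them in bandit 1.7 and semgrep 1.x, so verify them against your installed versions; and `--config auto` fetches rules from the semgrep registry, so that scanner is not offline. Tools that are not on `PATH` are reported as skipped rather than silently omitted, and a tool that exits without a parseable report is recorded as an error rather than as "no findings", because a VirusTotal-style aggregator that hides scanner failures gives false reassurance.

```python
"""Skeleton 'VirusTotal for source code': detect languages, fan out to the
applicable scanners that are installed, normalise their output into one
finding schema, and merge. Example code for this page, not a real product."""
import json
import shutil
import subprocess
from pathlib import Path

# Assumption: file extension is enough to decide which scanners apply.
EXT_TO_LANG = {".py": "python", ".js": "javascript", ".ts": "javascript",
               ".go": "go", ".php": "php", ".java": "java"}


def _norm_bandit(raw):
    """bandit -f json -> common findings (schema as seen in bandit 1.7; verify locally)."""
    return [{"tool": "bandit", "rule": r["test_id"], "file": r["filename"],
             "line": r["line_number"], "severity": r["issue_severity"].upper(),
             "message": r["issue_text"]} for r in raw.get("results", [])]


def _norm_semgrep(raw):
    """semgrep --json -> common findings (schema as seen in semgrep 1.x; verify locally)."""
    return [{"tool": "semgrep", "rule": r["check_id"], "file": r["path"],
             "line": r["start"]["line"], "severity": r["extra"]["severity"].upper(),
             "message": r["extra"]["message"]} for r in raw.get("results", [])]


# Registry: scanner -> languages it covers, command template, normaliser.
# Add one entry per tool you want in the "all" list; nothing else changes.
SCANNERS = {
    "bandit":  {"langs": {"python"},
                "cmd": ["bandit", "-q", "-r", "{path}", "-f", "json"],
                "parse": _norm_bandit},
    "semgrep": {"langs": {"python", "javascript", "go", "php", "java"},
                "cmd": ["semgrep", "--config", "auto", "--json", "--quiet", "{path}"],
                "parse": _norm_semgrep},
}


def detect_languages(root):
    return {EXT_TO_LANG[p.suffix] for p in Path(root).rglob("*") if p.suffix in EXT_TO_LANG}


def plan_scanners(langs):
    """Scanners whose language set overlaps the project's languages, sorted."""
    return sorted(n for n, s in SCANNERS.items() if s["langs"] & set(langs))


def run_scanner(name, root):
    """Run one scanner. None if the binary is not installed. Exit status is not
    used as a failure signal because both tools exit non-zero when they find
    issues; an unparseable report is raised as an error instead of swallowed."""
    spec = SCANNERS[name]
    if shutil.which(spec["cmd"][0]) is None:
        return None
    cmd = [arg.format(path=str(root)) for arg in spec["cmd"]]
    proc = subprocess.run(cmd, capture_output=True, text=True, timeout=600)
    try:
        return spec["parse"](json.loads(proc.stdout))
    except (json.JSONDecodeError, KeyError) as exc:
        raise RuntimeError(f"{name}: no parseable report ({exc}); stderr: {proc.stderr[:200]}")


def merge_findings(per_tool):
    """Union of all tools' findings, deduplicated on (file, line, rule) so a
    re-run or two tools reporting the same rule id do not double count."""
    seen, merged = set(), []
    for findings in per_tool:
        for f in findings:
            key = (f["file"], f["line"], f["rule"])
            if key not in seen:
                seen.add(key)
                merged.append(f)
    return sorted(merged, key=lambda f: (f["file"], f["line"], f["tool"]))


def scan(root):
    langs = detect_languages(root)
    planned = plan_scanners(langs)
    report = {"languages": sorted(langs), "planned": planned, "ran": [],
              "skipped": [], "errors": {}, "findings": []}
    results = []
    for name in planned:
        try:
            res = run_scanner(name, root)
        except RuntimeError as exc:
            report["errors"][name] = str(exc)
            continue
        if res is None:
            report["skipped"].append(name)   # installed? no: say so, do not hide it
        else:
            report["ran"].append(name)
            results.append(res)
    report["findings"] = merge_findings(results)
    return report


if __name__ == "__main__":
    import sys
    print(json.dumps(scan(sys.argv[1] if len(sys.argv) > 1 else "."), indent=2))
```

Run it as `python aggregate.py /path/to/project`. The `skipped` and `errors` fields are the point: an aggregator's report is only as trustworthy as its honesty about which scanners actually ran, and the per-tool normalisers are where the answer's "inch deep across multiple vectors" problem lives, since every added tool needs its own schema mapping and its own notion of severity.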