On Aug 15, 2020, at 3:28 AM, Sergey Toshin <sto...@oversecured.com> wrote:
Hello everyone! I'm a founder of Oversecured Inc (https://oversecured.com/), a startup focused on automated mobile app vulnerability scanning. Currently, we're providing only scans for Android apps (APK files). I'd like to add it to this list: https://owasp.org/www-community/Source_Code_Analysis_Tools

I'm ready to answer any questions the community has. I would also invite everyone interested in Android security to view Oversecured's blog and read the posted technical articles (https://blog.oversecured.com/), check out the list of vulnerabilities (https://oversecured.com/vulnerabilities), and the sample report posted on the landing page. You can use the opportunity to scan 5 Android apps for free using the Oversecured service.

Thanks!
You received this message because you are subscribed to the Google Groups "OWASP Mobile Top 10 Risks" group.
To unsubscribe from this group and stop receiving emails from it, send an email to owasp-mobile-top-1...@owasp.org.
To view this discussion on the web visit https://groups.google.com/a/owasp.org/d/msgid/owasp-mobile-top-10-risks/8e34b811-7b9a-4001-b52e-c6756ddb7b67n%40owasp.org.
On Aug 15, 2020, at 8:03 AM, Sergey Toshin <sto...@oversecured.com> wrote:
Hi Jim, this is not an announcement. The list of tools https://owasp.org/www-community/Source_Code_Analysis_Tools contains multiple commercial scanners. The policy says:

> If you are the vendor of a tool below and think that this information is incomplete or incorrect, please send an e-mail to our mailing list and we will make every effort to correct this information.

So maybe you could recommend the correct OWASP mailing list where I can ask to place Oversecured on the list of tools? Thanks!
On Aug 15, 2020, at 8:51 AM, Sergey Toshin <sto...@oversecured.com> wrote:
Thanks for letting me know. But is that the correct place where I can ask to be added to https://owasp.org/www-community/Source_Code_Analysis_Tools?
On Aug 15, 2020, at 9:45 AM, Sergey Toshin <sto...@oversecured.com> wrote:
Sorry, that was my first post to the OWASP forums, the lesson is learned!

Oversecured -- a static SaaS-based scanner for Android apps. It accepts only APK files from users and gives back a report that can be downloaded as a PDF (entirely, or with applied filters). It decompiles APKs to Java sources and performs analysis against them (so it doesn't matter whether Kotlin or Java or both were used to write the app). The list of vulnerabilities (https://oversecured.com/vulnerabilities) corresponds to OWASP Top 10 and CWE categories. It doesn't differentiate between app sources and used libraries; a scan report will contain vulnerabilities from both parts. A scan takes from a few seconds up to a few hours, really depending on the app (most scans are finished within 10 mins). It doesn't have an OWASP Benchmark score, but the rate of False Positives is subjectively very low. We're also doing our best to find 100% of Java-specific vulnerabilities (the scanner doesn't scan native libraries at all).

Some of the features:
- supports the following input sources of dangerous data: third-party apps (inter-component communications), public storage (SD card), deeplinks, network/webviews, public content providers, Bluetooth/NFC/SMS, UI inputs, all deserializable objects, etc.
- cross-component data tracking (e.g. from an exported activity to a not exported service)
- supports vulnerability detection during deserialization (for Serializable, Externalizable, Parcelable classes)
- a big number of Android-specific vulnerability categories

The first 5 scans are free to all users, after that $10 per scan. Companies that own an app can also integrate the scanner into their SDLC and scan each new version of the app. The cost will depend on the app category and number of installs.

Hope it helps.
Oh okay, now I know the process
Summary: A static SaaS-based vulnerability scanner for Android apps (APK files), supports apps written in Java and Kotlin. Also allows integrations into DevOps processes.
On Aug 16, 2020, at 10:59 AM, Erez Yalon <erez....@gmail.com> wrote: