Be one step ahead of the hostiles

Security Champion / Auditor / White Box Pentester

The YAG-Suite augmented code investigation: a "best effort" approach to support code reviews, with unique features to detect complex vulnerabilities

The innovative technology developed by YAGAAN extracts numerous characteristics from the code that have an impact on security and contextualizes the analyses to provide security champions with unprecedented features for automatic qualification of warnings, customization of detection rules and decision making support.

Auditors and white box pentesters, often overlooked by code analysis tools, benefit from the YAG-Suite's unique assistance functionalities dedicated to discovering unknown applications, focused code exploration and complex investigations. They gain comprehensive and customized coverage of the application for discovering its risky code areas, so that nothing 'falls through the net'.

Teams taking over third-party maintenance of applications will also benefit greatly from it!

Automated mapping of the application features.

Reduce discovery time for unknown applications with symptoms mapping

The YAG-Suite not only detects vulnerabilities but also scans numerous code properties, which we call "symptoms", that may have positive or negative impacts on the application's security. These security-related symptoms contribute to the discovery of vulnerabilities, but also to the characterization of operating environments and their associated risks.

You thus have access to a summarized view of the application's behavior, allowing you to quickly grasp the issues that require specific attention during the code security analysis.

Risk assessment view to focus remediation efforts on the most critical warnings.

Focus your expertise on the most critical vulnerabilities first, based on risks

In the Audit Center, vulnerabilities are automatically qualified by comparing the context of each warning's causes with a knowledge base. The resulting qualification gives you decision-making information: a likelihood score, which shows how likely the warning is to be a true or a false positive, and a CVSS score, which depicts in a standardised way how critical the vulnerability would be if exploited by a hostile. The CVSS score is calculated for each individual warning, based on its context. If needed, you can refine and customize this risk assessment by providing additional training to the knowledge base.

With this contextualized approach, you benefit from a prioritized action plan: you focus efforts on the most critical issues first and avoid spending time on the least relevant warnings.

Code mining to spot the vulnerable entry points.

Quickly spot the vulnerable entry points

With the Audit Center's code mining capabilities, you can find where the application's entry points are located and easily spot the potential vulnerabilities associated with them in the called code.

The unique call graph querying features offered by the Audit Center, augmented with filtering capabilities through simple queries, assist you in the fast and comprehensive extraction of the vulnerable entry points, as well as in producing concrete attack simulations to validate against the deployed application.
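The query described above, "which entry points can reach a sensitive sink, filtered by the symptoms carried by the functions on the path", is the core of call-graph reachability analysis. The following is an added illustration, not code from the YAG-Suite or YAGAAN: the call graph, the entry points and the symptom labels are a constructed, hypothetical application, and the function names are assumptions used only to show the technique. It also covers the data-influence tracking mentioned later on this page, since tracking the influence of a value across the application is the same reachability question asked on a data-flow graph instead of a call graph.

```python
"""Added example (not part of the YAG-Suite): reachability from application
entry points to sensitive sinks over a call graph, with symptom-based filtering.
Graph, entry points and symptoms below are constructed for illustration."""
from collections import defaultdict

# Constructed call graph of a hypothetical application: caller -> callees.
CALL_GRAPH = {
    "http_upload": ["parse_form", "store_file"],
    "http_search": ["parse_query", "run_query"],
    "http_health": ["ping_db"],
    "parse_form": ["sanitize_name"],
    "store_file": ["write_path"],
    "parse_query": [],
    "run_query": ["exec_sql"],
    "ping_db": ["exec_sql"],
    "sanitize_name": [],
    "write_path": [],
    "exec_sql": [],
}

# Constructed "symptoms": security-relevant properties attached to functions.
# "entry_point" marks externally reachable code, "sink:*" marks dangerous
# operations, and the other labels are context a reviewer can filter on.
SYMPTOMS = {
    "http_upload": {"entry_point"},
    "http_search": {"entry_point"},
    "http_health": {"entry_point"},
    "write_path": {"sink:file_write"},
    "exec_sql": {"sink:sql"},
    "sanitize_name": {"validation"},
    "ping_db": {"constant_input"},
}


def find_paths(graph, start, is_target):
    """Return every simple path (no repeated node) from start to a node
    for which is_target() holds. Depth-first search; cycles are cut by
    refusing to revisit a node already on the current path."""
    paths = []

    def dfs(node, path):
        if node != start and is_target(node):
            paths.append(path)
            return
        for callee in graph.get(node, []):
            if callee not in path:
                dfs(callee, path + [callee])

    dfs(start, [start])
    return paths


def reachable_sinks(graph, symptoms, exclude=frozenset()):
    """Map each entry point to the call paths by which it reaches a sink.
    Paths passing through a function carrying any symptom in `exclude`
    are dropped, which is the query-based filtering a reviewer uses to
    discard paths that are known to be harmless (e.g. constant input)."""
    entries = sorted(f for f, s in symptoms.items() if "entry_point" in s)

    def is_sink(f):
        return any(tag.startswith("sink:") for tag in symptoms.get(f, ()))

    result = defaultdict(list)
    for entry in entries:
        for path in find_paths(graph, entry, is_sink):
            if any(symptoms.get(f, set()) & exclude for f in path):
                continue
            result[entry].append(path)
    return dict(result)


def sink_summary(graph, symptoms, exclude=frozenset()):
    """Count, per sink symptom, how many distinct entry points reach it.
    Useful as the first thing to look at when the application is unknown."""
    counts = defaultdict(set)
    for entry, paths in reachable_sinks(graph, symptoms, exclude).items():
        for path in paths:
            for tag in symptoms.get(path[-1], ()):
                if tag.startswith("sink:"):
                    counts[tag].add(entry)
    return {tag: len(entries) for tag, entries in counts.items()}


if __name__ == "__main__":
    for entry, paths in reachable_sinks(CALL_GRAPH, SYMPTOMS).items():
        for path in paths:
            print(entry, "->", " -> ".join(path[1:]))
    print("after filtering constant-input paths:",
          sink_summary(CALL_GRAPH, SYMPTOMS, exclude={"constant_input"}))
```

Run stand-alone, it lists one sink-reaching path per entry point; adding `exclude={"constant_input"}` removes the health-check path to `exec_sql`, which is the kind of "simple query" that shrinks the set of entry points worth manual attention.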

Code mining to customize expert specific investigations.

Benefit from code mining to assist the expert's customized investigations

The Audit Center provides advanced features to ease and speed up the manual investigation steps.

Based on the comprehensive detection of symptoms, which include code smells, you benefit from a queryable mapping of the application's features. It helps you focus investigations on specific properties, whether an individual property or a custom selection of interest. The code navigation features also augment your investigations with semantic information that the YAG-Suite detects automatically. It is even possible to track and filter the influence of any data across the entire application!

Example of a graphically editable detector.

Customize the YAG-Suite to the application specificities

The repository of rules analyzed during a scan is easily customizable and does not require learning a complex rule-writing SDK. Different types of detectors let you easily add support for application-specific frameworks, express naming conventions, or even create your own vulnerability detectors.