Legacy code analysis tools use signatures or rules to find technical vulnerabilities such as SQL injection (SQLi) and cross-site scripting (XSS) because the conditions that cause these vulnerabilities are common to any code base. Ocular helps find business logic and technical vulnerabilities unique to your application, by enabling the analyst to write their own custom queries.
Ocular enables you to query your applications’ Code Property Graphs. Ocular is a Scala-based read-eval-print-loop (REPL) tool for traversing the graph. For example, Ocular enables you to query for all the sources and sinks of a critical data variable. It can list every transform on each route to ensure that data is always handled properly and never leaked to a logger.
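The source-to-logger check described above, as an added example written in the Joern-style Code Property Graph query language that Ocular builds on; the method name `getPassword` and the logger method names are assumptions chosen for illustration, not names from the page:

```scala
// Added example (not from the Ocular documentation): trace a critical value
// from where it is produced to any logger call that could leak it.

// Source: the return value of every method named getPassword (assumed name).
def source = cpg.method.name("getPassword").methodReturn

// Sink: every argument handed to a logger method; the name pattern is a
// regular expression and is an assumption about the application's logging API.
def sink = cpg.call.name("info|debug|warn|error|trace").argument

// All data flows from source to sink, each printed with every intermediate
// step, which is how an auditor reviews the transforms applied along a route.
sink.reachableByFlows(source).p

// The same flows as a list of code snippets per step, for filtering in the REPL,
// e.g. to confirm a redaction or hashing call sits on every path before the sink.
sink.reachableByFlows(source).map(_.elements.map(_.code)).l
```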
Business logic flaws are application and business domain specific vulnerabilities that result from faulty application logic.
Ocular helps identify usernames, passwords, tokens and other secrets that have been hard-coded into source code.
Ocular enables code auditors to build custom queries that ensure authentication is consistent and appropriately applied across the application. Ocular helps identify flaws such as authentication bypass, insufficient process validation, indirect object reference and more.
Ocular understands all routes of information flows in applications. This enables code auditors to query all sources, all sinks and all transformations to confirm critical data is always handled properly. Furthermore, Ocular’s understanding of routes includes custom code, open source libraries, SDKs, APIs and microservices.
Ocular enables code auditors to leverage their knowledge of business logic to quickly identify symptoms of insider threats such as rootkits, backdoors and logic bombs.
Ocular queries can be saved as policies that are automatically inserted into the SDLC via either pull requests or the build tool. This ensures that developers get immediate feedback on vulnerabilities and that, once identified, vulnerabilities are not re-introduced.
Ocular ships with out-of-the-box query templates to find business logic flaws, technical vulnerabilities, and sensitive data leaks. These templates require minimal customization to detect backdoors, time bombs, malicious code, privilege escalations, authorization bypasses, rootkits, insider attacks and numerous other flaws in your application.
Custom code is often less than 20% of an application; modern applications are increasingly reliant on external code for non-differentiating features. Simply matching version strings of dependencies against CVE lists is not sufficient, since it doesn’t take into account how the dependency is actually used and whether the CVE is reachable. Ocular works across the entire application stack, including custom code, frameworks, open source, third-party dependencies and APIs.
Ocular integrates with all major code repositories and CI systems and can run queries on your application as part of the development cycle. Security teams can define organization-wide policies, and these can be automatically enforced for every single product update. Ocular also helps with regression testing, ensuring that old vulnerabilities are not re-introduced.