Why is this significant?
JSA may very well be the only technology available today that can effectively catch these types of issues.
But JSA is also really interesting from a technology standpoint. It is perhaps the first real implementation of Hybrid Scanning -- bringing together the advantages of the white-box and black-box methodologies, while overcoming their weaknesses. For the first time ever, you have black-box and static analysis working TOGETHER, in a single product, in the same scan.
If you think it's just two components lumped together, with aggregated results -- think again. JSA is distinctly hybrid. It is static analysis feeding off of information that could ONLY be collected dynamically. This gives JSA a huge advantage over any other solution that is either purely black-box or purely static analysis.
The best example of this is how JSA uses String Analysis to automatically eliminate false positive reports. Without getting too technical, String Analysis allows tracking potential string values in a program. This allows very powerful reasoning about the kinds of exploits that a potential attacker can or cannot carry out.
So what's hybrid about this? Well, the unique String Analysis implementation in JSA feeds off of actual page URLs, collected during crawling. Feeding on such accurate and concrete information from the live, running application allows JSA to eliminate virtually all of the non-exploitable reports. We thoroughly reviewed and manually classified the results for hundreds of real-world sites, so we know that JSA produces less than 10% false positives. How many static analysis tools can match that?
JSA is also incredibly easy to run. There is no configuration. It's fast, it's responsive, it's accurate. It just works.
You see the theme here. We are trying to create tools that mere mortals can be successful with. It's really hard to make something complicated appear simple, but that's how I perceive my job.
What do you think? Leave a comment with your thoughts.