Overview
BLAST (Business Logic Application Security Testing) is Corgea’s next-generation code scanning solution, designed to detect and fix security vulnerabilities in application code, with a particular emphasis on business logic, authentication, and code-flow flaws. Unlike traditional Static Application Security Testing (SAST) tools, BLAST uses AI-driven techniques to improve detection accuracy, reduce false positives, and give developers and security teams actionable findings. By combining Large Language Models (LLMs) with static analysis, BLAST gains a deeper contextual understanding of code and can detect vulnerabilities that standard SAST tools miss. This document gives a technical overview of how BLAST works, what it can detect, and how it integrates into development workflows.
Key Features
AI-Enhanced Detection
- Combines the reasoning capabilities of LLMs with static code analysis
- Accurately detects vulnerabilities with contextual understanding
- Identifies both business logic and traditional SAST vulnerabilities
Developer Experience
- Low false positive rate reduces noise in scanning results
- Actionable insights with clear explanations
- Seamless integration with CI/CD pipelines and pull requests
Security Coverage
- Comprehensive secret scanning across codebases
- Detection of hardcoded credentials and sensitive data
- Business logic vulnerability detection
Vulnerability Classes Detected
BLAST excels at detecting business logic vulnerabilities, which traditional SAST tools often miss. Below are the specific vulnerability classes BLAST detects, with the CWE each is mapped to:
Business Logic and Code Flow
- Business Logic Vulnerabilities (CWE-840): Flaws that allow users to manipulate or bypass critical processes
- Code Logic Vulnerabilities (CWE-633): Errors in conditions or loops leading to unexpected behavior
- Context Dependent Vulnerabilities (CWE-696): Time-based or state-dependent errors
- Race Conditions (CWE-362): Uncontrolled timing/ordering of operations
- Timing Attacks (CWE-208): Time-based information leaks
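The business logic class above (CWE-840) is the one that taint-based SAST is structurally blind to: no untrusted value flows into a dangerous sink, the code is simply wrong about what callers are allowed to do. The following is an added illustration, not code from Corgea or BLAST; the catalogue, coupon table and checkout functions are constructed for the example. The vulnerable version trusts a client-supplied quantity and lets the same coupon be stacked; the hardened version enforces the invariants the business rules actually require.

```python
from decimal import Decimal

# Constructed catalogue and coupon data for this example (not project code).
CATALOG = {"widget": Decimal("25.00"), "gadget": Decimal("40.00")}
COUPONS = {"TEN_OFF": Decimal("10.00"), "FIFTY_OFF": Decimal("50.00")}


def checkout_total_vulnerable(lines, coupon_codes):
    """Cart total as a logic-flawed handler would compute it (CWE-840).

    No untrusted value reaches a dangerous sink, so taint-based SAST stays
    silent, yet the caller controls two things this code never questions:
      - the quantity, which may be zero or negative, and
      - the coupon list, which may repeat the same code.
    A negative line and a stacked coupon together yield a negative total,
    i.e. the shop pays the customer.
    """
    total = Decimal("0.00")
    for sku, qty in lines:
        total += CATALOG[sku] * qty
    for code in coupon_codes:
        total -= COUPONS[code]
    return total


def checkout_total_hardened(lines, coupon_codes):
    """Same calculation with the business invariants made explicit."""
    total = Decimal("0.00")
    for sku, qty in lines:
        if sku not in CATALOG:
            raise ValueError(f"unknown sku {sku!r}")
        # bool is an int subclass; reject it along with any non-int or qty < 1
        if isinstance(qty, bool) or not isinstance(qty, int) or qty < 1:
            raise ValueError(f"quantity for {sku!r} must be a positive integer")
        total += CATALOG[sku] * qty
    seen = set()
    for code in coupon_codes:
        if code not in COUPONS:
            raise ValueError(f"unknown coupon {code!r}")
        if code in seen:
            raise ValueError(f"coupon {code!r} applied more than once")
        seen.add(code)
        total -= COUPONS[code]
    # A discount may bring the total to zero but never below it.
    return max(total, Decimal("0.00"))


if __name__ == "__main__":
    cart = [("widget", 2), ("gadget", -3)]
    print("vulnerable:", checkout_total_vulnerable(cart, ["TEN_OFF", "TEN_OFF"]))
    try:
        checkout_total_hardened(cart, ["TEN_OFF", "TEN_OFF"])
    except ValueError as exc:
        print("hardened rejected the cart:", exc)
```

Note that a grep or a source-sink rule has nothing to anchor on here: both versions are syntactically ordinary arithmetic over dictionary lookups. The difference is whether the code knows that quantities must be positive and coupons single-use, which is exactly the kind of context the page says BLAST reasons about.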
Authentication and Authorization
Data Handling and Storage
- Unhygienic Data Handling (CWE-20): Poor input validation
- Insecure Data Storage (CWE-311): Weak encryption or plaintext storage
- Sensitive Data Exposure (CWE-200): Information leaks
- Hardcoded Secrets (CWE-798): Embedded credentials
Error Management
- Improper Error Handling (CWE-209): Information leaks in error messages
- Improper Logging (CWE-532): Sensitive data in logs
- Improper Exception Handling (CWE-248): Security risks from poor exception management
Malicious Code Detection
- Malicious Code (CWE-506): Unauthorized harmful actions
- Backdoors (CWE-288): Hidden access mechanisms
- Time Bombs (CWE-511): Triggered malicious actions
- Obfuscation (CWE-116): Suspicious code complexity
Privacy & Resources
- Data Exfiltration (CWE-319): Unauthorized data transmission
- Unethical Data Collection (CWE-359): Improper data gathering
- Malicious Network Activity (CWE-293): Suspicious connections
- Crypto Mining (CWE-400): Unauthorized resource usage
Secret Scanning Capabilities
BLAST’s secret scanner uses pattern matching, entropy analysis, and AI-powered contextual understanding to minimize false positives while ensuring comprehensive coverage.
Detected Secret Types
- API keys and tokens (AWS, Google Cloud, Azure, etc.)
- Authentication credentials
- Database connection strings
- Private keys and certificates
- OAuth tokens
- Personal access tokens
- Encryption keys
- Environment variables
- Internal endpoints
- Payment credentials
When secrets are detected, BLAST provides detailed information about the type, location, security impact, and secure storage alternatives.
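To make the three layers named above concrete (provider patterns, Shannon entropy, and context), here is an added example of a minimal scanner in that style. It is not Corgea’s scanner and is not claimed to match BLAST’s rules: the provider regexes, the name hints, the 4.0 bits/char threshold, and the sample file are all assumptions chosen for the illustration. The AWS key in the sample is the placeholder AWS uses in its own documentation, not a live credential.

```python
import math
import re
from dataclasses import dataclass

# Constructed sample file for this example; none of these values are real credentials.
SAMPLE_SOURCE = """\
# settings.py (constructed sample)
AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"
DATABASE_URL = "postgres://app:s3cr3tpass@db.internal:5432/orders"
api_token = "q7Vz2mL9pX4kR8wN1cB6tY3hJ5sG0dF"
CONTENT_HASH = "bNk8vQ2zL7xW4rT1mY9hJ3pC6sD0fG5a"
password = "changeme"
# old_key = "AKIAIOSFODNN7EXAMPLE"
"""

# Layer 1: provider-specific patterns. A match is a finding regardless of entropy.
PROVIDER_PATTERNS = {
    "aws-access-key-id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "db-connection-string": re.compile(
        r"\b(?:postgres(?:ql)?|mysql|mongodb(?:\+srv)?|redis)://[^:/\s]+:[^@\s]+@"
    ),
    "private-key-block": re.compile(r"-----BEGIN (?:[A-Z ]+ )?PRIVATE KEY-----"),
}

# Layer 2/3: generic detector. `name = "value"` or `name: "value"` counts only when
# the name hints at a secret (context) and the value is a long, high-entropy token.
ASSIGNMENT = re.compile(r"""^\s*([A-Za-z_][A-Za-z0-9_]*)\s*[:=]\s*["']([^"']+)["']""")
SECRET_NAME_HINT = re.compile(
    r"secret|token|passw(?:or)?d|api[_-]?key|private[_-]?key|credential", re.I
)
GENERIC_TOKEN = re.compile(r"[A-Za-z0-9+/=_\-]{20,}")
ENTROPY_THRESHOLD = 4.0  # bits per character; assumed tuning value for this example


def shannon_entropy(s):
    """Shannon entropy of a string in bits per character (0.0 for empty input)."""
    if not s:
        return 0.0
    n = len(s)
    counts = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    return -sum(c / n * math.log2(c / n) for c in counts.values())


@dataclass
class Finding:
    line_no: int
    kind: str
    value: str


def scan_text(text):
    """Scan source text line by line; returns findings in line order."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        if line.lstrip().startswith("#"):
            continue  # skip comment lines
        provider_hit = False
        for kind, pattern in PROVIDER_PATTERNS.items():
            for match in pattern.finditer(line):
                findings.append(Finding(line_no, kind, match.group(0)))
                provider_hit = True
        if provider_hit:
            continue  # do not double-report the same value as generic entropy
        m = ASSIGNMENT.match(line)
        if not m:
            continue
        name, value = m.groups()
        # Context check: a high-entropy value named CONTENT_HASH is not a secret.
        if not SECRET_NAME_HINT.search(name):
            continue
        if GENERIC_TOKEN.fullmatch(value) and shannon_entropy(value) >= ENTROPY_THRESHOLD:
            findings.append(Finding(line_no, "generic-high-entropy", value))
    return findings


if __name__ == "__main__":
    for f in scan_text(SAMPLE_SOURCE):
        print(f"line {f.line_no}: {f.kind}: {f.value}")
```

Run against the sample, the scanner reports the AWS key on line 2, the embedded database password on line 3, and the high-entropy `api_token` on line 4, while staying quiet on `CONTENT_HASH` (equally high entropy, but the name gives no reason to treat it as a secret) and on the short, low-entropy `password`. That last distinction is the role context plays: entropy alone flags every hash, UUID and checksum in a codebase.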
Technology Behind BLAST
BLAST is powered by Corgea’s proprietary CodeIQ technology, which combines AI with Abstract Syntax Trees (ASTs) for comprehensive analysis:
1. Project-Level Analysis: BLAST parses the entire project to build a complete picture of how code components interact, so that flaws which span several components are not missed.
2. Contextual Intelligence: the AI engine understands code context, including middleware, configuration, and templates.
3. False Positive Reduction: understanding the surrounding context and logic reduces the false positives common in traditional tools.
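The middleware point deserves a worked illustration of what an AST-level check can see that a regex cannot: whether a route handler is wrapped by an authentication decorator. The example below is added here and is not CodeIQ or any Corgea code; it uses Python’s standard `ast` module on a constructed Flask-style module, and the set of decorator names that count as authentication (`login_required`, `requires_auth`) and the allow-list of intentionally public paths are assumptions for the illustration.

```python
import ast

# Constructed sample module for this example (not real project code).
SAMPLE_MODULE = '''
from flask import Flask

app = Flask(__name__)


def login_required(f):
    return f


@app.route("/profile")
@login_required
def profile():
    return "ok"


@app.route("/admin/users/<int:uid>", methods=["DELETE"])
def admin_delete_user(uid):
    return "deleted"


@app.route("/health")
def health():
    return "ok"
'''

# Assumed project conventions: these decorators enforce authentication,
# and these paths are intentionally public.
AUTH_DECORATORS = {"login_required", "requires_auth"}
PUBLIC_PATHS = {"/health"}


def decorator_name(node):
    """Name of a decorator node: @name, @name(...), @obj.attr or @obj.attr(...)."""
    if isinstance(node, ast.Call):
        node = node.func
    if isinstance(node, ast.Attribute):
        return node.attr
    if isinstance(node, ast.Name):
        return node.id
    return None


def route_path(node):
    """Path literal from an @something.route("/path", ...) decorator, else None."""
    if isinstance(node, ast.Call) and decorator_name(node) == "route" and node.args:
        first = node.args[0]
        if isinstance(first, ast.Constant) and isinstance(first.value, str):
            return first.value
    return None


def find_unprotected_routes(source):
    """Return (function_name, path) for each route handler lacking an auth decorator."""
    tree = ast.parse(source)
    findings = []
    for node in ast.walk(tree):
        if not isinstance(node, (ast.FunctionDef, ast.AsyncFunctionDef)):
            continue
        paths = [p for p in map(route_path, node.decorator_list) if p is not None]
        if not paths:
            continue  # not a route handler
        names = {decorator_name(d) for d in node.decorator_list}
        if names & AUTH_DECORATORS:
            continue  # protected by a known auth decorator
        for path in paths:
            if path not in PUBLIC_PATHS:
                findings.append((node.name, path))
    return findings


if __name__ == "__main__":
    for name, path in find_unprotected_routes(SAMPLE_MODULE):
        print(f"unprotected route {path} handled by {name}()")
```

The check flags only `admin_delete_user`: `profile` carries `@login_required`, and `/health` is on the public allow-list. A real project-level analysis also has to account for protection applied elsewhere (a blueprint-wide `before_request` hook, a WSGI middleware, a reverse-proxy rule), which is why the page stresses whole-project context rather than per-function rules; this example deliberately shows only the decorator-level slice.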
Comparison to Traditional Methods
Traditional static analysis techniques, and naive retrieval-based LLM approaches, have significant limitations:
- Source-sink (taint) analysis misses validation and business-rule steps that sit between the source and the sink
- Call graphs miss behaviour that is only determined at runtime
- Vector search and RAG over code suffer from over-generalization
Integration and Workflow
Integration Points
- CI/CD Pipelines: Automatic scanning at commits/PRs
- Pull Request Reviews: Pre-merge vulnerability analysis
- IDE Integration: Real-time feedback during development
Supported Languages and Frameworks
- C#
- Python
- Ruby
- Go
- JavaScript
- TypeScript
- Java