# Business Logic Application Security Testing (Private Beta)

Comprehensive vulnerability coverage in Corgea
BLAST is currently in private beta and is not enabled by default. If you're interested in participating in the beta, please reach out to our support team for more details.
BLAST (Business Logic Application Security Testing) is Corgea's next-generation code scanning solution, designed to detect and fix security vulnerabilities in application code, with a particular emphasis on business logic, authentication and code flaws. Unlike traditional Static Application Security Testing (SAST) tools, BLAST uses advanced AI-driven techniques to enhance detection accuracy, reduce false positives, and provide actionable insights for developers and security teams.
By leveraging the power of Large Language Models (LLMs) combined with static analysis, BLAST delivers a deeper contextual understanding of code, allowing it to detect vulnerabilities that standard SAST tools might miss. This document provides a technical overview of how BLAST works, what it can detect, and how it integrates into development workflows.
- Combines the reasoning capabilities of LLMs with static code analysis
- Accurately detects vulnerabilities with contextual understanding
- Identifies both business logic and traditional SAST vulnerabilities
- Low false positive rate reduces noise in scanning results
- Actionable insights with clear explanations
- Seamless integration with CI/CD pipelines and pull requests
- Comprehensive secret scanning across codebases
- Detection of hardcoded credentials and sensitive data
- Business logic vulnerability detection

BLAST excels at detecting business logic vulnerabilities, which are often missed by traditional SAST tools. Below are some of the specific vulnerabilities detected by BLAST:
- **Business Logic Vulnerabilities (CWE-840)**: Flaws that allow users to manipulate or bypass critical processes
- **Code Logic Vulnerabilities (CWE-633)**: Errors in conditions or loops leading to unexpected behavior
- **Context Dependent Vulnerabilities (CWE-696)**: Time-based or state-dependent errors
- **Race Conditions (CWE-362)**: Uncontrolled timing/ordering of operations
- **Timing Attacks (CWE-208)**: Time-based information leaks
- **Insecure Authentication (CWE-287)**: Missing MFA or insecure token management
- **Insecure Authorization (CWE-285)**: Weak access controls
- **Improper Session Management (CWE-384)**: Session ID mismanagement
- **Unhygienic Data Handling (CWE-20)**: Poor input validation
- **Insecure Data Storage (CWE-311)**: Weak encryption or plaintext storage
- **Sensitive Data Exposure (CWE-200)**: Information leaks
- **Hardcoded Secrets (CWE-798)**: Embedded credentials
- **Improper Error Handling (CWE-209)**: Information leaks in error messages
- **Improper Logging (CWE-532)**: Sensitive data in logs
- **Improper Exception Handling (CWE-248)**: Security risks from poor exception management
- **Malicious Code (CWE-506)**: Unauthorized harmful actions
- **Backdoors (CWE-288)**: Hidden access mechanisms
- **Time Bombs (CWE-511)**: Triggered malicious actions
- **Obfuscation (CWE-116)**: Suspicious code complexity
- **Data Exfiltration (CWE-319)**: Unauthorized data transmission
- **Unethical Data Collection (CWE-359)**: Improper data gathering
- **Malicious Network Activity (CWE-293)**: Suspicious connections
- **Crypto Mining (CWE-400)**: Unauthorized resource usage

In addition to business logic vulnerabilities, BLAST can also detect common security flaws found in regular SAST scanning.
BLAST's secret scanner uses pattern matching, entropy analysis, and AI-powered contextual understanding to minimize false positives while ensuring comprehensive coverage. Detected secret types include:
- API keys and tokens (AWS, Google Cloud, Azure, etc.)
- Authentication credentials
- Database connection strings
- Private keys and certificates
- OAuth tokens
- Personal access tokens
- Encryption keys
- Environment variables
- Internal endpoints
- Payment credentials
When secrets are detected, BLAST provides detailed information about the type, location, security impact, and secure storage alternatives.
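As an added example (not Corgea's or BLAST's code), the Python sketch below shows how the pattern-matching and entropy layers described above complement each other, with a variable-name heuristic standing in for the AI context layer. The patterns, the 3.5-bit threshold, the placeholder list and the sample lines are all assumptions constructed for this illustration; only the AWS access-key-ID prefix and length reflect a real format.

```python
import math
import re

# Structured credential formats are matched by regex (the AWS key-ID shape is real; all scanned values are fake).
PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "connection_string_password": re.compile(r"://[^:/\s]+:([^@\s\"']+)@"),
}
# Opaque tokens have no fixed format, so use context instead: a quoted value of
# 16+ characters assigned to a variable whose name suggests a credential.
ASSIGNMENT = re.compile(
    r"(?i)\b(\w*(?:key|token|secret|passw(?:or)?d)\w*)\s*[:=]\s*[\"']([^\"']{16,})[\"']"
)
PLACEHOLDERS = ("CHANGE_ME", "REPLACE", "EXAMPLE", "YOUR_", "XXXX")
ENTROPY_THRESHOLD = 3.5  # bits per character; English words score well below this


def shannon_entropy(s: str) -> float:
    """Shannon entropy of s in bits per character (0.0 for an empty string)."""
    if not s:
        return 0.0
    probs = [s.count(c) / len(s) for c in set(s)]
    return -sum(p * math.log2(p) for p in probs)


def is_placeholder(value: str) -> bool:
    """Suppress obvious placeholders so they do not surface as findings."""
    return any(marker in value.upper() for marker in PLACEHOLDERS)


def scan(source: str) -> list[tuple[int, str, str]]:
    """Return (line_number, finding_type, value) for each suspected secret."""
    findings = []
    for lineno, line in enumerate(source.splitlines(), start=1):
        hits = [(kind, m) for kind, p in PATTERNS.items() for m in p.finditer(line)]
        for kind, m in hits:
            findings.append((lineno, kind, m.group(1) if m.groups() else m.group(0)))
        if hits:
            continue  # a format-specific match already explains this line
        m = ASSIGNMENT.search(line)
        if m and not is_placeholder(m.group(2)) and shannon_entropy(m.group(2)) >= ENTROPY_THRESHOLD:
            findings.append((lineno, "high_entropy_" + m.group(1).lower(), m.group(2)))
    return findings


# Constructed sample lines; every value is fake.
SAMPLE_SOURCE = """\
DATABASE_URL = "postgres://app:hunter2@db.internal:5432/prod"
AWS_ACCESS_KEY_ID = "AKIA0123456789ABCDEF"
api_token = "x9Qv3pLm7ZrT2wNk8HsJ4bYc6DfG1aUe"
stripe_key = "CHANGE_ME_BEFORE_DEPLOYING"
environment = "production"
"""
```

`scan(SAMPLE_SOURCE)` reports the connection-string password, the AWS key ID and the high-entropy `api_token`, while the placeholder and the non-secret `environment` value are left alone.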
BLAST is powered by Corgea's proprietary CodeIQ technology, combining AI with Abstract Syntax Trees (ASTs) for comprehensive analysis:
BLAST parses the entire project to build a complete picture of code component interactions, ensuring no vulnerabilities are missed. The AI engine understands code context, including middleware, configurations, and templates. Context and logic understanding reduces false positives common in traditional tools.

Traditional static analysis techniques have significant limitations:

- Source-sink analysis misses validation steps
- Call-graphs miss runtime behaviors
- Vector search and RAG suffer from overgeneralization

BLAST integrates into the development workflow at several points:

- **CI/CD Pipelines**: Automatic scanning at commits/PRs
- **Pull Request Reviews**: Pre-merge vulnerability analysis
- **IDE Integration**: Real-time feedback during development

Supported languages:

- C#
- Python
- Ruby
- Go
- JavaScript
- TypeScript
- Java

Supported frameworks:

- .NET
- Django
- Ruby on Rails
- Node.js
- Spring
- Flask
- And more...