Shauli Zacks
Published on: January 9, 2025
SafetyDetectives recently had the privilege of interviewing Dan Chernov, the CEO and creator of DerScanner. With a background in cybersecurity consulting and a passion for innovation, Dan has dedicated his career to developing cutting-edge solutions for application security. DerScanner is a comprehensive platform that integrates multiple security testing methodologies to address the complex and evolving challenges of modern software development. In this insightful interview, Dan shares the journey behind DerScanner, the importance of a multifaceted approach to security, and his predictions for the future of application security.
To start, can you tell us a bit about your background and what led to you inventing DerScanner?
My name is Dan, and I have a degree in cybersecurity. I began my career as a cybersecurity consultant, earning global certifications like Chief Information Systems Auditor (CISA) by ISACA and Certified Information Systems Security Professional (CISSP) by (ISC)². My work involved conducting cybersecurity audits, including ISO 27001 evaluations, and assessing companies’ technical security across the United States, Europe, the Middle East, and the APAC region.
Around ten years ago, I noticed a growing demand for application security and began incorporating application security audits into our portfolio. Initially, we performed these audits manually, using scripts and standalone tools we created to assist with assessments and reporting. However, we found that existing application tools didn’t fully meet customer demands. Recognizing this gap, we decided to consolidate our assets into a single product. Our mission was clear: to provide a scientifically powered platform for application security that wasn’t just marketing fluff but truly rooted in scientific rigor. The key algorithms in DerScanner are based on my scientific research, covered by a U.S. patent, and designed for delivery as both on-premises software and SaaS.
DerScanner combines multiple security testing methodologies, like SAST, DAST, and SCA. From your perspective, how do these methods complement each other, and why is it important for companies to implement a multifaceted security approach?
Application security isn’t just a tool or a process; it’s a culture and a lifestyle. Imagine someone trying to get fit—working out alone won’t suffice if their eating habits aren’t aligned. Similarly, application security requires a combination of methodologies to be effective.
DerScanner incorporates SAST (Static Application Security Testing) to identify vulnerabilities in the code as soon as it’s developed. For instance, when a new piece of code is submitted to the repository, our system performs an incremental scan and delivers results using a shift-left approach. This ensures issues are caught early.
Modern development also relies heavily on third-party libraries, which introduces supply chain risks. Our SCA (Software Composition Analysis) model assesses these libraries, identifying vulnerabilities, license risks, and dependency trees. This helps organizations understand the risks tied to the components they’re integrating.
DAST (Dynamic Application Security Testing) adds another layer by testing applications in live environments. It simulates ethical hacking attacks under different conditions, providing insights into the application’s real-world resilience. These methodologies complement each other by correlating vulnerabilities found across different stages of development and testing, offering a comprehensive view of risks. Together, they form a “full house” of application security.
Given the increasing focus on supply chain security, how is DerScanner addressing these concerns, and why do you think supply chain vulnerabilities have become such a significant threat today?
Supply chain vulnerabilities are a popular entry point for hackers because they bypass traditional perimeter defenses. Over the past few decades, organizations have strengthened their perimeters, making direct attacks less effective. However, developers often integrate third-party components to speed up development and reduce costs, unintentionally introducing risks.
Hackers exploit this by compromising these components, embedding threats that infiltrate systems undetected. Classic SCA tools often miss vulnerabilities, especially zero-day exploits. To counter this, DerScanner employs an AI-driven engine to continuously scan repositories like GitHub. We assess metrics such as library popularity, author history (e.g., involvement in malicious activity), community engagement, and recent updates. These factors contribute to a security score ranging from 0 to 5, helping users make informed decisions about which libraries to trust.
As part of our commitment to the community, we offer a free-of-charge service for preventing supply chain risks and picking safe packages for your projects: https://healthypackage.ai/. The scoring system works pretty similarly to the commercial SCA version in DerScanner, but it’s a great starting point for your open source security journey.
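An illustrative trust scorer built from the four factors named in the previous answer (popularity, author history, community engagement, recency of updates) mapped onto a 0 to 5 scale. This is an added example, not DerScanner's or healthypackage.ai's actual algorithm; the weights, the hard cap for a flagged maintainer, the review threshold and the PackageFacts fields are all assumptions, and the sample packages are constructed.

```python
import math
from dataclasses import dataclass


@dataclass
class PackageFacts:
    """Constructed metadata for one third-party library (fields are assumptions)."""
    name: str
    monthly_downloads: int            # popularity signal
    author_flagged_malicious: bool    # maintainer linked to past malicious activity
    issues_answered_ratio: float      # 0.0-1.0, proxy for community engagement
    days_since_last_release: int      # recency of updates


def score_package(p: PackageFacts) -> float:
    """Return a 0-5 trust score. Weights are illustrative, not a vendor formula."""
    # Popularity on a log scale, saturating at one million downloads per month.
    popularity = min(math.log10(max(p.monthly_downloads, 1)) / 6.0, 1.0)
    engagement = max(0.0, min(p.issues_answered_ratio, 1.0))
    # Freshness: full credit within 90 days, decaying to zero after about two years.
    freshness = max(0.0, 1.0 - max(p.days_since_last_release - 90, 0) / 640.0)
    raw = 5.0 * (0.4 * popularity + 0.3 * engagement + 0.3 * freshness)
    # Author history is treated as a hard cap rather than a weighted term:
    # a popular, well-maintained package from a flagged maintainer must not score well.
    if p.author_flagged_malicious:
        raw = min(raw, 1.0)
    return round(raw, 2)


def review_dependencies(pkgs, threshold=3.0):
    """Return (name, score) for packages below the threshold, for blocking or manual review."""
    return [(p.name, score_package(p)) for p in pkgs if score_package(p) < threshold]


# Constructed sample dependency list.
SAMPLE = [
    PackageFacts("widely-used-lib", 2_000_000, False, 0.9, 30),
    PackageFacts("abandoned-lib", 1_000, False, 0.2, 800),
    PackageFacts("popular-but-flagged", 2_000_000, True, 0.9, 30),
]

if __name__ == "__main__":
    for p in SAMPLE:
        print(f"{p.name}: {score_package(p)}")
    print("needs review:", review_dependencies(SAMPLE))
```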
Application security is a dynamic and fast-evolving field. What emerging trends or challenges do you see on the horizon, and how should companies start preparing for these shifts?
The volume of developed code is growing exponentially, and with AI-powered tools entering the scene, this growth is accelerating. AI allows developers to generate code quickly, but security often takes a backseat. AI prioritizes speed and results based on user prompts, with little regard for security. In the coming years, we anticipate an increase in attacks targeting AI-generated code and the platforms delivering it. Attackers will attempt to manipulate these systems, injecting vulnerabilities that compromise security.
Organizations must prepare by embedding robust application security practices into their development processes. Building a culture of security is essential to mitigate the risks associated with AI-driven development and the increasing complexity of supply chains.
Looking ahead, what are some key areas where you see DerScanner or similar security solutions making a lasting impact on the industry in the next five years?
We position DerScanner as a solution for pragmatic teams, the ones who don’t want to compromise on security but want to make a smart purchasing decision. DerScanner works best for companies that value privacy and full control over their deployments, which is very rare nowadays when the majority of solutions are cloud-only. DerScanner is proud to keep taking care of the teams that use both modern and historically significant programming languages (up to 43 languages in total are now supported). So you can secure modern and even legacy applications.
We’re expanding DerScanner’s capabilities beyond security to address code quality. In addition to identifying vulnerabilities, our platform will offer recommendations to improve code quality, making it smoother, more reliable, and easier to maintain. Our R&D teams are also exploring new AI-driven approaches to provide actionable insights and optimize code development. By focusing on both security and quality, we aim to set a new standard for comprehensive application development solutions.