Achieving Software Assurance with Hybrid Analysis Mapping

Jan 15, 2017

Denim Group

Transcript
Page 1: Achieving Software Assurance with Hybrid Analysis Mapping
Page 2: Achieving Software Assurance with Hybrid Analysis Mapping

2016 | Cyber Security Division R&D SHOWCASE AND TECHNICAL WORKSHOP

Achieving Software Assurance with Hybrid Analysis Mapping

Denim Group
Dan Cornell, CTO

February 17, 2016

Page 3: Denim Group Team Profile

- Denim Group:
  - Secure software services and products company
    - Builds secure software
    - Helps organizations assess and mitigate risk of in-house developed and third party software
- Team:
  - Principal Investigator: Dan Cornell
    - Software developer by background
    - Software security researcher
  - Team: Software engineers trained in software security

Page 4: Why Software Assurance

- Software is integral to critical infrastructure
- These days everything actually IS software
- Software systems have significant vulnerabilities that expose critical infrastructure to exploitation
- Nation states, organized crime, chaotic actors and other threats target software

Page 5: Software Assurance Testing

- Static Application Security Testing (SAST)
  - Testing software "at rest"
  - Evaluating source code, binary code
- Dynamic Application Security Testing (DAST)
  - Testing running software
  - Exercise the software and see how it responds

Page 6: Need for Hybrid Analysis Mapping

- Major classes of automated analysis have both strengths and weaknesses
- Individual tools provide limited coverage when used in isolation
- Hybrid Analysis Mapping: Combining the results of different types of analysis and multiple tools allows for:
  - Better results triage
  - More sophisticated analysis

Page 7: Approach

- Initial goal: allow for the merging of SAST and DAST application vulnerability scan results
- Perform code analysis to create an attack surface model for the application
  - Link with the source code responsible
- Given DAST and SAST results for a given application: identify matches

Page 8: Implementation

Page 9: Benefits

- Manage large amounts of vulnerability data efficiently
  - Too many results, not enough analysts
  - Manual results merge by human analyst no longer required
  - Quickly triage:
    - Likelihood of false positive results
    - More severely exposed vulnerabilities
- Increase value of existing investments in SAST, DAST
- Emergent benefits:
  - Improve the quality of analysis
    - Use attack surface model to seed DAST scanners
  - Increase the speed of remediation
    - Query attack surface model to pinpoint source code location of vulnerabilities

Page 10: Benefits: SAST – DAST Merge

Page 11: Benefits: DAST Scanner Seeding

Page 12: Benefits: Line-of-Code Mapping
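The approach on page 7 and the three benefits on pages 9 to 12 (SAST–DAST merge, DAST scanner seeding, line-of-code mapping) all hang off one data structure, the attack surface model, and can be sketched in a few dozen lines. The following is an added example and is not ThreadFix code or Denim Group's implementation: the model format, the SAST and DAST finding formats, the file names and every sample finding are constructed assumptions, and a real implementation would derive the model by parsing the application's routing code rather than writing it out by hand.

```python
"""Toy Hybrid Analysis Mapping (HAM) merge of SAST and DAST results.
Added illustration, not ThreadFix code: the model, finding formats and all
sample data below are constructed for this example."""
import re
from urllib.parse import urlsplit

# Constructed attack surface model. A real HAM pass derives this by parsing the
# application's routing/controller code; here it is written out by hand. Each
# endpoint: URL template, method, parameter names, handler file and line range.
ATTACK_SURFACE = [
    {"path": "/login", "method": "POST", "params": {"user", "pass"},
     "file": "src/LoginController.java", "lines": (20, 45)},
    {"path": "/search", "method": "GET", "params": {"q", "page"},
     "file": "src/SearchController.java", "lines": (10, 60)},
    {"path": "/users/{id}", "method": "GET", "params": {"id"},
     "file": "src/UserController.java", "lines": (30, 55)},
]
# Constructed SAST findings (file, line, tainted parameter) ...
SAST_FINDINGS = [
    {"type": "SQL Injection", "file": "src/LoginController.java", "line": 31, "param": "user"},
    {"type": "XSS", "file": "src/SearchController.java", "line": 42, "param": "q"},
    {"type": "Path Traversal", "file": "src/ReportController.java", "line": 12, "param": "name"},
]
# ... and constructed DAST findings (URL, HTTP method, parameter).
DAST_FINDINGS = [
    {"type": "SQL Injection", "url": "http://app.example/login", "method": "POST", "param": "user"},
    {"type": "XSS", "url": "http://app.example/search?q=x", "method": "GET", "param": "q"},
    {"type": "XSS", "url": "http://app.example/users/42", "method": "GET", "param": "id"},
]

def _path_regex(template):
    """Compile a route template such as /users/{id} into an anchored regex."""
    parts = re.split(r"(\{[^/}]+\})", template)
    return re.compile("^" + "".join("[^/]+" if p.startswith("{") else re.escape(p)
                                    for p in parts) + "$")

def endpoint_for_dast(finding, model=ATTACK_SURFACE):
    """Place a DAST finding on the model by HTTP method and URL path."""
    path = urlsplit(finding["url"]).path
    return next((ep for ep in model if ep["method"] == finding["method"]
                 and _path_regex(ep["path"]).match(path)), None)

def endpoint_for_sast(finding, model=ATTACK_SURFACE):
    """Place a SAST finding on the model by source file and handler line range."""
    return next((ep for ep in model if ep["file"] == finding["file"]
                 and ep["lines"][0] <= finding["line"] <= ep["lines"][1]), None)

def merge_findings(sast=SAST_FINDINGS, dast=DAST_FINDINGS, model=ATTACK_SURFACE):
    """Merge on (endpoint, parameter, type); return (records, unmapped findings)."""
    merged, unmapped = {}, []
    for origin, findings, locate in (("sast", sast, endpoint_for_sast),
                                     ("dast", dast, endpoint_for_dast)):
        for f in findings:
            ep = locate(f, model)
            if ep is None:            # finding outside the modelled attack surface
                unmapped.append((origin, f))
                continue
            key = (ep["path"], f["param"], f["type"])
            rec = merged.setdefault(key, {
                "endpoint": ep["path"], "param": f["param"], "type": f["type"],
                "file": ep["file"], "lines": ep["lines"], "sources": set()})
            rec["sources"].add(origin)
            # Line-of-code mapping: SAST gives the exact line; for a DAST-only
            # record the model's handler file and line range still narrow the search.
            if origin == "sast":
                rec["line"] = f["line"]
            else:
                rec["url"] = f["url"]
    return list(merged.values()), unmapped

def triage(rec):
    """Triage label derived from which analyses produced the record."""
    if rec["sources"] == {"sast", "dast"}:
        return "confirmed"      # in the code and reproduced at runtime: fix first
    if rec["sources"] == {"dast"}:
        return "dynamic-only"   # reachable; the model says which file to open
    return "static-only"        # not reproduced: possible false positive/unreachable

def seed_urls(base, model=ATTACK_SURFACE):
    """DAST seed list from the model: every endpoint with its known parameter
    names, so the scanner need not crawl or guess. Path placeholders become "1"."""
    seeds = []
    for ep in model:
        path_params = set(re.findall(r"\{([^/}]+)\}", ep["path"]))
        path = re.sub(r"\{[^/}]+\}", "1", ep["path"])
        query = "&".join(p + "=" for p in sorted(ep["params"] - path_params))
        seeds.append((ep["method"], base + path + ("?" + query if query else "")))
    return seeds

if __name__ == "__main__":
    records, leftovers = merge_findings()
    for r in records:
        print(triage(r), r["type"], r["endpoint"], r["param"], r["file"], r.get("line"))
    for origin, f in leftovers:
        print("unmapped", origin, f["type"])
    print(seed_urls("http://app.example"))
```

Running it places the two findings that both tools report (SQL injection on the login user parameter, XSS on the search q parameter) in the "confirmed" bucket with an exact source line, leaves the DAST-only XSS on /users/{id} as "dynamic-only" but already pointed at the handler file and line range, and reports the SAST finding in a controller the model does not know about as unmapped, which is itself useful: either the model is incomplete or the code is not reachable from the application's attack surface. The seed list is the page 11 benefit in its simplest form, a complete set of endpoints and parameter names handed to the dynamic scanner instead of discovered by crawling.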

Page 13: Market Need

- Individual tools do not provide enough insight
  - Gaps in coverage
  - Strengths and weaknesses of SAST and DAST when used individually
- Manually combining results is not feasible
  - Extremely time-consuming
  - Cyber talent shortage
- Need better tools providing deeper analysis
  - Combining analysis allows discovery of new vulnerabilities

Page 14: Transition Activities

- HAM technology has been included in Denim Group's ThreadFix software assurance program management platform
  - Used by Software Assurance teams
  - ThreadFix Community (open source)
    - https://github.com/denimgroup/threadfix
  - ThreadFix Enterprise (commercial)
    - http://www.threadfix.org/
- 3200+ downloads
- Working with pilot users
  - Financial services, Federal

Page 15: What Can You Do?

- Running a Software Assurance program?
  - Request a demo of ThreadFix
    - Software assurance program management
    - Incorporating HAM into your program
- Building Software Assurance tools?
  - License HAM technology
    - Augment application security testing technologies
    - Support IV&V efforts

Page 16: Contact Information

Dan Cornell
Denim Group
[email protected]
(210) 572-4400
@danielcornell

Page 17: Achieving Software Assurance with Hybrid Analysis Mapping