/ / Application Security Testing, Software Assurance
Application Security Testing, Software Assurance 2017-06-22T10:12:52+00:00

Secure Decisions has built a comprehensive portfolio of R&D and commercially available software tools for application security.

Application Security Threat Attack Modeling

The ASTAM System

ASTAM

The Application Security Threat Attack Modeling (ASTAM) program is a new U.S. Department of Homeland Security (DHS) Science and Technology Directorate funded project to improve the state of software assurance. Its goal is to produce a suite of software, the majority of which will be open-source, to automate many of the resource-intensive processes used to ensure that software is secure. ASTAM will automate the correlation of results from both static and dynamic application security testing tools and parts of the application security threat modeling process. It will include an application attack simulator so that software assurance professionals can adequately assess vulnerabilities on their application’s attack surface, and a central console designed for continuous security monitoring. The finished program will also include improved ways to deploy countermeasures prior or during attacks.

ASTAM will include four separate modules in a Unified Threat Management system. These modules include:

  1. Hybrid Analysis Mapping, which combines both static and dynamic application security testing tools
  2. Application Threat Modeling, which assesses the ways in which applications can be attacked by decomposing the application
  3. Attack Simulation and Countermeasures, which provides tools to automate penetration testing and attack simulation capabilities that identify weaknesses
  4. Continuous Monitoring and Assessment, which provides a continuous monitoring dashboard that visually reports application threats, weaknesses, and vulnerabilities in real-time, and further provides a rapid countermeasure deployment capability to known vulnerabilities using existing network and application security firewalls.

Application Security Testing / Software Assurance

Code Ray

Hybrid Analysis Mapping

Two methods for analyzing software security risks are dynamic application security testing (DAST), an outside-in perspective, and static application security testing (SAST), an inside-out perspective. Both have shortfalls. DAST findings do not give insight into the root cause, making remediation time-consuming. SAST tools give you full breadth, but warn of weaknesses that are not exploitable.

Correlating the results of SAST and DAST can overcome these individual challenges. Secure Decisions is currently engaged in a DHS-funded Phase II SBIR program entitled Code Ray: Software Assurance Risk Management Framework for Hybrid Analysis Mapping, to produce a hybrid analysis method that can be incorporated into Code Dx and into the DHS SWAMP.

The anticipated end result of this R&D program will (1) improve speed, accuracy and confidence in detection of vulnerabilities by cross-mapping and normalizing the output of hybrid techniques – dynamic analysis, dynamic tracing, static analysis, and static contextual analysis; (2) enhance prioritization and mitigation of vulnerabilities by providing both the run-time context for those vulnerabilities and their mapping to security standards; and (3) improve the rapid comprehension and assessment of risks associated with vulnerabilities by delivering results in a simplified risk-management framework. Please review our factsheet to learn more about Code Ray.

Code Ray Presentation
Hybrid analysis
Code Dx Enterprise

Code Dx Enterprise

Software Vulnerability Management System

Code Dx is a software suite that combines and correlates vulnerabilities discovered from separate application security testing tools and techniques. Originally begun as a Small Business Innovation Research project from Department of Homeland Security, Code Dx was first created to fill in the gaps left by using tools individually. Because each application security testing tool and technique only finds a relatively small subset of vulnerabilities, there was a dire need for a solution to ensure maximum attack surface coverage. Rather than attempt to provide an automated testing tool that can only focus on a few types of vulnerabilities, Secure Decisions designed Code Dx to integrate with a wide variety of other tools and techniques, and combine and correlate the results of each in a single, unified interface. Code Dx normalizes the results from multiple tools, techniques, and formats; the end result is a clear, concise view of specific vulnerabilities that are immediately actionable, which is immensely helpful to software security and quality assurance professionals.

After the research period was completed, Secure Decisions successfully transitioned the Code Dx software suite into a commercial product, and spun off a separate company, Code Dx, Inc. to continue support for it. For more information, visit CodeDx.com.

Code Pulse

Penetration testing has proven to be a valuable preventive application security technique. A variety of automated tools and manual approaches are used to assess and expose vulnerabilities in target applications. By definition, black box testing offers little insight into the internals of target applications. Therefore, understanding the code coverage and testing overlap, or perhaps more importantly the coverage boundaries, has often been difficult to ascertain. Secure Decisions has built a free open source tool, Code Pulse, to help overcome these challenges. Code Pulse is a visualization-centric tool that provides insight into the real-time code coverage of black box testing activities. It is a desktop application that runs on most major platforms. Code Pulse has been transitioned into an OWASP project. For more information, please visit the Code Pulse OWASP Project page.

Code Pulse

CWE-Vis

Common Weakness Enumeration Visualization

CWE-Vis is a resource made available to the software assurance community to explore and learn about weaknesses in software. It provides visualizations and interactions with MITRE’s Common Weakness Enumeration (CWE), an international standard created to define a dictionary of software weaknesses. The CWE greatly facilitates the discussion and collaboration in efforts revolving around the always-present quest to improve software systems. CWE-Vis helps users familiarize themselves with the CWE through visual means. High-level CWE structures and detailed relationship graphs are displayed visually helping users gain a better and quicker understanding of the CWE. Powerful filtering and searching is made available to allow users to focus in on the details of how weaknesses can be manifested in source code and ways to avoid and fix them.

Software Assurance Marketplace (SWAMP)

Secure Decisions has developed several professional partnerships and teamed with leaders in the Software Assurance community.

The SWAMP is a forward-looking effort to improve the state of secure software development, particularly for open source projects. Developed by Morgridge and funded by DHS it is a relatively recent effort that will be offering its initial capability in early 2014.

SWAMP logo