Software Assurance, Application Security Testing and Hybrid Analysis Mapping
Secure Decisions maintains a comprehensive portfolio of professionally developed software tools for use within the Software Assurance / Application Security Testing community:
The Application Security Threat Attack Modeling (ASTAM) program is an open source system that automates and guides vulnerability management for web application security professionals. ASTAM, currently under development, will provide tools to detect and confirm vulnerabilities early in the development process (while they remain simpler and less expensive to address), and allow continuous monitoring for security threats throughout the software development lifecycle.
ASTAM will include four separate modules into a Unified Threat Management system, viewable and usable from a single console. These modules include Hybrid Analysis Mapping (HAM), which combines both static and dynamic application security testing tools; Application Threat Modeling (ATM), which assesses the ways in which applications can be attacked by decomposing the application; Attack Simulation and Countermeasures (ASC), which provides tools to automate penetration testing and attack simulation capabilities that identify weaknesses; and Continuous Monitoring and Assessment (CMA), which provides a continuous monitoring dashboard that visually reports application threats, weaknesses, and vulnerabilities in real-time, and further provides a rapid countermeasure deployment capability to known vulnerabilities using existing network and application security firewalls.
Secure Decisions’ Visual Analysis Tool visualizes and correlates weakness data from disparate code analysis tools, putting them into the proper context for effective triage and mitigation. The tool is aligned with the emerging concept of a vendor-agnostic Software Assurance ecosystem. The Visual Analysis Tool’s multi-faceted visualizations provide investigative flexibility to pinpoint high-priority problem areas within the analyzed codebases. SDLC integration is automated to augment the analysis with weakness traceability as well as to significantly speed up remediation by automating issue creation and tracking. For detailed information about Code Dx, visit www.CodeDx.com.
Penetration testing has proven to be a valuable preventative application security technique. A variety of automated tools and manual approaches are used to assess and expose vulnerabilities in target applications. By definition, black box testing offers little insight into the internals of target applications. Therefore, understanding the code coverage and testing overlap, or perhaps more importantly the coverage boundaries, has often been difficult to ascertain. Secure Decisions has built a free open source tool, Code Pulse, to help overcome these challenges. Code Pulse is a visualization-centric tool that provides insight into the real-time code coverage of black box testing activities. It is a desktop application that runs on most major platforms. Code Pulse is an OWASP project. For more information, please visit the Code Pulse OWASP Project page.
Two methods for analyzing software security risks are dynamic application security testing (DAST) – an outside-in perspective – and static application security testing (SAST) – an inside-out perspective. Both have shortfalls. DAST findings do not give insight into the root cause, making remediation time consuming. SAST tools give you full breadth, but warn of weaknesses that are not exploitable.
Correlating the results of SAST and DAST can overcome these individual challenges. Secure Decisions is currently engaged in a DHS-funded Phase II SBIR program entitled Code Ray: Software Assurance Risk Management Framework for Hybrid Analysis Mapping, to produce a hybrid analysis method that can be incorporated into Code Dx and into the DHS SWAMP.
The anticipated end result of this R&D program will (1) improve speed, accuracy and confidence in detection of vulnerabilities by cross-mapping and normalizing the output of hybrid techniques – dynamic analysis, dynamic tracing, static analysis, and static contextual analysis; (2) enhance prioritization and mitigation of vulnerabilities by providing both the run-time context for those vulnerabilities and their mapping to security standards; and (3) improve the rapid comprehension and assessment of risks associated with vulnerabilities by delivering results in a simplified risk-management framework. Please review our datasheet to learn more about Code Ray.
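The correlation idea behind hybrid analysis mapping can be shown in miniature: DAST findings are keyed by HTTP method, path and parameter, SAST findings by file, line and CWE, and a route-to-handler mapping (the "static contextual analysis" step) joins the two. A finding present on both sides is confirmed exploitable with a known root cause; a DAST-only finding is exploitable but lacks a code location; a SAST-only finding is unconfirmed and can be deprioritized. The following Python is an added illustration written for this page, not Code Ray's or Code Dx's code; the route table, the findings, the CWE-based join and the parameter-name tie-breaker are all constructed assumptions.

```python
"""Toy hybrid analysis mapping: join outside-in (DAST) and inside-out (SAST)
findings through a route-to-code mapping. Illustrative example; all data is
constructed and the matching rules are assumptions, not a product's logic."""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class SastFinding:
    file: str
    line: int
    cwe: int
    parameter: Optional[str] = None  # tainted input name, if the SAST tool reports one


@dataclass(frozen=True)
class DastFinding:
    method: str
    path: str
    parameter: str
    cwe: int


# Constructed route table standing in for static contextual analysis output:
# (HTTP method, path regex) -> handler source file.
ROUTES = [
    ("GET", r"^/users/(?P<id>[^/]+)$", "app/users.py"),
    ("POST", r"^/search$", "app/search.py"),
    ("GET", r"^/health$", "app/health.py"),
]


def resolve_handler(method: str, path: str) -> Optional[str]:
    """Map a request seen by the DAST tool to the code that handled it."""
    for route_method, pattern, handler in ROUTES:
        if route_method == method and re.match(pattern, path):
            return handler
    return None


def correlate(sast: List[SastFinding], dast: List[DastFinding]) -> Tuple[
    List[Tuple[DastFinding, SastFinding]], List[DastFinding], List[SastFinding]
]:
    """Return (confirmed pairs, DAST-only findings, SAST-only findings)."""
    confirmed, dast_only, matched = [], [], set()
    for d in dast:
        handler = resolve_handler(d.method, d.path)
        # Same handler file and same CWE; a SAST parameter name, when present, must agree.
        candidates = [
            s for s in sast
            if s.file == handler and s.cwe == d.cwe
            and (s.parameter is None or s.parameter == d.parameter)
        ]
        if candidates:
            # Prefer the candidate whose tainted parameter name matches exactly.
            best = sorted(candidates, key=lambda s: s.parameter != d.parameter)[0]
            confirmed.append((d, best))
            matched.add(best)
        else:
            dast_only.append(d)
    sast_only = [s for s in sast if s not in matched]
    return confirmed, dast_only, sast_only


def triage(sast: List[SastFinding], dast: List[DastFinding]) -> List[dict]:
    """Produce a prioritized worklist: confirmed first, then exploitable-but-unlocated,
    then unconfirmed static warnings."""
    confirmed, dast_only, sast_only = correlate(sast, dast)
    rows = [
        {"priority": 1, "cwe": s.cwe, "location": f"{s.file}:{s.line}",
         "evidence": f"{d.method} {d.path} param={d.parameter}"}
        for d, s in confirmed
    ]
    rows += [
        {"priority": 2, "cwe": d.cwe, "location": "unknown (root cause not mapped)",
         "evidence": f"{d.method} {d.path} param={d.parameter}"}
        for d in dast_only
    ]
    rows += [
        {"priority": 3, "cwe": s.cwe, "location": f"{s.file}:{s.line}",
         "evidence": "static only, not reached by dynamic testing"}
        for s in sast_only
    ]
    return sorted(rows, key=lambda r: r["priority"])


# Constructed sample findings (not real tool output).
SAST_FINDINGS = [
    SastFinding("app/search.py", 42, 89, "q"),
    SastFinding("app/search.py", 77, 79),
    SastFinding("app/users.py", 15, 89, "id"),
    SastFinding("app/legacy.py", 9, 89, "name"),   # no route reaches this file
]
DAST_FINDINGS = [
    DastFinding("POST", "/search", "q", 89),
    DastFinding("POST", "/search", "q", 79),
    DastFinding("GET", "/users/123", "id", 89),
    DastFinding("GET", "/health", "verbose", 79),  # nothing static to pair with
]

if __name__ == "__main__":
    for row in triage(SAST_FINDINGS, DAST_FINDINGS):
        print(row)
```

Running the block prints five rows: three priority-1 findings with a file and line attached to a reproducing request, one priority-2 DAST finding whose handler has no matching static warning, and one priority-3 static warning in a file no route reaches. A real mapping would also normalize CWE ids across tools and account for framework-level routing, which this example deliberately omits.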
CWE-Vis is a resource made available to the software assurance community to explore and learn about weaknesses in software. It provides visualizations and interactions with MITRE’s Common Weakness Enumeration (CWE), an international standard created to define a dictionary of software weaknesses. The CWE greatly facilitates the discussion and collaboration in efforts revolving around the always-present quest to improve software systems. CWE-Vis helps users familiarize themselves with the CWE through visual means. High-level CWE structures and detailed relationship graphs are displayed visually helping users gain a better and quicker understanding of the CWE. Powerful filtering and searching is made available to allow users to focus in on the details of how weaknesses can be manifested in source code and ways to avoid and fix them.
Secure Decisions has developed several professional partnerships and teamed with leaders in the Software Assurance community:
Software Assurance Marketplace (SWAMP)
The SWAMP is a forward-looking effort to improve the state of secure software development, particularly for open source projects. Developed by Morgridge and funded by DHS, it is a relatively recent effort that will be offering its initial capability in early 2014. To learn more, please visit the SWAMP site.
The fifth occurrence of the (almost) annual Static Analysis Tool Exposition (SATE) is underway. Run by NIST, this year’s tool exposition is currently in its planning stages and will run through the end of the year. Static analysis tool vendors run their tools on prepared test data sets to demonstrate the utility of their tools on real-world projects, as well as to help advance the overall state of the art by providing large data sets for empirical research. To learn more, please visit the SATE V site.