Software Assurance

Code Dx

Secure Decisions’ Visual Analysis Tool visualizes and correlates weakness data from disparate code analysis tools, putting them into the proper context for effective triage and mitigation. The tool is aligned with the emerging concept of a vendor-agnostic Software Assurance ecosystem. The Visual Analysis Tool’s multi-faceted visualizations provide investigative flexibility to pinpoint high priority problem areas within the analyzed codebases. SDLC integration is automated to augment the analysis with weakness traceability as well as significantly speed-up remediation by automating issue-creation and tracking.

 

Code Pulse

Code Pulse

Penetration testing has proven to be a valuable preventative application security technique. A variety of automated tools and manual approaches are used to assess and expose vulnerabilities in target applications. By definition, black box testing offers little insight into the internals of target applications. Therefore understanding the code coverage and testing overlap, or perhaps more importantly the coverage boundaries, has often been difficult to ascertain. Secure Decisions has built an open source tool, Code Pulse, to help overcome these challenges. Code Pulse is a visualization-centric tool that provides insight into the real-time code coverage of black box testing activities. It is a desktop application that runs on most major platforms. Code Pulse is an OWASP project. For more information, please visit the Code Pulse OWASP Project page.
 

Code Ray

Code Ray
 
Two methods for analyzing software security risks are dynamic application security testing (DAST) – an outside-in perspective – and static application security testing (SAST) – an inside-out perspective. Both have shortfalls. DAST findings do not give insight into the root cause, making remediation time consuming. SAST tools give you full breadth, but warn of weaknesses that are not exploitable.

Correlating the results of SAST and DAST can overcome these individual challenges. Secure Decisions is currently engaged in a DHS-funded Phase I SBIR program entitled Code Ray: Software Assurance Risk Management Framework for Hybrid Analysis Mapping, to produce a hybrid analysis method that can be incorporated into Code Dx and into the DHS SWAMP.

The anticipated end result of this R&D program will (1) improve speed, accuracy and confidence in detection of vulnerabilities by cross-mapping and normalizing the output of hybrid techniques – dynamic analysis, dynamic tracing, static analysis, and static contextual analysis; (2) enhance prioritization and mitigation of vulnerabilities by providing both the run-time context for those vulnerabilities and their mapping to security standards; and (3) improve the rapid comprehension and assessment of risks associated with vulnerabilities by delivering results in a simplified risk-management framework.

 
CWE-Vis

Common Weakness Enumeration Visualization (CWE-Vis)

CWE-Vis is a resource made available to the software assurance community to explore and learn about weaknesses in software. It provides visualizations and interactions with MITRE’s Common Weakness Enumeration (CWE), an international standard created to define a dictionary of software weaknesses. The CWE greatly facilitates the discussion and collaboration in efforts revolving around the always-present quest to improve software systems. CWE-Vis helps users familiarize themselves with the CWE through visual means. High-level CWE structures and detailed relationship graphs are displayed visually helping users gain a better and quicker understanding of the CWE. Powerful filtering and searching is made available to allow users to focus in on the details of how weaknesses can be manifested in source code and ways to avoid and fix them.

Software Assurance Marketplace (SWAMP)

The SWAMP is a forward-looking effort to improve the state of secure software development, particularly for open source projects. Developed by Morgridge and funded by DHS it is a relatively recent effort that will be offering its initial capability in early 2014. To learn more please visit the SWAMP site.

 SATE V

The fifth occurrence of the (almost) annual Static Analysis Tool Exposition (SATE) is underway. Run by NIST, this year’s tool exposition is currently in its planning stages and will run through the end of the year. Static analysis tool vendors run their tools on prepared test data sets to demonstrate the utility of their tools on real-world projects as well as help advance the overall state-of-the-art by providing large data sets for empirical research. To learn more please visit the SATE V site.