Secure Decisions’ Visual Analysis Tool visualizes and correlates weakness data from disparate code analysis tools, putting the findings into the context needed for effective triage and mitigation. The tool is aligned with the emerging concept of a vendor-agnostic Software Assurance ecosystem. Its multi-faceted visualizations give analysts the investigative flexibility to pinpoint high-priority problem areas within the analyzed codebases. SDLC integration is automated, both to augment the analysis with weakness traceability and to significantly speed up remediation by automating issue creation and tracking.
Secure Decisions is exploring the potential of bringing dynamic traces into static analysis workflows. We are calling the project Code Pulse and the technique dynamic-augmented static source analysis. By definition, static source code analysis tools have limited insight into the runtime behavior of the code they analyze, yet the exploitability of an application ultimately depends on how it behaves during execution. When execution context is ignored during static analysis, the burden of determining the relevance and priority of each identified weakness falls on users wading through voluminous results. Code Pulse fuses dynamic traces with static source code analysis so that prioritization and remediation can focus on the static findings that are actually reached at runtime, making vulnerability analysis more efficient and effective.
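One concrete way the two ideas above (correlating findings from disparate tools, then fusing them with a dynamic trace) can be put together, as an added example that is not part of this page and is not the Visual Analysis Tool's or Code Pulse's own code: findings from two hypothetical analyzers with different output formats are normalized onto a common (file, line, CWE) key, a constructed method-level execution trace is parsed, and each finding is ranked by whether its code was executed, how many tools agree on it, and how often the enclosing method was entered. The two record formats, the trace format, the file and method names and all sample data are constructed for illustration.

```python
"""Added example (not Secure Decisions' code): correlate static findings from
two tools, then prioritize them with a dynamic execution trace."""
from collections import defaultdict

# Constructed sample output from two hypothetical static analyzers.
# Tool "alpha" reports flat records; tool "beta" packs the location into one string.
ALPHA_FINDINGS = [
    {"cwe": "CWE-89", "file": "app/db.py", "line": 42},
    {"cwe": "CWE-79", "file": "app/views.py", "line": 17},
    {"cwe": "CWE-22", "file": "app/files.py", "line": 88},
]
BETA_FINDINGS = [
    {"rule": "CWE-89", "location": "app/db.py:42"},
    {"rule": "CWE-78", "location": "app/admin.py:130"},
]

# Constructed runtime trace: one row per instrumented method, giving the line
# span it occupies and how many times it was entered while a test suite
# (or a DAST crawl) exercised the application. Methods never instrumented
# (app/admin.py here) simply do not appear.
TRACE = """\
app/db.py:query_user 38-55 hits=12
app/views.py:render_profile 10-30 hits=12
app/files.py:export_report 80-95 hits=0
"""


def normalize(alpha, beta):
    """Merge both tools' records into one map keyed by (file, line, cwe)
    whose value is the set of tools that reported that weakness."""
    merged = defaultdict(set)
    for rec in alpha:
        merged[(rec["file"], rec["line"], rec["cwe"])].add("alpha")
    for rec in beta:
        path, _, line = rec["location"].rpartition(":")
        merged[(path, int(line), rec["rule"])].add("beta")
    return merged


def parse_trace(text):
    """Return (file, start_line, end_line, hits) tuples from the trace above."""
    spans = []
    for row in text.splitlines():
        if not row.strip():
            continue
        loc, rng, hits = row.split()
        path = loc.split(":")[0]
        start, end = (int(x) for x in rng.split("-"))
        spans.append((path, start, end, int(hits.split("=")[1])))
    return spans


def runtime_hits(path, line, spans):
    """Times a method containing this line was entered (0 = never executed)."""
    return sum(h for p, s, e, h in spans if p == path and s <= line <= e)


def prioritize(findings, spans):
    """Rank findings: executed code first, then corroborated by more tools,
    then by hit count; file/line keep the order deterministic."""
    ranked = []
    for (path, line, cwe), tools in findings.items():
        hits = runtime_hits(path, line, spans)
        ranked.append({"file": path, "line": line, "cwe": cwe,
                       "tools": sorted(tools), "hits": hits, "reached": hits > 0})
    ranked.sort(key=lambda f: (not f["reached"], -len(f["tools"]),
                               -f["hits"], f["file"], f["line"]))
    return ranked


def triage():
    """Run the whole pipeline on the constructed sample data."""
    return prioritize(normalize(ALPHA_FINDINGS, BETA_FINDINGS), parse_trace(TRACE))


if __name__ == "__main__":
    for f in triage():
        flag = "REACHED" if f["reached"] else "unreached"
        print(f"{flag:9} {f['cwe']:7} {f['file']}:{f['line']} "
              f"tools={','.join(f['tools'])} hits={f['hits']}")
```

With this data the SQL-injection finding both tools agree on in an executed method comes out first, the XSS finding in executed code second, and the two findings in code that was never entered sink to the bottom, which is exactly the triage order a reviewer wants when the result list is long. Note that "unreached" only means the test run did not exercise that code; it lowers priority rather than dismissing the finding.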
Common Weakness Enumeration Visualization (CWE-Vis)
CWE-Vis is a resource made available to the software assurance community to explore and learn about weaknesses in software. It provides visualizations of, and interactions with, MITRE’s Common Weakness Enumeration (CWE), a community-developed dictionary of software weakness types that has become a widely adopted standard. The CWE greatly facilitates discussion and collaboration in the ongoing effort to improve software systems. CWE-Vis helps users familiarize themselves with the CWE through visual means: high-level CWE structures and detailed relationship graphs are displayed graphically, giving users a better and quicker understanding of how the entries relate to one another. Powerful filtering and searching are available so that users can focus on the details of how weaknesses manifest in source code and on ways to avoid and fix them.
Software Assurance Marketplace (SWAMP)
The SWAMP is a forward-looking effort to improve the state of secure software development, particularly for open source projects. Developed by the Morgridge Institute for Research and funded by DHS, it is a relatively recent effort that will offer its initial capability in early 2014. To learn more, please visit the SWAMP site.
The fifth occurrence of the (almost) annual Static Analysis Tool Exposition (SATE) is underway. Run by NIST, this year’s exposition is currently in its planning stages and will run through the end of the year. Static analysis tool vendors run their tools on prepared test data sets to demonstrate the utility of their tools on real-world projects and to help advance the overall state of the art by providing large data sets for empirical research. To learn more, please visit the SATE V site.