Software Assurance

Code Dx

Secure Decisions’ Visual Analysis Tool visualizes and correlates weakness data from disparate code analysis tools, putting the findings into the proper context for effective triage and mitigation. The tool is aligned with the emerging concept of a vendor-agnostic Software Assurance ecosystem. The Visual Analysis Tool’s multi-faceted visualizations provide the investigative flexibility to pinpoint high-priority problem areas within the analyzed codebases. SDLC integration is automated to augment the analysis with weakness traceability and to significantly speed up remediation by automating issue creation and tracking.


Code Pulse

Secure Decisions is bringing dynamic traces to static analysis workflows. We’re calling this project Code Pulse, and the technique is dynamic-augmented static source analysis. By definition, static source code analysis tools have limited insight into the runtime behavior of the code they are analyzing. However, the exploitability of an application ultimately depends on how it behaves during execution. When execution context is ignored during static analysis, the burden of determining the relevance and priority of identified weaknesses is shouldered by the users wading through the voluminous results. Code Pulse fuses dynamic traces with static source code analysis for efficient and effective vulnerability analysis, focusing the prioritization and remediation of static software analysis results on the code that actually executes. For more information view the Code Pulse Datasheet.

Code Ray

Two methods for analyzing software security risks are dynamic application security testing (DAST) – an outside-in perspective – and static application security testing (SAST) – an inside-out perspective. Both have shortfalls. DAST findings give no insight into the root cause in the source, making remediation time consuming. SAST tools give full breadth of coverage, but also warn of weaknesses that are not exploitable.

Correlating the results of SAST and DAST can overcome these individual challenges. Secure Decisions is currently engaged in a DHS-funded Phase I SBIR program entitled Code Ray: Software Assurance Risk Management Framework for Hybrid Analysis Mapping, to produce a hybrid analysis method that can be incorporated into Code Dx and into the DHS SWAMP.

The anticipated end result of this R&D program will (1) improve speed, accuracy and confidence in detection of vulnerabilities by cross-mapping and normalizing the output of hybrid techniques – dynamic analysis, dynamic tracing, static analysis, and static contextual analysis; (2) enhance prioritization and mitigation of vulnerabilities by providing both the run-time context for those vulnerabilities and their mapping to security standards; and (3) improve the rapid comprehension and assessment of risks associated with vulnerabilities by delivering results in a simplified risk-management framework.
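The Code Pulse and Code Ray sections above both describe the same idea: using runtime evidence to rank static findings. The script below is an added illustration of that correlation logic, not Secure Decisions’ code; the tool names, paths, URLs and the trace format are constructed placeholders. It merges duplicate SAST findings from two tools, marks a finding "reachable" when the dynamic trace shows its line executing, and "confirmed" when a DAST finding with the same CWE was raised on a request whose trace covers that line.

```python
# Constructed sample data: two SAST tools, one DAST scanner and a runtime trace.
# Tool names, paths, URLs and trace format are placeholders, not real tool output.
SAST = [
    ("tool_a", "app/login.py", 42, 89),   # SQL injection sink (CWE-89)
    ("tool_b", "app/login.py", 42, 89),   # same weakness reported by a second tool
    ("tool_a", "app/search.py", 17, 79),  # XSS sink (CWE-79)
    ("tool_b", "app/admin.py", 8, 22),    # path traversal in code never exercised
]
# DAST findings as (request URL, CWE) pairs.
DAST = [("/login", 89)]
# Dynamic trace: source lines executed while each DAST request was served.
TRACE = {
    "/login": {("app/login.py", 40), ("app/login.py", 42)},
    "/search": {("app/search.py", 12), ("app/search.py", 17)},
}

RANK_ORDER = {"confirmed": 0, "reachable": 1, "unreached": 2}


def correlate(sast, dast, trace):
    """Merge duplicate SAST findings and rank each one by runtime evidence."""
    merged = {}
    for tool, path, line, cwe in sast:
        merged.setdefault((path, line, cwe), set()).add(tool)
    executed = set().union(*trace.values()) if trace else set()
    results = []
    for (path, line, cwe), tools in merged.items():
        loc = (path, line)
        rank = "unreached"
        if loc in executed:
            rank = "reachable"
            # Same CWE seen by DAST on a request whose trace passed through this line.
            if any(cwe == d_cwe and loc in trace.get(url, set()) for url, d_cwe in dast):
                rank = "confirmed"
        results.append({"file": path, "line": line, "cwe": f"CWE-{cwe}",
                        "tools": sorted(tools), "rank": rank})
    # Confirmed findings first, then reachable, then unreached; stable within a rank.
    results.sort(key=lambda r: (RANK_ORDER[r["rank"]], r["file"], r["line"]))
    return results


if __name__ == "__main__":
    for r in correlate(SAST, DAST, TRACE):
        print(r)
```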

CWE-Vis

Common Weakness Enumeration Visualization (CWE-Vis)

CWE-Vis is a resource made available to the software assurance community to explore and learn about weaknesses in software. It provides visualizations of, and interactions with, MITRE’s Common Weakness Enumeration (CWE), an international standard created to define a dictionary of software weaknesses. The CWE greatly facilitates discussion and collaboration in the ongoing effort to improve software systems. CWE-Vis helps users familiarize themselves with the CWE through visual means: high-level CWE structures and detailed relationship graphs are displayed visually, helping users gain a better and quicker understanding of the CWE. Powerful filtering and searching are available so users can focus on the details of how weaknesses manifest in source code and on ways to avoid and fix them.

Software Assurance Marketplace (SWAMP)

The SWAMP is a forward-looking effort to improve the state of secure software development, particularly for open source projects. Developed by Morgridge and funded by DHS, it is a relatively recent effort that will be offering its initial capability in early 2014. To learn more please visit the SWAMP site.

SATE V

The fifth occurrence of the (almost) annual Static Analysis Tool Exposition (SATE) is underway. Run by NIST, this year’s tool exposition is currently in its planning stages and will run through the end of the year. Static analysis tool vendors run their tools on prepared test data sets to demonstrate the utility of their tools on real-world projects, and the large result sets also help advance the overall state of the art by providing data for empirical research. To learn more please visit the SATE V site.