Visualization system correlates vulnerabilities from multiple software analysis tools to improve software security.
NORTHPORT, NY, November 18, 2010 – Researchers from Secure Decisions, a division of Applied Visions, Inc. and developer of visual analytic tools for cyber defense, presented “Visual Analysis of Code Security” at the 7th International Symposium on Visualization for Cyber Security (VizSec 2010). The symposium draws researchers and practitioners in information visualization and security and focuses on new visualization techniques to solve cyber security problems. This year VizSec was held in Ottawa, Canada on September 14th.
The paper, authored by Dr. John Goodall, Hassan Radwan, and Lenny Halseth, describes a software assurance visualization system that visually correlates the output of multiple software analysis tools to better identify vulnerabilities in software code. The researchers discuss how the prototype performed in compiling and visualizing the results of three software analysis tools run against a version of Apache Tomcat, resulting in ~34,000 detected vulnerabilities. Among the benefits cited from using the visualization system were:
– Improved understanding of the application’s overall security issues,
– Increased vulnerability detection with fewer false positives, and
– Better assessment of the most critical vulnerabilities.
The software assurance visualization prototype was developed under a Small Business Innovation Research award from the Department of Homeland Security (DHS). The project was conceived to address what DHS and the National Security Agency (NSA) have identified as key sources of cyber security issues. As Douglas Maughan, DHS Cyber Security Program Manager, states in ‘The need for a national cybersecurity R&D agenda’, “poorly written software is the root of all of our security problems.” While software analysis tools are available, none alone has been capable of finding all the vulnerabilities. Kris Britton, Technical Director at NSA, adds in Government Computer News, “No tool stands out as an uber-tool. Each has its strengths and weaknesses.”
Secure Decisions is committed to continuing its efforts to advance its visualization tool for improved software assurance. Planned initiatives include integrating more open-source and commercial software analysis and development tools, such as source code management and issue tracking, to streamline the development process while optimizing code security.
To learn more about the annual VizSec symposium, visit VizSec.org.
Proceedings of VizSec2010, including Secure Decisions’ paper ‘Visual analysis of code security’, published by the Association for Computing Machinery, are available from ACM’s Digital Library at http://portal.acm.org.
Douglas Maughan’s DHS report ‘The need for a national cybersecurity R&D agenda’ is also available from ACM’s Digital Library at http://portal.acm.org.
The Government Computer News article that reports on NSA’s study of the effectiveness of vulnerability assessment tools is at http://gcn.com/Articles/2007/03/18/All-for-one-but-not-one-for-all.aspx.
About Applied Visions and Secure Decisions
Applied Visions, Inc. (AVI) provides software products, custom solutions, and advanced technology research for commercial and government customers. The company’s vision and expertise in visual software solutions for complex defense, national security, and business problems have served AVI’s customers in the Department of Defense, Department of Homeland Security, Federal Bureau of Investigation, and prominent technology and Fortune 500 firms. Founded in 1987, AVI is based in Northport, NY, and has secure facilities and clearances to support classified government programs.
Secure Decisions was launched by AVI in 2000 to focus on cyber security research and products for the government. Today, Secure Decisions is a leader in security visualization, with an established track record of R&D contracts and product development. Secure Decisions’ products are used to enhance the situational awareness of senior officers, computer network defenders and other security professionals in government and commercial organizations. SecureScope®, VIAssist™, and MeerCAT® are among Secure Decisions’ extensive portfolio of cyber defense solutions.
For more information, please visit avi.com and securedecisions.avi.com.
All trademarks, trade names, service marks, and logos referenced herein belong to their respective parties.