Division of Applied Visions, Inc. to continue development of a software assurance risk management framework for supporting static and dynamic code analysis to help secure software developed for government, industry and academia.
NORTHPORT, New York, March 14, 2014– Secure Decisions, a division of Applied Visions and developer of visual analytic tools for cyber security, has received a Small Business Innovative Research (SBIR) Phase II award from the US Department of Homeland Security (DHS) to improve the security of software applications. Under this DHS Science & Technology (S&T) Directorate contract, Secure Decisions will continue development of the Code Ray™ software assurance risk management framework, to correlate the results of static and dynamic software analysis tools towards the goal of improving software vulnerability detection. The Code Ray technology will be incorporated into and extend Secure Decisions’ current Code Dx™ static source code analysis product. At the heart of the Code Ray technology is Secure Decisions’ dynamic tracing capability called Code Pulse™, which was funded under a prior effort to aid penetration testing of software applications, by DHS S&T Cyber Security Division BAA 11-02.
About Code Ray
Under a 24-month Phase II software development initiative, the Code Ray technology will be developed and matured as a software assurance risk management and visualization framework to help software developers, security analysts, and quality assurance engineers better identify and remediate software vulnerabilities within developed code bases. The tool will improve the analysis speed, accuracy and confidence in detection of vulnerabilities by cross-mapping and normalizing the output of hybrid techniques – dynamic application security testing (DAST) with static application security testing (SAST).
Using the DAST-to-SAST merged results, Code Ray will map and prioritize the correlated findings to selected industry security standards, such as FISMA, HIPAA, MISRA and PCI to help consumers understand and communicate the relevance and risks of software vulnerabilities to these widely recognized compliance standards.
“Hybrid application security testing, also known as HAST, will soon become a best practice approach in finding and remediating software vulnerabilities. It combines the value of dynamic and static techniques to expose the vulnerabilities software applications that are most exposed and visible to potential attackers,” said Mr. Kevin Greene, the Software Assurance program manager at DHS, S&T.
As the Code Ray technology matures, it will be added to Secure Decisions current software assurance product Code Dx™ to provide a more robust software assurance tool suite solution to customers seeking to improve the security and compliance posture of their existing and future code bases. . An educational version, to be offered free to qualified academic institutions, will serve as a resource to educate programmers and security analysts about the value of SAST, DAST and hybrid techniques for secure code development.
Code Ray’s hybrid analysis capabilities are also targeted for incorporation into DHS’s Software Assurance Marketplace (SWAMP), which is a cloud-based set of software assurance tools being developed by the Morgridge Institute for Research (http://continuousassurance.org/) for use by software developers, software assurance researchers and educators. “DHS aims to improve the security of the supply chain by offering free-of-charge a variety of software assurance technologies for evaluating the security of software applications, including hybrid techniques, through the SWAMP. We expect software developers and security analysts to use this capability to detect and remediate software vulnerabilities before they enter the supply chain.”
The Secure Decisions Code Ray development team will be joined by two top notch consultants: Dr. Robin Gandhi, Assistant Professor of Information Assurance at the Nebraska University Center on Information Assurance (NUCIA) at the University of Nebraska at Omaha (UNO), and Mr. Dave Wichers, COO and Co-Founder of Aspect Security, a consulting firm focused on application security and educating organizations about the ever-changing cyber threat landscape. “We are very excited and privileged to be working with such industry experts”, said Ken Prole, Principal Investigator and Lead Engineer for Code Ray. Dr. Gandhi will consult on modifying Code Ray for use in educational and training institutions that offer courses in secure coding practices. Mr. Wichers will provide subject matter expertise on improving Code Ray for use by penetration testing teams. “We expect their expertise to be invaluable in helping to drive the direction of Code Ray and mature its capability,” said Ken Prole. Code Ray development gets underway in mid-March, 2014.
Code Ray builds on the results of prior research sponsored by the DHS S&T Directorate, Cyber Security Division: SBIR projects (contract #s D11PC20010 and D14PC00060) and BAA 11-02 contract # FA8750-12-C-0219.
The views and conclusions contained herein are those of the authors and should not be interpreted as necessarily representing the official policies or endorsements, either expressed or implied, of the Department of Homeland Security, the Science & Technology Directorate, or the U.S. Government.
To learn more about Secure Decisions software assurance tools go to www.securedecisions.com/research-development/software-assurance/ and www.codedx.com
About Applied Visions and Secure Decisions
Applied Visions, Inc. (AVI) provides software products, custom solutions, and advanced technology research for commercial and government customers. The company’s vision and expertise in visual software solutions for complex defense, national security, and business problems have served AVI’s customers in the Department of Defense, Department of Homeland Security, Federal Bureau of Investigation, and prominent technology and Fortune 500 firms. Founded in 1987, AVI is based in Northport, NY, and has secure facilities and clearances to support classified government programs.
Secure Decisions was launched by AVI in 2000 to focus on cyber security research and products. Today, Secure Decisions is a leader in security visualization, with an established track record of R&D contracts, technology transition and product development. Secure Decisions’ technologies are used to enhance the situational awareness of software developers and security professionals in government and commercial organizations. SecureScope™, VIAssist™, MeerCAT® and Code Dx™ are among Secure Decisions’ extensive portfolio of cyber defense solutions.
For more information, please visit www.avi.com and www.securedecisions.com.
All trademarks, trade names, service marks, and logos referenced herein belong to their respective parties.