TRANSCRIPT
2016 | Cyber Security Division R&D SHOWCASE AND TECHNICAL WORKSHOP
Achieving Software Assurance with Hybrid Analysis Mapping
Denim Group: Dan Cornell, CTO
February 17, 2016
Denim Group Team Profile
- Denim Group:
  - Secure software services and products company
  - Builds secure software
  - Helps organizations assess and mitigate risk of in-house developed and third-party software
- Team:
  - Principal Investigator: Dan Cornell
    - Software developer by background
    - Software security researcher
  - Team: Software engineers trained in software security
CYBER SECURITY DIVISION 2016 R&D SHOWCASE AND TECHNICAL WORKSHOP, 2/17/16
Why Software Assurance
- Software is integral to critical infrastructure
  - These days everything actually IS software
- Software systems have significant vulnerabilities that expose critical infrastructure to exploitation
- Nation states, organized crime, chaotic actors and other threats target software
Software Assurance Testing
- Static Application Security Testing (SAST)
  - Testing software “at rest”
  - Evaluating source code, binary code
- Dynamic Application Security Testing (DAST)
  - Testing running software
  - Exercise the software and see how it responds
Need for Hybrid Analysis Mapping
- Major classes of automated analysis have both strengths and weaknesses
- Individual tools provide limited coverage when used in isolation
- Hybrid Analysis Mapping: combining the results of different types of analysis and multiple tools allows for:
  - Better results triage
  - More sophisticated analysis
Approach
- Initial goal: allow for the merging of SAST and DAST application vulnerability scan results
- Perform code analysis to create an attack surface model for the application
  - Link with the source code responsible
- Given DAST and SAST results for a given application: identify matches
Implementation
Benefits
- Manage large amounts of vulnerability data efficiently
  - Too many results, not enough analysts
  - Manual results merge by human analyst no longer required
  - Quickly triage:
    - Likelihood of false positive results
    - More severely exposed vulnerabilities
- Increase value of existing investments in SAST, DAST
- Emergent benefits:
  - Improve the quality of analysis
    - Use attack surface model to seed DAST scanners
  - Increase the speed of remediation
    - Query attack surface model to pinpoint source code location of vulnerabilities
Benefits: SAST – DAST Merge
Benefits: DAST Scanner Seeding
Benefits: Line-of-Code Mapping
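The Approach and Benefits slides describe the mechanics of Hybrid Analysis Mapping, but the deck shows them only as screenshots. What follows is an added Python illustration written for this transcript; it is not ThreadFix's own code. It assumes Spring-MVC-style @RequestMapping/@RequestParam annotations as the route declarations it parses, and every file name, URL, finding and source line in it is constructed. It builds the attack surface model from source, merges constructed SAST and DAST findings through that model (tagging each record with its evidence so triage can rank results confirmed by both tools first), emits seeds for a DAST scanner, and maps a URL back to the file and line of its handler.

```python
"""Toy Hybrid Analysis Mapping: an attack-surface model built from route
declarations, used to merge SAST and DAST findings, seed a DAST scanner and
map a URL back to a line of code. Added illustration, not ThreadFix code."""
import re
from dataclasses import dataclass, field

# Constructed sample source (not a real project); the Spring-MVC-style
# annotations are an assumption. Line numbers matter: SAST findings cite them.
SOURCE_FILES = {
    "src/UserController.java": """\
public class UserController {
    @RequestMapping("/users/search")
    public String search(@RequestParam("q") String q) {
        return db.query("SELECT * FROM users WHERE name = '" + q + "'");
    }
    @RequestMapping("/users/profile")
    public String profile(@RequestParam("id") String id) {
        return render(id);
    }
}
""",
}

# Constructed findings as two independent scanners would report them:
# SAST knows file/line/parameter, DAST knows URL/parameter.
SAST_FINDINGS = [
    {"type": "SQL Injection", "file": "src/UserController.java", "line": 4, "param": "q"},
    {"type": "XSS", "file": "src/UserController.java", "line": 8, "param": "id"},
]
DAST_FINDINGS = [
    {"type": "SQL Injection", "url": "http://app.example/users/search", "param": "q"},
    {"type": "XSS", "url": "http://app.example/users/export", "param": "fmt"},
]


@dataclass
class Endpoint:
    path: str                                   # URL path the handler serves
    file: str                                   # source file declaring it
    line: int                                   # line of the handler signature
    params: list = field(default_factory=list)  # request parameters it reads


def build_attack_surface(sources):
    """Static pass: each @RequestMapping becomes an Endpoint, with the
    @RequestParam names found in the handler signature that follows it."""
    model = []
    for file, text in sources.items():
        lines = text.splitlines()
        for i, line in enumerate(lines, start=1):
            m = re.search(r'@RequestMapping\("([^"]+)"\)', line)
            if not m:
                continue
            sig, j = "", i  # lines[i] is the line after the annotation
            while j < len(lines) and "{" not in sig:
                sig += lines[j]
                j += 1
            params = re.findall(r'@RequestParam\("([^"]+)"\)', sig)
            model.append(Endpoint(m.group(1), file, i + 1, params))
    return model


def url_to_endpoint(url, model):
    path = re.sub(r"^https?://[^/]+", "", url)
    return next((e for e in model if e.path == path), None)


def line_to_endpoint(file, line, model):
    """Attribute a source line to the nearest handler declared above it."""
    above = [e for e in model if e.file == file and e.line <= line]
    return max(above, key=lambda e: e.line, default=None)


def merge_findings(sast, dast, model):
    """Merge pass: a DAST finding links to a SAST finding when the model maps
    its URL to the endpoint owning the SAST line and parameter and type agree.
    'SAST+DAST' records are the confirmed, externally exposed ones."""
    records, matched = [], set()
    for d in dast:
        ep = url_to_endpoint(d["url"], model)
        hit = next((i for i, s in enumerate(sast)
                    if ep is not None
                    and line_to_endpoint(s["file"], s["line"], model) is ep
                    and s["param"] == d["param"] and s["type"] == d["type"]), None)
        if hit is None:
            records.append({**d, "evidence": "DAST only"})
        else:
            matched.add(hit)
            records.append({**sast[hit], "url": d["url"], "evidence": "SAST+DAST"})
    records += [{**s, "evidence": "SAST only"}
                for i, s in enumerate(sast) if i not in matched]
    return records


def seed_dast(model):
    """Scanner seeding: every (path, parameter) pair the static model knows,
    so a DAST crawler can reach endpoints it would not discover on its own."""
    return sorted((e.path, p) for e in model for p in e.params)


def locate(url, model):
    """Line-of-code mapping: which file and line handle this URL?"""
    ep = url_to_endpoint(url, model)
    return (ep.file, ep.line) if ep else None


if __name__ == "__main__":
    model = build_attack_surface(SOURCE_FILES)
    for r in merge_findings(SAST_FINDINGS, DAST_FINDINGS, model):
        print(r["evidence"], r["type"], r.get("url", ""), r.get("file", ""), r.get("line", ""))
    print("DAST seeds:", seed_dast(model), "| /users/search ->", locate("http://app.example/users/search", model))
```

On the constructed input the SQL injection finding is reported by both tools and comes out as SAST+DAST with its URL and source line attached, the XSS the static tool found at line 8 stays SAST only, and the DAST hit on /users/export (an endpoint the model does not know) stays DAST only. A single regex over annotations stands in for the real code analysis here, and attributing a finding to the nearest handler declared above it is only sound when handlers are not nested; a production mapper has to understand each framework's routing and parameter-passing conventions.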
Market Need
- Individual tools do not provide enough insight
  - Gaps in coverage
  - Strengths and weaknesses of SAST and DAST when used individually
- Manually combining results is not feasible
  - Extremely time-consuming
  - Cyber talent shortage
- Need better tools providing deeper analysis
  - Combining analysis allows discovery of new vulnerabilities
Transition Activities
- HAM technology has been included in Denim Group’s ThreadFix software assurance program management platform
  - Used by Software Assurance teams
  - ThreadFix Community (open source)
    - https://github.com/denimgroup/threadfix
  - ThreadFix Enterprise (commercial)
    - http://www.threadfix.org/
- 3200+ downloads
- Working with pilot users
  - Financial services, Federal
What Can You Do?
- Running a Software Assurance program?
  - Request a demo of ThreadFix
    - Software assurance program management
    - Incorporating HAM into your program
- Building Software Assurance tools?
  - License HAM technology
    - Augment application security testing technologies
    - Support IV&V efforts
Contact Information
Dan Cornell, Denim Group
[email protected]
(210) 572-4400
@danielcornell