Achieving Software Assurance with Hybrid Analysis Mapping
2. Achieving Software Assurance with Hybrid Analysis Mapping
2016 | Cyber Security Division R&D Showcase and Technical Workshop
Denim Group
Dan Cornell, CTO
February 17, 2016
3. Denim Group Team Profile
- Denim Group:
  - Secure software services and products company
    - Builds secure software
    - Helps organizations assess and mitigate risk of in-house developed and third party software
- Team:
  - Principal Investigator: Dan Cornell
    - Software developer by background
    - Software security researcher
  - Team: Software engineers trained in software security
CYBER SECURITY DIVISION 2016 R&D SHOWCASE AND TECHNICAL WORKSHOP | 3 | 2/17/16
4. Why Software Assurance
- Software is integral to critical infrastructure
- These days everything actually IS software
- Software systems have significant vulnerabilities that expose critical infrastructure to exploitation
- Nation states, organized crime, chaotic actors and other threats target software
5. Software Assurance Testing
- Static Application Security Testing (SAST)
  - Testing software “at rest”
  - Evaluating source code, binary code
- Dynamic Application Security Testing (DAST)
  - Testing running software
  - Exercise the software and see how it responds
6. Need for Hybrid Analysis Mapping
- Major classes of automated analysis have both strengths and weaknesses
- Individual tools provide limited coverage when used in isolation
- Hybrid Analysis Mapping: combining the results of different types of analysis and multiple tools allows for:
  - Better results triage
  - More sophisticated analysis
7. Approach
- Initial goal: allow for the merging of SAST and DAST application vulnerability scan results
- Perform code analysis to create an attack surface model for the application
  - Link with the source code responsible
- Given DAST and SAST results for a given application: identify matches
9. Benefits
- Manage large amounts of vulnerability data efficiently
  - Too many results, not enough analysts
  - Manual results merge by human analyst no longer required
  - Quickly triage:
    - Likelihood of false positive results
    - More severely exposed vulnerabilities
- Increase value of existing investments in SAST, DAST
- Emergent benefits:
  - Improve the quality of analysis
    - Use attack surface model to seed DAST scanners
  - Increase the speed of remediation
    - Query attack surface model to pinpoint source code location of vulnerabilities
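The approach on slide 7 (derive an attack surface model from the code, then match DAST and SAST findings through it) and the triage, seeding and pinpointing benefits on slide 9, shown as an added Python example. This is not ThreadFix or Denim Group code: the Java-style controllers, the @RequestMapping/getParameter() conventions the toy parser recognizes, the two regexes, the SAST and DAST findings, and the matching key (same endpoint, same parameter, same CWE) are all constructed assumptions for the example.

```python
"""Toy Hybrid Analysis Mapping: merge SAST and DAST findings through an attack
surface model derived from the code. Added example; not ThreadFix code. Sources,
findings and the @RequestMapping/getParameter() conventions are all constructed."""
import re
from collections import defaultdict, namedtuple
from dataclasses import dataclass, field
from urllib.parse import urlsplit

SOURCE_FILES = {
    "LoginController.java": """\
@RequestMapping("/login")
public String login(HttpServletRequest req) {
    String user = req.getParameter("user");
    return authService.check(user, req.getParameter("password"));
}
""",
    "SearchController.java": """\
@RequestMapping("/search")
public String search(HttpServletRequest req) {
    String q = req.getParameter("q");
    return searchDao.run(q);
}
@RequestMapping("/export")
public String export(HttpServletRequest req) {
    String fmt = req.getParameter("format");
    return exporter.run(fmt);
}
""",
}
ROUTE_RE = re.compile(r'@RequestMapping\("([^"]+)"\)')
PARAM_RE = re.compile(r'getParameter\("([^"]+)"\)')
SastFinding = namedtuple("SastFinding", "cwe file line param")  # tool flagged file:line
DastFinding = namedtuple("DastFinding", "cwe url param")        # scanner hit this URL

@dataclass
class Endpoint:  # attack surface entry: URL path -> handler source span + input names
    url: str
    file: str
    start: int          # line of the route annotation
    end: int = 0        # last line of the handler
    params: set = field(default_factory=set)

def build_attack_surface(sources):
    """Code analysis: a route annotation opens an endpoint; getParameter() calls up
    to the next annotation (or end of file) become that endpoint's inputs."""
    endpoints = []
    for fname, text in sources.items():
        lines, current = text.splitlines(), None
        for lineno, line in enumerate(lines, 1):
            m = ROUTE_RE.search(line)
            if m:
                if current:
                    current.end = lineno - 1
                current = Endpoint(m.group(1), fname, lineno)
                endpoints.append(current)
            elif current:
                current.params.update(PARAM_RE.findall(line))
        if current:
            current.end = len(lines)
    return endpoints

def locate(endpoints, file, line):  # SAST side: the handler span containing file:line
    return next((e for e in endpoints if e.file == file and e.start <= line <= e.end), None)

def endpoint_for_url(endpoints, url):  # DAST side: same path, query string ignored
    return next((e for e in endpoints if e.url == urlsplit(url).path), None)

def merge(endpoints, sast, dast):
    """Key every finding on (url, parameter, CWE) so both tools' results line up."""
    merged = defaultdict(lambda: {"sast": [], "dast": [], "source": None})
    for s in sast:
        e = locate(endpoints, s.file, s.line)
        if e and s.param in e.params:
            merged[(e.url, s.param, s.cwe)]["sast"].append(s)
    for d in dast:
        e = endpoint_for_url(endpoints, d.url)
        if e:
            entry = merged[(e.url, d.param, d.cwe)]
            entry["dast"].append(d)
            entry["source"] = (e.file, e.start)  # model pinpoints the handler to fix
    return dict(merged)

def triage(merged):
    """confirmed: both tools agree (fix first); dast_only: live exposure SAST
    missed; sast_only: unreached code or likely false positive, review last."""
    buckets = {"confirmed": [], "sast_only": [], "dast_only": []}
    for key, hits in sorted(merged.items()):
        status = ("confirmed" if hits["sast"] and hits["dast"]
                  else "sast_only" if hits["sast"] else "dast_only")
        buckets[status].append(key)
    return buckets

def seed_targets(endpoints):  # DAST seeding: every path/parameter the model knows
    return [(e.url, sorted(e.params)) for e in endpoints]

SAST = [SastFinding("CWE-89", "SearchController.java", 4, "q"),
        SastFinding("CWE-79", "LoginController.java", 4, "user")]
DAST = [DastFinding("CWE-89", "http://app.example/search?q=1", "q"),
        DastFinding("CWE-22", "http://app.example/export?format=x", "format")]
```

Running `triage(merge(build_attack_surface(SOURCE_FILES), SAST, DAST))` puts the /search SQL injection in `confirmed` (both tools hit it), the /login XSS in `sast_only` (a candidate for false-positive review), and the /export path traversal in `dast_only`, where the merged entry's `source` field already names the handler the scanner never saw. `seed_targets` lists every path and parameter the model knows, including the `password` input the DAST scanner never exercised; in a real tool the handler span would come from the parser's AST rather than from a regex over consecutive lines, and the matching key would usually include HTTP method and URL patterns with path variables.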
13. Market Need
- Individual tools do not provide enough insight
  - Gaps in coverage
  - Strengths and weaknesses of SAST and DAST when used individually
- Manually combining results is not feasible
  - Extremely time-consuming
  - Cyber talent shortage
- Need better tools providing deeper analysis
  - Combining analysis allows discovery of new vulnerabilities
14. Transition Activities
- HAM technology has been included in Denim Group’s ThreadFix software assurance program management platform
  - Used by Software Assurance teams
  - ThreadFix Community (open source)
    - https://github.com/denimgroup/threadfix
  - ThreadFix Enterprise (commercial)
    - http://www.threadfix.org/
- 3200+ downloads
- Working with pilot users
  - Financial services, Federal
15. What Can You Do?
- Running a Software Assurance program?
- Request a demo of ThreadFix
  - Software assurance program management
  - Incorporating HAM into your program
- Building Software Assurance tools?
- License HAM technology
  - Augment application security testing technologies
  - Support IV&V efforts
16. Contact Information
Dan Cornell
Denim Group
dan@denimgroup.com
(210) 572-4400
@danielcornell