In a previous post, we examined how cognitive computing can greatly reduce the false positives and noise that are inherent in static application security testing (SAST). We also showed how the reduction of false positives can be done without impacting language coverage — i.e., decreasing the rule set — which is the approach of most application security offerings.

Although intelligent findings analytics (IFA) represents a key breakthrough in application security testing, it only maintains the breadth of coverage that the static analysis language processor produced.

ICA: Taking Application Security Testing a Step Forward

Intelligent code analytics (ICA) takes IFA a major step forward by using cognitive computing to extend the coverage of a language. This is extremely important because coding languages are rapidly evolving, with new frameworks appearing seemingly every day. A new language version such as Java 8 can introduce tens of thousands of new application programming interfaces (APIs).

Traditionally, a trained security expert would review each of these APIs to determine whether it is an input of untrusted data (a source) or an output (a sink), and then determine whether attacker-controlled data (taint) passing through it could produce a vulnerability. New frameworks make this process even more complex: by hiding detail from developers, they also make the underlying behaviour more opaque to testing systems. Identifying these APIs and creating rules around them, referred to as markup, can take weeks or more, leaving gaps in the testing system’s coverage.


Figure 1: Unknown APIs leave gaps in coverage.

ICA addresses and virtually eliminates this issue by applying machine learning to the identification and markup of APIs. Most amazingly, ICA does this on the fly. Every time it encounters a new API or framework, it instantly determines whether it is taintable and creates a rule. The analysis engine then uses that rule to decide whether the application’s data flow constitutes a real vulnerability.
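To make the preceding two paragraphs concrete, the following added example (not code from the original post and not IBM’s implementation) shows what "markup" is to a taint-analysis engine and why an API the markup does not cover leaves a gap. It runs a minimal forward taint propagation over a constructed straight-line program: a request parameter is trimmed, passed through an API from a hypothetical new framework (`org.example.newfw.Template.render`, an assumed name), and written to the HTTP response. The `Markup` rule set is a constructed toy, the Java API names in it are real but the classification is illustrative, and the machine-learning step the post describes is not reproduced; the example only shows the effect of a rule being absent and then added.

```python
from dataclasses import dataclass, field
from typing import List, Optional, Set, Tuple


@dataclass
class Call:
    """One API call in a straight-line program (constructed toy IR)."""
    api: str                 # fully qualified name of the API being called
    args: Tuple[str, ...]    # variable names passed as arguments
    result: Optional[str]    # variable receiving the return value, or None


@dataclass
class Markup:
    """The rule set ("markup") the analyser relies on. Constructed toy, not IBM's rules."""
    sources: Set[str] = field(default_factory=set)      # return attacker-controlled data
    sinks: Set[str] = field(default_factory=set)        # dangerous when fed tainted data
    propagators: Set[str] = field(default_factory=set)  # taint flows from args to result

    def knows(self, api: str) -> bool:
        return api in self.sources or api in self.sinks or api in self.propagators


def coverage_gaps(program: List[Call], markup: Markup) -> List[str]:
    """APIs the program uses that the markup says nothing about (the gaps of Figure 1)."""
    gaps: List[str] = []
    for call in program:
        if not markup.knows(call.api) and call.api not in gaps:
            gaps.append(call.api)
    return gaps


def analyze(program: List[Call], markup: Markup) -> List[Tuple[str, str, str]]:
    """Forward taint propagation. Returns (sink_api, tainted_arg, origin_source) findings."""
    tainted = {}  # variable name -> source API that tainted it
    findings = []
    for call in program:
        if call.api in markup.sinks:
            for arg in call.args:
                if arg in tainted:
                    findings.append((call.api, arg, tainted[arg]))
        if call.result is None:
            continue
        if call.api in markup.sources:
            tainted[call.result] = call.api
        elif call.api in markup.propagators:
            origins = [tainted[a] for a in call.args if a in tainted]
            if origins:
                tainted[call.result] = origins[0]
            else:
                tainted.pop(call.result, None)
        else:
            # Unknown API: the engine cannot tell whether taint flows through it,
            # so its result is treated as clean. This is exactly the coverage gap.
            tainted.pop(call.result, None)
    return findings


def extend_markup(markup: Markup, sources=(), sinks=(), propagators=()) -> Markup:
    """Return a copy of the markup with extra rules (what an expert, or ICA, would add)."""
    return Markup(
        markup.sources | set(sources),
        markup.sinks | set(sinks),
        markup.propagators | set(propagators),
    )


def baseline_markup() -> Markup:
    """Rules known before the new framework appeared (constructed)."""
    return Markup(
        sources={"javax.servlet.http.HttpServletRequest.getParameter"},
        sinks={"java.io.PrintWriter.println"},
        propagators={"java.lang.String.trim"},
    )


# Hypothetical API from a new framework; assumed name, not a real library.
UNKNOWN_API = "org.example.newfw.Template.render"

# Constructed sample program: parameter -> trim -> render -> response writer.
PROGRAM = [
    Call("javax.servlet.http.HttpServletRequest.getParameter", ("name",), "user"),
    Call("java.lang.String.trim", ("user",), "cleaned"),
    Call(UNKNOWN_API, ("cleaned",), "html"),
    Call("java.io.PrintWriter.println", ("html",), None),
]


if __name__ == "__main__":
    base = baseline_markup()
    print("coverage gaps:", coverage_gaps(PROGRAM, base))
    print("findings without a rule:", analyze(PROGRAM, base))   # empty: the flow is missed
    closed = extend_markup(base, propagators={UNKNOWN_API})
    print("findings once the API is marked up:", analyze(PROGRAM, closed))
```

Without a rule for `render`, the engine has no way to know the value it returns still carries the request parameter, so the flow into `println` is silently dropped; adding a single propagator rule closes the gap and the source-to-sink path reappears. Whether that rule is written by an expert after weeks of review or produced on the fly is the difference the post is describing.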


Figure 2: ICA identifies previously unknown APIs.

ICA ‘Just Works’

Kris Duer, known as the “father of IFA and ICA” within IBM Security, has a phrase to describe how these results are achieved: “It just works!” While there is certainly more detail behind Kris’s statement, the beauty of applying cognitive technology to application security testing is that you don’t need to know all the details — you can simply look at the results.

With IFA, we experienced machine accuracy that met or exceeded the results of trained experts performing the same analysis. Similarly, the results of ICA are equally impressive and likewise meet or exceed the results of human efforts. As with IFA, we can attribute this to the fact that people working on complex problems for hours at a time naturally become tired and tend to make errors, while machines complete the same job in seconds and never tire.


Figure 3: ICA correctly identifies over 98 percent of APIs.

Enhance Speed and Coverage With IFA and ICA

Together, IFA and ICA utilize cognitive computing to address key areas of application security: speed and coverage. Both are critical to building a successful DevOps application security program. But this is just the beginning. Where will cognitive computing take us next in making your application security program more effective? Watch this space to find out!

For additional information about IBM’s cognitive application security testing capabilities, watch this brief animated video:

https://www.youtube.com/watch?v=QuWX8j1spOs
