Intelligent Code Analytics: Increasing Application Security Testing Coverage With Cognitive Computing
In a previous post, we examined how cognitive computing can greatly reduce the false positives and noise that are inherent in static application security testing (SAST). We also showed how the reduction of false positives can be done without impacting language coverage — i.e., decreasing the rule set — which is the approach of most application security offerings.
Although intelligent findings analytics (IFA) represents a key breakthrough in application security testing, it only maintains the breadth of coverage that the static analysis language processor produced.
ICA: Taking Application Security Testing a Step Forward
Intelligent code analytics (ICA) takes IFA a major step forward by using cognitive computing to extend the coverage of a language. This is extremely important because coding languages are rapidly evolving, with new frameworks appearing seemingly every day. A new language version such as Java 8 can introduce tens of thousands of new application program interfaces (APIs).
Traditionally, a trained security expert would review each of these APIs to see if it is an input (a source) or an output (a sink), and then determine whether the code might carry a vulnerability (a taint). New frameworks make this process even more complex. By making coding simpler for developers, they make reviewing more opaque to testing systems. Identifying these APIs and creating rules around them, referred to as markup, can take weeks or more, leaving gaps in the testing system’s coverage.
Figure 1: Unknown APIs leave gaps in coverage.
ICA addresses and virtually eliminates this issue by applying machine learning to the identification and markup of APIs. Most amazingly, ICA does this on the fly. Every time it encounters a new API or framework, it instantly determines whether it is taintable and creates a rule. This is then used by the analysis engine to determine whether the application’s data flow contains a real vulnerability or not.
Figure 2: ICA identifies previously unknown APIs.
ICA ‘Just Works’
Kris Duer, known as the “father of IFA and ICA” within IBM Security, has a phrase to describe how these results are achieved: “It just works!” While there is certainly more detail behind Kris’s statement, the beauty of applying cognitive technology to application security testing is that you don’t need to know all the details — you can simply look at the results.
With IFA, we experienced machine accuracy that met or exceeded the results of trained experts performing the same analysis. Similarly, the results of ICA are equally impressive and likewise meet or exceed the results of human efforts. As with IFA, we can attribute this to the fact that people working on complex problems for hours at a time naturally become tired and tend to make errors, while machines complete the same job in seconds and never tire.
Figure 3: ICA correctly identifies over 98 percent of APIs.
Enhance Speed and Coverage With IFA and ICA
Together, IFA and ICA utilize cognitive computing to address key areas of application security: speed and coverage. Both are critical to building a successful DevOps application security program. But this is just the beginning. Where will cognitive computing take us next in making your application security program more effective? Watch this space to find out!
For additional information about IBM’s cognitive application security testing capabilities, please attend session SAP-1588, titled “How Cognitive Is Changing Your Application Security World,” on Tuesday, March 21 at 4:45 p.m. PT at IBM InterConnect 2017.