Intelligent Code Analytics: Increasing Application Security Testing Coverage With Cognitive Computing

In a previous post, we examined how cognitive computing can greatly reduce the false positives and noise that are inherent in static application security testing (SAST). We also showed that this reduction does not come at the cost of language coverage, that is, it does not shrink the rule set, which is how most application security offerings cut their false positives.

Although intelligent findings analytics (IFA) represents a key breakthrough in application security testing, it only maintains the breadth of coverage that the static analysis language processor produced.

ICA: Taking Application Security Testing a Step Forward

Intelligent code analytics (ICA) takes IFA a major step forward by using cognitive computing to extend the coverage of a language. This matters because programming languages are evolving rapidly, with new frameworks appearing seemingly every day. A new language version such as Java 8 can introduce tens of thousands of new application programming interfaces (APIs).


Traditionally, a trained security expert reviews each of these APIs to decide whether it introduces untrusted input into the program (a source) or performs a security-sensitive operation on data it is given (a sink), and therefore whether data flowing from one to the other, without being sanitized on the way, could carry a vulnerability (a taint). New frameworks make this harder: by hiding plumbing from developers, they also hide it from the testing system. Identifying these APIs and writing rules for them, a process referred to as markup, can take weeks or more, and until it is done those APIs are invisible to the analysis, leaving gaps in its coverage.

Figure 1: Unknown APIs leave gaps in coverage.

ICA virtually eliminates this gap by applying machine learning to the identification and markup of APIs, and it does so on the fly: each time the scan encounters an API or framework it has not seen before, it determines whether that API can carry taint and generates a rule for it. The analysis engine then uses that rule to decide whether the application's data flow reaches a real vulnerability.
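To make the markup gap concrete, here is an added example of a toy taint analysis over straight-line Python code. It is not AppScan or ICA code and does not reproduce ICA's classifier; the rule names, the sample program, and the "legacyfw", "db" and "dbapi" libraries are all constructed for illustration. It shows what the text describes: a source flows into a sink through an API that has no rule, the analysis misses that flow because it has to assume the unknown call returns clean data, and adding the missing rule (the markup step, here done by hand in place of ICA's on-the-fly classification) makes the same flow visible.

```python
# Added illustration of the markup gap: a toy taint analysis over
# straight-line Python. Not AppScan/ICA code; the rule names, the
# "legacyfw"/"db"/"dbapi" libraries and the sample program are constructed.
import ast
from dataclasses import dataclass, field


@dataclass
class Rules:
    """Markup: which APIs play which role in a taint flow."""
    sources: set = field(default_factory=set)      # return attacker-controlled data
    sinks: set = field(default_factory=set)        # dangerous if given tainted data
    sanitizers: set = field(default_factory=set)   # neutralise taint in their argument
    propagators: set = field(default_factory=set)  # result tainted iff an argument is


def call_name(call):
    """Dotted name of a call target, e.g. request.args.get(...) -> 'request.args.get'."""
    parts, f = [], call.func
    while isinstance(f, ast.Attribute):
        parts.append(f.attr)
        f = f.value
    if isinstance(f, ast.Name):
        parts.append(f.id)
    return ".".join(reversed(parts))


def tainted(expr, env, rules):
    """True if expr may evaluate to attacker-controlled data under the current markup."""
    if isinstance(expr, ast.Name):
        return env.get(expr.id, False)
    if isinstance(expr, ast.BinOp):                       # e.g. string concatenation
        return tainted(expr.left, env, rules) or tainted(expr.right, env, rules)
    if isinstance(expr, ast.Call):
        name = call_name(expr)
        if name in rules.sources:
            return True
        if name in rules.sanitizers:
            return False
        if name in rules.propagators:
            return any(tainted(a, env, rules) for a in expr.args)
        # No rule for this API: the analyser cannot tell what it does with its
        # input. Treating the result as clean is exactly the gap in Figure 1.
        return False
    return False                                           # constants and anything else


def analyse(src, rules):
    """Return (line, sink) pairs where tainted data reaches a marked-up sink."""
    env, findings = {}, []
    for stmt in ast.parse(src).body:
        for call in (n for n in ast.walk(stmt) if isinstance(n, ast.Call)):
            if call_name(call) in rules.sinks and any(tainted(a, env, rules) for a in call.args):
                findings.append((stmt.lineno, call_name(call)))
        if isinstance(stmt, ast.Assign) and isinstance(stmt.targets[0], ast.Name):
            env[stmt.targets[0].id] = tainted(stmt.value, env, rules)
    return findings


def unmodelled_apis(src, rules):
    """APIs called in src for which the markup has no rule at all."""
    known = rules.sources | rules.sinks | rules.sanitizers | rules.propagators
    calls = {call_name(n) for n in ast.walk(ast.parse(src)) if isinstance(n, ast.Call)}
    return calls - known


def with_markup(rules, api, role):
    """Copy of rules with `api` added in the given role: what a markup step produces."""
    new = Rules(set(rules.sources), set(rules.sinks), set(rules.sanitizers), set(rules.propagators))
    getattr(new, role).add(api)
    return new


# Constructed sample program: a request parameter reaches a SQL sink three ways.
SAMPLE = '''name = request.args.get("name")
decoded = legacyfw.decode(name)
db.execute("SELECT * FROM users WHERE name = '" + decoded + "'")
safe = dbapi.quote(name)
db.execute("SELECT * FROM users WHERE name = " + safe)
db.execute("SELECT * FROM users WHERE name = '" + name + "'")
'''

# Markup as an expert might have written it before "legacyfw" existed.
BASE_RULES = Rules(sources={"request.args.get"}, sinks={"db.execute"}, sanitizers={"dbapi.quote"})


if __name__ == "__main__":
    print("unmodelled APIs:", unmodelled_apis(SAMPLE, BASE_RULES))
    print("findings before markup:", analyse(SAMPLE, BASE_RULES))      # line 3 is missed
    learned = with_markup(BASE_RULES, "legacyfw.decode", "propagators")
    print("findings after markup:", analyse(SAMPLE, learned))          # lines 3 and 6
```

Before markup the analysis reports only line 6, the direct concatenation; the flow through `legacyfw.decode` on line 3 is a false negative, not because the code is safe but because the rule set is silent about that API. Marking it up as a propagator surfaces the second finding; marking it up as a sanitizer would suppress it, which is why the classification step, human or machine, has to be accurate.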

Figure 2: ICA identifies previously unknown APIs.

ICA ‘Just Works’

Kris Duer, known as the “father of IFA and ICA” within IBM Security, has a phrase to describe how these results are achieved: “It just works!” While there is certainly more detail behind Kris’s statement, the beauty of applying cognitive technology to application security testing is that you don’t need to know all the details — you can simply look at the results.

With IFA, we saw machine accuracy that met or exceeded the results of trained experts performing the same analysis. The results of ICA are equally impressive and likewise meet or exceed human efforts. As with IFA, we attribute this to the fact that people working on complex problems for hours at a time naturally tire and make errors, while the machine completes the same job in seconds and never tires.

Figure 3: ICA correctly identifies over 98 percent of APIs.

Enhance Speed and Coverage With IFA and ICA

Together, IFA and ICA utilize cognitive computing to address key areas of application security: speed and coverage. Both are critical to building a successful DevOps application security program. But this is just the beginning. Where will cognitive computing take us next in making your application security program more effective? Watch this space to find out!


For additional information about IBM’s cognitive application security testing capabilities, watch this brief animated video:

David Marshak

Senior Offering Manager, IBM

David Marshak focuses on IBM’s Application Security portfolio, including the AppScan product line, cloud offerings and partnerships with companies such as Arxan. Prior to joining IBM in January 2005, Marshak was an internationally known industry analyst and consultant with Patricia Seybold Group for 18 years. Marshak has spoken worldwide to audiences, large and small, on emerging technologies and future trends. He is often called upon to be a featured speaker and panel moderator at numerous industry conferences such as IBM InterConnect, Connect, Pulse, VoiceCon, Collaboration Technologies Conference, Burton Group Catalyst Conference, COMDEX, InternetWorld, Groupware, VON, NetWorld and Lotusphere, among others. He has appeared as an expert commentator on PBS, CNBC and National Public Radio and has lectured on collaboration at Massachusetts Institute of Technology and Babson College. Marshak has been quoted in the Wall Street Journal, Forbes, New York Times, Business Week and Investor’s Business Daily as well as the technical press.