Two years ago, IBM began investigating how cognitive computing could produce intelligent finding analytics to address the thornier problems companies face as they try to understand and reduce application security risk. Companies that utilize static application security testing (SAST) to understand and reduce this application security risk face a conundrum: Should they focus on the speed at which they report vulnerabilities to developers or the accuracy with which they analyze results to identify, prioritize and address these issues? Typically, the latter goal — accuracy — involves utilizing expert personnel to verify high-risk vulnerabilities and eliminate false positives that can prevent a security team from achieving the former goal — speed. To put it simply, they couldn’t have both. Until now, that is.
Needles and Haystacks
Let’s use the example of a haystack. Since the best approach to SAST is to look through the actual data flows within an application, the SAST scanner tends to deliver numerous results. Think of these as all the possible results. This is the proverbial haystack.
To find the needles in this haystack, security teams can take one of two possible approaches:
Reduce the Size of the Haystack
This is generally accomplished by taking a lighter approach to scanning applications, which finds fewer results — hopefully the most significant ones. The major advantage of this approach is speed. At the risk of mixing our metaphors, the small quantity of results allows fast separation of the wheat from the chaff. This enables security teams to deliver results to developers quickly. The disadvantage is also important to note, however: Security teams may never find the needles they’re looking for. In other words, the process isn’t a sure bet to reduce an organization’s overall application security risk.
Recruit More Help
The second approach involves hiring more employees to review the results and find the needles manually. The advantage to this approach is comprehensiveness. Needles are not lost in the testing process, and experts can determine which results require action. The disadvantage, of course, is inefficiency in terms of skills, cost and, particularly, time. The larger the haystack, the more experts the project requires. These experts are scarce and expensive resources. Reviewing results can take hours, days or even weeks, making it virtually impossible to deliver results to developers in a timely manner or to support secure continuous engineering. Because of the skills shortage, some companies decide to outsource the entire process. This can solve the short-term skills gap but significantly increases the cost and process time. Outsourcing relieves companies of the burden of hiring and training, but it also means they lose control when it comes to prioritizing their time.
Intelligent Finding Analytics
Given this choice and the success of other cognitive efforts, IBM experts figured there must be a third alternative. Thus, IBM’s patent-pending Intelligent Finding Analytics (IFA) was born. IFA was initially a research project to see if the major advantage of the first SAST approach — speed — could be achieved with the advantage of the second approach — accuracy — without the drawbacks associated with each. The goal was to use the same cognitive capabilities that underlie IBM Watson to essentially act as a group of experts sifting through the haystack.
Over the past year, results have been even more significant than initially foreseen. In real customer usage, by removing false positives and noise, the haystacks of results have been consistently reduced by over 90 percent. With IFA’s learning capabilities, the accuracy of false positive removal is more than 98 percent. In fact, the actual reduction of false positives and noise across all customer scans in Application Security on Cloud, as of October 2016, was a whopping 98.91 percent!
As we noted, this reduction does not come at the expense of accuracy, with IFA’s 98 percent accuracy being nearly identical to that of capable and experienced application security experts. In many cases, IFA’s results are actually better than those of human experts. Most likely, this is attributable to people becoming fatigued after hours of needle hunting. IFA delivers the results in minutes, if not seconds, compared to the hours or days human experts require to analyze large applications. This speed permits cybersecurity teams to deliver findings to developers quickly enough to keep up with persistent threats and to maintain a continuous engineering mode. This enables developers to scan often and early, fixing vulnerabilities as they are introduced instead of waiting for them to turn up at their doorstep.
Fix Groups and Real-World Results
But IFA does more than address the haystack/needle issue. It also helps developers become more efficient in taking findings and fixing issues directly in the code they are writing. By applying cognitive techniques, IFA reduces the set of findings with fix groups. Fix groups show developers precisely where security issues reside in the code, enabling them to remediate multiple problems simultaneously. Developers are now seeing hundreds of security issues collapse into between five and 10 fix groups. IFA empowers developers to fix them all in one integrated development environment (IDE).
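To make the fix-group idea concrete, here is an added illustration (not IBM's IFA algorithm, whose internals the post does not describe): SAST findings are modelled as source-to-sink dataflow traces, and a greedy set cover picks the code location shared by the most traces as the place where one validation or encoding fix would break them all. All method names and traces are constructed for the example.

```python
"""Simplified model of SAST "fix groups": cluster many source->sink taint traces
by one shared code location where a single fix would cut every trace in the
cluster. Added illustration only, not the vendor's algorithm."""

# Constructed sample findings: {finding_id: [source, step, ..., sink]}.
# Identifiers are hypothetical method names, not from any real scan.
FINDINGS = {
    1: ["HttpServlet.getParameter", "RequestUtil.readField", "OrderDao.query", "Statement.execute"],
    2: ["HttpServlet.getParameter", "RequestUtil.readField", "UserDao.find", "Statement.execute"],
    3: ["HttpServlet.getHeader", "RequestUtil.readField", "OrderDao.query", "Statement.execute"],
    4: ["HttpServlet.getParameter", "ProfileView.render", "PrintWriter.write"],
    5: ["HttpServlet.getCookie", "ProfileView.render", "PrintWriter.write"],
    6: ["Socket.read", "Importer.parseLine", "File.open"],
}


def fix_groups(findings):
    """Greedy set cover over trace nodes (each trace must have >= 2 nodes).

    Returns [(fix_location, [covered finding ids]), ...], biggest group first.
    Every node after the source is a candidate fix location; ties go to the
    node closest to the source, so the fix lands where untrusted data is
    first handled by the application's own code.
    """
    uncovered = set(findings)
    groups = []
    while uncovered:
        count, nearest = {}, {}
        for fid in uncovered:
            seen = set()
            for idx, node in enumerate(findings[fid]):
                if idx == 0 or node in seen:  # skip the source and repeats
                    continue
                seen.add(node)
                count[node] = count.get(node, 0) + 1
                nearest[node] = min(nearest.get(node, idx), idx)
        best = min(count, key=lambda n: (-count[n], nearest[n], n))
        covered = sorted(f for f in uncovered if best in findings[f][1:])
        groups.append((best, covered))
        uncovered.difference_update(covered)
    return groups


if __name__ == "__main__":
    groups = fix_groups(FINDINGS)
    print(f"{len(FINDINGS)} findings -> {len(groups)} fix groups")
    for location, ids in groups:
        print(f"  fix at {location}: covers findings {ids}")
```

Six traces collapse into three fix locations; on a real scan the same grouping is what lets a developer clear hundreds of findings from a handful of places.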
With these capabilities, how does IFA help companies address day-to-day application security challenges? Let’s look at three real-world customer results:
In application No. 1, the deep scan findings identified more than 12,000 potential vulnerabilities. IFA reduced this count to about 1,000 and identified 35 places (fix groups) in the code to address all 1,000. In application No. 2, the deep scan findings identified almost 250,000 potential vulnerabilities. Again, IFA reduced it to about 1,000 vulnerabilities and identified 103 fix groups in the code to address them. In application No. 3, the deep scan findings identified nearly 750,000 potential vulnerabilities. Astoundingly, IFA reduced these to just 483 real results and identified 42 fix groups.
With more than a year of experience, IFA is showing that it can help a development team with any size application. It eliminated the need for those security teams to spend hours finding and fixing application security issues — or, in some cases, throwing their hands up in the air and giving up on the colossal challenge. Instead, these companies have increased the efficiency with which they address application security risks by more than 98 percent.
Put IFA to Work
After all the academic work, ongoing machine learning and real-world customer experience, what can IFA do for you? Put very simply, IFA offers a way to:
- Speed up your security testing to integrate with your continuous development process.
- Reduce the burden on your limited security staff.
- Help your developers deliver secure code more effectively.
And that’s just the beginning. IBM’s IFA capabilities are now available on our Application Security on Cloud and IBM Security AppScan Source solutions. Check out our brief video below for an entertaining overview of our IFA and Intelligent Code Analytics (ICA) capabilities for Application Security on Cloud. And, test-drive our cognitive capabilities by signing up for our complimentary trial of IBM Application Security on Cloud today.
This post was updated on May 20, 2018, to reflect new offerings from IBM Security.
Senior Offering Manager, IBM
Lead Security Analytics Researcher, IBM