You can also read and share this article in Spanish, French and German.

Two years ago, IBM began investigating how cognitive computing could produce intelligent finding analytics to address the thornier problems companies face as they try to understand and reduce application security risk. Companies that utilize static application security testing (SAST) to understand and reduce this application security risk face a conundrum: Should they focus on the speed at which they report vulnerabilities to developers or the accuracy with which they analyze results to identify, prioritize and address these issues? Typically, the latter goal — accuracy — involves utilizing expert personnel to verify high-risk vulnerabilities and eliminate false positives that can prevent a security team from achieving the former goal — speed. To put it simply, they couldn’t have both. Until now, that is.

Needles and Haystacks

Let’s use the example of a haystack. Since the best approach to SAST is to look through the actual data flows within an application, the SAST scanner tends to deliver numerous results. Think of these as all the possible results. This is the proverbial haystack.


To find the needles in this haystack, security teams can take one of two possible approaches:

Reduce the Size of the Haystack

This is generally accomplished by taking a lighter approach to scanning applications, which finds fewer results — hopefully the most significant ones. The major advantage of this approach is speed. At the risk of mixing our metaphors, the small quantity of results allows fast separation of the wheat from the chaff. This enables security teams to deliver results to developers quickly. The disadvantage is also important to note, however: Security teams may never find the needles they’re looking for. In other words, the process isn’t a sure bet to reduce an organization’s overall application security risk.

Recruit More Help

The second approach involves hiring more employees to review the results and find the needles manually. The advantage to this approach is comprehensiveness. Needles are not lost in the testing process and experts can determine which results require action. The disadvantage, of course, is inefficiency in terms of skills, cost and, particularly, time. The larger the haystack, the more experts the project requires. These experts are scarce and expensive resources. Reviewing results can take hours, days or even weeks, making it virtually impossible to deliver results to developers in a timely manner or secure continuous engineering. Because of the skills shortage, some companies decide to outsource the entire process. This can solve the short-term skills gap but significantly increases the cost and process time. Outsourcing relieves companies of the burden of hiring and training, but it also means they lose control when it comes to prioritizing their time.

Intelligent Finding Analytics

Given this choice and the success of other cognitive efforts, IBM experts figured there must be a third alternative. Thus, IBM’s patent pending Intelligent Finding Analytics (IFA) was born. IFA was initially a research project to see if the major advantage of the first SAST approach — speed — could be achieved with the advantage of the second approach — accuracy — without the drawbacks associated with each. The goal was to use the same cognitive capabilities that underlay IBM Watson to essentially act as a group of experts sifting through the haystack.

Astounding Numbers

Over the past year, results have been even more significant than initially foreseen. In real customer usage, by removing false positives and noise, the haystacks of results have been consistently reduced by over 90 percent. With IFA’s learning capabilities, the accuracy of false positive removal is more than 98 percent. In fact, the actual reduction of false positives and noise across all customer scans in application security on cloud, as of October 2016, was a whopping 98.91 percent!

As we noted, this reduction does not come at the expense of accuracy, with IFA’s 98 percent accuracy being nearly identical to that of capable and experienced application security experts. In many cases, IFA’s results are actually better than those of human experts. Most likely, this is attributable to people becoming fatigued after hours of needle hunting. IFA delivers the results in minutes, if not seconds, compared to the hours or days human experts require to analyze large applications. This speed permits cybersecurity teams to deliver findings to developers quickly enough to keep up with persistent threats and to maintain a continuous engineering mode. This enables developers to scan often and early, fixing vulnerabilities as they are introduced instead of waiting for them to turn up at their doorstep.

Fix Groups and Real-World Results

But IFA does more than address the haystack/needle issue. It also helps developers become more efficient in taking findings and fixing issues directly in the code they are writing. By applying cognitive techniques, IFA reduces the set of findings with fix groups. Fix groups show developers precisely where security issues reside in the code, enabling them to remediate multiple problems simultaneously. Developers are now seeing between five and 10 fix groups to hundreds of security issues. IFA empowers developers to fix them all in one integrated development environment (IDE).

With these capabilities, how does IFA help companies address day-to-day application security challenges? Let’s look at three real-world customer results:

In application No. 1, the deep scan findings identified more than 12,000 potential vulnerabilities. IFA reduced this count to about 1,000 and identified 35 places (fix groups) in the code to address all 1,000. In application No. 2, the deep scan findings identified almost 250,000 potential vulnerabilities. Again, IFA reduced it to about 1,000 vulnerabilities and identified 103 fix groups in the code to address them. In application No. 3, the deep scan findings identified nearly 750,000 potential vulnerabilities. Astoundingly, IFA reduced these to just 483 real results and identified 42 fix groups.

With more than a year of experience, IFA is showing that it can help a development team with any size application. It eliminated the need for those security teams to spend hours finding and fixing application security issues — or, in some cases, throwing their hands up in the air and giving up on the colossal challenge. Instead, these companies have increased the efficiency with which they address application security risks by more than 98 percent.

Put IFA to Work

After all the academic work, ongoing machine learning and real-world customer experience, what can IFA do for you? Put very simply, IFA offers a way to:

  • Speed up your security testing to integrate with your continuous development process.
  • Reduce the burden on your limited security staff.
  • Help your developers deliver secure code more effectively.

And that’s just the beginning. IBM’s IFA capabilities are now available on our Application Security on Cloud and IBM Security AppScan Source solutions. Check out our brief video below for an entertaining overview of our IFA and Intelligent Code Analytics (ICA) capabilities for Application Security on Cloud. And, test-drive our cognitive capabilities by signing up for our complimentary trial of IBM Application Security on Cloud today.

This post was updated on May 20, 2018, to reflect new offerings from IBM Security. 

More from Application Security

X-Force Identifies Vulnerability in IoT Platform

4 min read - The last decade has seen an explosion of IoT devices across a multitude of industries. With that rise has come the need for centralized systems to perform data collection and device management, commonly called IoT Platforms. One such platform, ThingsBoard, was the recent subject of research by IBM Security X-Force. While there has been a lot of discussion around the security of IoT devices themselves, there is far less conversation around the security of the platforms these devices connect with.…

4 min read

Patch Tuesday -> Exploit Wednesday: Pwning Windows Ancillary Function Driver for WinSock (afd.sys) in 24 Hours

12 min read - ‘Patch Tuesday, Exploit Wednesday’ is an old hacker adage that refers to the weaponization of vulnerabilities the day after monthly security patches become publicly available. As security improves and exploit mitigations become more sophisticated, the amount of research and development required to craft a weaponized exploit has increased. This is especially relevant for memory corruption vulnerabilities.Figure 1 — Exploitation timelineHowever, with the addition of new features (and memory-unsafe C code) in the Windows 11 kernel, ripe new attack surfaces can…

12 min read

Backdoor Deployment and Ransomware: Top Threats Identified in X-Force Threat Intelligence Index 2023

4 min read - Deployment of backdoors was the number one action on objective taken by threat actors last year, according to the 2023 IBM Security X-Force Threat Intelligence Index — a comprehensive analysis of our research data collected throughout the year. Backdoor access is now among the hottest commodities on the dark web and can sell for thousands of dollars, compared to credit card data — which can go for as low as $10. On the dark web — a veritable eBay for…

4 min read

Direct Kernel Object Manipulation (DKOM) Attacks on ETW Providers

17 min read - Overview In this post, IBM Security X-Force Red offensive hackers analyze how attackers, with elevated privileges, can use their access to stage Windows Kernel post-exploitation capabilities. Over the last few years, public accounts have increasingly shown that less sophisticated attackers are using this technique to achieve their objectives. It is therefore important that we put a spotlight on this capability and learn more about its potential impact. Specifically, in this post, we will evaluate how Kernel post-exploitation can be used…

17 min read