We’ve all been there — that magical time when you have finally automated your application security testing tools to run nightly and are receiving testing results. You breathe a big sigh of relief. Then, when you return to your office the following day, your relief turns to horror as you are inundated with tens or hundreds of thousands of security warnings from the previous night’s scans. Going through all of those alerts one by one to separate the real security issues from the impostors (a process referred to as triage) could take weeks or months of time that you simply don’t have. Now what do you do?
It’s a conundrum that we all face: too many security warnings to sort through and not enough time. If you can automate the application security testing, why can’t you automate the triage? How can that be so hard? Enter the savior: Intelligent Finding Analytics (IFA).
What Is IFA?
IFA consists of several technologies utilized over several execution phases. The first phase uses cognitive learning to think like a security expert. With this baked-in knowledge, IFA can discern between a security warning representing a real vulnerability compared to a potential false positive. Additionally, the machine knows how to prioritize the problems it does find of interest.
But it doesn’t end there. The second phase of IFA uses understood and proven heuristics that we have discovered through years of using the security tool in real-world situations. These heuristics are applied to remove uninteresting or false security warnings, further reducing a security analyst’s workload.
Of course, we saved the best for last. The final phase of IFA includes what we call Fix Point Analysis. Fix Point Analysis takes the real security warnings that the machine generates during the initial phases of IFA and treats them as symptoms of an overall issue.
For example, if your code generates 10 security warnings, and each of those warnings contains tainted data that flows through a common intermediate code block or trace node, we can group those 10 traces on a common node. This capability results in a single overall location in the code where a developer can fix all 10 security warnings at once. This technique uses symptoms (i.e., security warnings) turned into fix-point sets to provide security analysts with the proper context in which they can focus on a single set of fixes at once.
IFA: Improving the Effectiveness of Your Application Security Testing Program
Let’s take a look at how IFA can improve your application security testing program. Consider John Smith, who works at a fictional company. He has to scan and triage security warnings for more than 60 applications. In addition, he’s tasked with distributing the issues that he finds to be true vulnerabilities to the appropriate developers. The scans in total produce over 160,000 findings.
The old way of triaging would be to look through each security warning and identify patterns that indicate whether an issue is real or an impostor. That is a tedious and time-consuming process. Most security scanning tools offer some assistance in the form of filters. But using filters is not automatic; it takes time and effort to set them up. Furthermore, usage of filters must be done through an iterative approach, which can be very inefficient. A solid understanding of general security practices and of the various vulnerabilities found in applications are required for this type of analysis.
Now let’s take a look at that same situation, but this time using IFA. John performs the same scans of the same 60 applications. The first and second phases of IFA execute immediately after the scan is completed, resulting in a reduced set of security warnings. In this case, John ends up with 14,000 security warnings for all 60 applications instead of 160,000 — IFA’s removal of false positives and noise resulted in 91 percent fewer warnings! If IFA stopped there, the resulting finding set would be more manageable for him, but it is still difficult and time-consuming to address 14,000 red flags.
Fortunately for John, IFA doesn’t stop there. The final phase of IFA groups the resulting security warnings into 300 overall issues (fix points). The real power here is that the 160,000 findings that John started with are now reduced to about 300 issues in total — about five issues per app. More than 98 percent of security warnings have been eliminated. When John returns to the office in the morning, all he has to do is distribute a handful of issues to the developers on each of the application teams, allowing them to focus on the issues that are of highest priority to the organization.
All of this processing is performed automatically through IFA, without the need for John to interact with anything. No special security knowledge was required from John and no manual triage steps were required.
If you are constantly under pressure to review application security testing results more quickly and you feel like you are fighting a losing battle, IFA is something you need to check out. It’s a revolutionary new way of looking at security tool results.
It’s not about the problem areas of your code; it’s about finding the most efficient ways to fix your code. It’s as if your friendly neighborhood security expert showed up and did all the work for you, and you still get all the credit.
To Learn More
IFA is available as a Static Analyzer feature of IBM’s Application Security on Cloud offering and has recently been extended to IBM Security AppScan Source. You can learn more about IFA’s capabilities by listening to our webinar below, titled “Leverage IBM’s Cognitive Technology to Think Like a Security Expert.”
Watch the On-Demand Webinar Now
And, to extend your application source code testing knowledge, register for your complimentary trial plan of Application Security on Cloud today.
This post was updated on June 2, 2017, to reflect new IBM offerings.
Lead Security Analytics Researcher, IBM
Kristofer Duer is a Java programmer with a specialty in analytics. He has worked in the application security field for the last five years on IBM Security Ap...