We’ve all been there — that magical time when you have finally automated your application security testing tools to run nightly and are receiving testing results. You breathe a big sigh of relief. Then, when you return to your office the following day, your relief turns to horror as you are inundated with tens or hundreds of thousands of security warnings from the previous night’s scans. Going through all of those alerts one by one to separate the real security issues from the impostors (a process referred to as triage) could take weeks or months of time that you simply don’t have. Now what do you do?

It’s a conundrum that we all face: too many security warnings to sort through and not enough time. If you can automate the application security testing, why can’t you automate the triage? How can that be so hard? Enter the savior: Intelligent Finding Analytics (IFA).

What Is IFA?

IFA consists of several technologies utilized over several execution phases. The first phase uses cognitive learning to think like a security expert. With this baked-in knowledge, IFA can discern between a security warning representing a real vulnerability compared to a potential false positive. Additionally, the machine knows how to prioritize the problems it does find of interest.

But it doesn’t end there. The second phase of IFA uses understood and proven heuristics that we have discovered through years of using the security tool in real-world situations. These heuristics are applied to remove uninteresting or false security warnings, further reducing a security analyst’s workload.

Of course, we saved the best for last. The final phase of IFA includes what we call Fix Point Analysis. Fix Point Analysis takes the real security warnings that the machine generates during the initial phases of IFA and treats them as symptoms of an overall issue.

For example, if your code generates 10 security warnings, and each of those warnings contains tainted data that flows through a common intermediate code block or trace node, we can group those 10 traces on a common node. This capability results in a single overall location in the code where a developer can fix all 10 security warnings at once. This technique uses symptoms (i.e., security warnings) turned into fix-point sets to provide security analysts with the proper context in which they can focus on a single set of fixes at once.

IFA: Improving the Effectiveness of Your Application Security Testing Program

Let’s take a look at how IFA can improve your application security testing program. Consider John Smith, who works at a fictional company. He has to scan and triage security warnings for more than 60 applications. In addition, he’s tasked with distributing the issues that he finds to be true vulnerabilities to the appropriate developers. The scans in total produce over 160,000 findings.

The old way of triaging would be to look through each security warning and identify patterns that indicate whether an issue is real or an impostor. That is a tedious and time-consuming process. Most security scanning tools offer some assistance in the form of filters. But using filters is not automatic; it takes time and effort to set them up. Furthermore, usage of filters must be done through an iterative approach, which can be very inefficient. A solid understanding of general security practices and of the various vulnerabilities found in applications are required for this type of analysis.

Now let’s take a look at that same situation, but this time using IFA. John performs the same scans of the same 60 applications. The first and second phases of IFA execute immediately after the scan is completed, resulting in a reduced set of security warnings. In this case, John ends up with 14,000 security warnings for all 60 applications instead of 160,000 — IFA’s removal of false positives and noise resulted in 91 percent fewer warnings! If IFA stopped there, the resulting finding set would be more manageable for him, but it is still difficult and time-consuming to address 14,000 red flags.

Fortunately for John, IFA doesn’t stop there. The final phase of IFA groups the resulting security warnings into 300 overall issues (fix points). The real power here is that the 160,000 findings that John started with are now reduced to about 300 issues in total — about five issues per app. More than 98 percent of security warnings have been eliminated. When John returns to the office in the morning, all he has to do is distribute a handful of issues to the developers on each of the application teams, allowing them to focus on the issues that are of highest priority to the organization.

All of this processing is performed automatically through IFA, without the need for John to interact with anything. No special security knowledge was required from John and no manual triage steps were required.

Conclusion

If you are constantly under pressure to review application security testing results more quickly and you feel like you are fighting a losing battle, IFA is something you need to check out. It’s a revolutionary new way of looking at security tool results.

It’s not about the problem areas of your code; it’s about finding the most efficient ways to fix your code. It’s as if your friendly neighborhood security expert showed up and did all the work for you, and you still get all the credit.

To Learn More

IFA is available as a Static Analyzer feature of IBM’s Application Security on Cloud offering and has recently been extended to IBM Security AppScan Source. You can learn more about IFA’s capabilities by listening to our webinar below, titled  “Leverage IBM’s Cognitive Technology to Think Like a Security Expert.”

Watch the On-Demand Webinar Now

And, to extend your application source code testing knowledge, register for your complimentary trial plan of Application Security on Cloud today.


This post was updated on June 2, 2017, to reflect new IBM offerings. 

More from Application Security

Patch Tuesday -> Exploit Wednesday: Pwning Windows Ancillary Function Driver for WinSock (afd.sys) in 24 Hours

‘Patch Tuesday, Exploit Wednesday’ is an old hacker adage that refers to the weaponization of vulnerabilities the day after monthly security patches become publicly available. As security improves and exploit mitigations become more sophisticated, the amount of research and development required to craft a weaponized exploit has increased. This is especially relevant for memory corruption vulnerabilities.Figure 1 — Exploitation timelineHowever, with the addition of new features (and memory-unsafe C code) in the Windows 11 kernel, ripe new attack surfaces can…

Backdoor Deployment and Ransomware: Top Threats Identified in X-Force Threat Intelligence Index 2023

Deployment of backdoors was the number one action on objective taken by threat actors last year, according to the 2023 IBM Security X-Force Threat Intelligence Index — a comprehensive analysis of our research data collected throughout the year. Backdoor access is now among the hottest commodities on the dark web and can sell for thousands of dollars, compared to credit card data — which can go for as low as $10. On the dark web — a veritable eBay for…

Direct Kernel Object Manipulation (DKOM) Attacks on ETW Providers

Overview In this post, IBM Security X-Force Red offensive hackers analyze how attackers, with elevated privileges, can use their access to stage Windows Kernel post-exploitation capabilities. Over the last few years, public accounts have increasingly shown that less sophisticated attackers are using this technique to achieve their objectives. It is therefore important that we put a spotlight on this capability and learn more about its potential impact. Specifically, in this post, we will evaluate how Kernel post-exploitation can be used…

Detecting the Undetected: The Risk to Your Info

IBM’s Advanced Threat Detection and Response Team (ATDR) has seen an increase in the malware family known as information stealers in the wild over the past year. Info stealers are malware with the capability of scanning for and exfiltrating data and credentials from your device. When executed, they begin scanning for and copying various directories that usually contain some sort of sensitive information or credentials including web and login data from Chrome, Firefox, and Microsoft Edge. In other instances, they…