Monday, 7 March 2011
Introducing Real-Time Hybrid Correlation: SAST-DAST Issue Correlation
Real-Time Hybrid Correlation addresses the problems of individual vulnerability detection techniques by correlating vulnerability data from multiple sources. The most common complaint a security practitioner has when looking at results from a black-box analysis, like HP's WebInspect, is that the results are hard to act on. The most common complaint when looking at static analysis results (like Fortify SCA) is that they are prone to false positives. Correlating the results of both of these techniques overcomes the shortcomings of both to produce reliable, actionable results.
We have shown that we can enhance SCA to produce information which can glue black-box analysis results and static analysis issues together. Now we are providing a second key element, called Fortify SecurityScope, that produces the "glue" information required for correlation. SecurityScope has the unique capability to see both the web request and the execution of the code. The complete workflow, and how all of these pieces fit together, is shown below.
In action, the information gathering and correlation process goes as follows. First, the attack web request (http://company.com/index?name=' or '1'='1) is made by WebInspect to the webserver and is recorded by both WebInspect and SecurityScope. A unique id (ID=234) is used to correlate the WebInspect results with the SecurityScope results. Second, SecurityScope inspects the executed code (NewClass.java:27) and searches for similar, known issues produced by SCA. SCA reveals the analysis evidence in the code (Source: in.jsp:33:getParameter(), ..., Sink: NewClass.java:27:java.sql.Statement.executeQuery()). The result is three pieces of solid evidence for one issue.
This approach is extremely valuable in rooting out server-side injection bugs. Black-box analysis tools do a great job sending attack vectors to the application, but they have problems validating the intended impact of the attack on the server-side components and pointing out the problem in code. SecurityScope augments black-box testing by validating the attack. SCA does a great job pointing out the problem in code. Combined, these three techniques will revolutionize the way we do software security.
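The join described above, written out as an added example (this is not Fortify code and does not use any WebInspect, SecurityScope or SCA API): three constructed evidence records, one per tool, are correlated first on the request id that the black-box scanner and the runtime monitor share, and then on the sink location (file:line) that the runtime monitor and the static analyzer share. A second, constructed probe with no matching runtime observation shows how a finding that reached no known sink is left with black-box evidence only instead of being dropped or reported as confirmed.

```python
"""Minimal SAST/DAST/runtime correlator (added example, not vendor code).

The record types model the three pieces of evidence from the post:
a black-box finding (WebInspect-style), an in-process observation of the
executed sink (SecurityScope-style) and a static dataflow issue (SCA-style).
All field names and sample values are constructed for this example.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class DastFinding:
    request_id: str      # id the scanner tags each attack request with
    url: str             # the request that was sent
    category: str        # e.g. "SQL Injection"


@dataclass(frozen=True)
class RuntimeObservation:
    request_id: str      # same id, seen on the server side
    file: str            # source file of the sink that executed
    line: int
    sink: str            # API that consumed the request data


@dataclass(frozen=True)
class SastIssue:
    category: str
    source: str          # "file:line:api"
    sink: str            # "file:line:api"


@dataclass
class CorrelatedIssue:
    dast: DastFinding
    runtime: Optional[RuntimeObservation]
    sast: Optional[SastIssue]

    @property
    def evidence(self) -> int:
        """Number of independent evidence pieces: 1 (DAST only) to 3 (all)."""
        return 1 + (self.runtime is not None) + (self.sast is not None)


def sink_location(issue: SastIssue) -> Tuple[str, int]:
    """Parse "NewClass.java:27:java.sql.Statement.executeQuery()" into (file, line)."""
    file, line, _api = issue.sink.split(":", 2)
    return file, int(line)


def correlate(dast: List[DastFinding],
              runtime: List[RuntimeObservation],
              sast: List[SastIssue]) -> List[CorrelatedIssue]:
    """Join DAST -> runtime on request id, then runtime -> SAST on sink file:line."""
    by_request: Dict[str, RuntimeObservation] = {o.request_id: o for o in runtime}
    by_sink: Dict[Tuple[str, int], List[SastIssue]] = {}
    for issue in sast:
        by_sink.setdefault(sink_location(issue), []).append(issue)

    results = []
    for finding in dast:
        obs = by_request.get(finding.request_id)
        candidates = by_sink.get((obs.file, obs.line), []) if obs else []
        # Prefer a static issue of the same category; a different category at
        # the same sink is still code evidence but would need manual review.
        match = next((c for c in candidates if c.category == finding.category), None)
        results.append(CorrelatedIssue(finding, obs, match))
    return results


# Constructed sample records mirroring the post's walkthrough (ID=234), plus a
# second probe (ID=235) that never reached an instrumented sink.
SAMPLE_DAST = [
    DastFinding("234", "http://company.com/index?name=' or '1'='1", "SQL Injection"),
    DastFinding("235", "http://company.com/search?q=<probe>", "Cross-Site Scripting"),
]
SAMPLE_RUNTIME = [
    RuntimeObservation("234", "NewClass.java", 27, "java.sql.Statement.executeQuery()"),
]
SAMPLE_SAST = [
    SastIssue("SQL Injection", "in.jsp:33:getParameter()",
              "NewClass.java:27:java.sql.Statement.executeQuery()"),
]


def run_sample() -> List[CorrelatedIssue]:
    return correlate(SAMPLE_DAST, SAMPLE_RUNTIME, SAMPLE_SAST)


if __name__ == "__main__":
    for r in run_sample():
        where = f"{r.runtime.file}:{r.runtime.line}" if r.runtime else "no sink observed"
        src = r.sast.source if r.sast else "no static issue"
        print(f"[{r.evidence}/3] {r.dast.category} id={r.dast.request_id} "
              f"sink={where} source={src}")
```

A result with evidence 3 carries the request that triggered the bug, the sink that executed it and the dataflow path from source to sink, which is the actionable, low-false-positive output the post describes; anything at evidence 1 is an unvalidated scanner finding and stays queued for manual triage.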
Posted by at 12:00 PM in Fortify