Technical Field
This disclosure relates generally to identifying and remediating application vulnerabilities using static analysis tools.
Background of the Related Art
Today, most organizations depend on web-based software and systems to run their business processes, conduct transactions with suppliers, and deliver sophisticated services to customers. Unfortunately, many organizations invest little to no effort in ensuring that those applications are secure. Web-based systems can compromise the overall security of organizations by introducing vulnerabilities that hackers can use to gain access to confidential company information or customer data.
To address this deficiency, static analysis tools and services have been developed. Static security analysis (or “static analysis” for short) solutions help organizations address web and mobile application vulnerabilities through a secure-by-design approach. This approach embeds security testing into the software development lifecycle itself, providing organizations with the tools they require to develop more secure code. Static analysis tools are often used by computer software developers to provide information about computer software while applying only static considerations (i.e., without executing the computer software application). Such tools simplify remediation by identifying vulnerabilities in web and mobile applications prior to their deployment, generating results (reports and fix recommendations) through comprehensive scanning, and combining advanced dynamic and innovative hybrid analyses of glass-box testing (run-time analysis, also known as integrated application security testing) with static taint analysis for superior accuracy. A representative commercial offering of this type is IBM® Security AppScan®, which enhances web application security and mobile application security, improves application security program management, and strengthens regulatory compliance.
Typically, application analysis tools of this type are delivered to end users as traditional software packages, which the user is responsible for installing, configuring and maintaining. With this model, there are many obstacles to quickly and effectively incorporating security analysis into application development lifecycles. For example, prior to actually performing any security analysis, the user first needs to download and install the tool, address licensing and user management issues for the tool, and then understand where and how to integrate the functionality into existing build and development workflows. The user also has to have basic familiarity with the tool interface and how to configure the product for scanning. In addition to these basic challenges, additional obstacles often arise during use of the tool due to the sensitive nature of application security findings that the tool generates. In particular, because these findings can be used as a guide for a malicious user to attack an application, users typically are not willing to share security data, even with other teams in their own organization. This leads to several sub-optimal behaviors or outcomes, namely: little or no cross-team or cross-user collaboration on security analysis best practices or issue remediation, a lack of interaction or feedback loops between the user and the tool provider to help improve the analysis tool in terms of accuracy, performance or usefulness of the findings, as well as significant duplication of work, which occurs as many users scan the same source components.