Secure applications and systems are an important concern for organizations, which are starting to realize their pronounced exposure to threats from both inside and outside the enterprise. When organizations embark on security programs, the primary objective is to quantify, reduce and mitigate the risk exposure of applications. Current technology fixes application vulnerabilities through dynamic security assessment, static security assessment and manual security assessment of one or more applications, together with information technology security controls and processes.
Web application security assessments operate as dynamic security assessments, which simulate how an attacker would attack a web application without knowledge of its code. The attacker supplies various inputs, tries to understand how the application works, and exploits the vulnerabilities present in the application. In a static code security assessment, on the other hand, the code is assessed for known patterns of code constructs that could potentially lead to a vulnerability. Most often the results from a static code analyzer do not show how the application could be exploited by an attacker, and the analyzer also generates quite a lot of false positives.
Though it is important for both these types of assessment to be performed so that security vulnerabilities can be identified early in the Software Development Life Cycle (SDLC) and fixed, most often there is no common mapping between the vulnerability instances found by these two different types of security assessment. This often leads to vulnerability remediation programs that work purely on individual assessment recommendations and the knowledge of the developer, and it is quite time and cost intensive to remediate the vulnerabilities.
Thus no mechanism currently exists to seamlessly correlate these assessment results for working on a remediation mechanism. Most of the critical vulnerabilities are not accurately fixed by the present approach. The existing product vendors and technologies are aligned to specific vulnerability identification techniques, such as static security assessment or dynamic security assessment, and there is no clear-cut mechanism to apply these findings in remediation of these vulnerabilities. Both types of assessment technique produce heavy false positives, resulting in a huge impact on human effort for correlation.
In view of the foregoing discussion, there is a need for a unified approach to correlate the static and the dynamic security findings for better and quicker remediation of application vulnerabilities.
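To make the correlation problem described above concrete, the following added example (not part of the original text, and not the method the page goes on to describe) joins constructed static-analysis findings with constructed dynamic-scan findings on a shared key. The key used here, a CWE identifier plus a normalized request route and parameter name, and the sample findings are assumptions chosen for illustration; a finding that both assessments report becomes a confirmed, higher-priority remediation item, while findings seen by only one assessment are kept separately for triage as possible false positives.

```python
"""Correlate static (SAST) and dynamic (DAST) findings on a shared key.

Added example with constructed data: the findings below are invented, and the
matching rule (same CWE, same normalized route, same parameter name) is an
assumption made for illustration, not the method described in the page.
"""
from dataclasses import dataclass, field
from urllib.parse import urlsplit


@dataclass(frozen=True)
class SastFinding:
    cwe: str        # weakness class reported by the static analyzer, e.g. "CWE-89"
    route: str      # request route handled by the tainted code path
    param: str      # request parameter that reaches the dangerous sink
    file: str       # source location the developer must fix
    line: int


@dataclass(frozen=True)
class DastFinding:
    cwe: str        # weakness class reported by the dynamic scanner
    url: str        # full URL the scanner exercised
    param: str      # parameter the scanner found to be vulnerable


@dataclass
class Correlated:
    cwe: str
    route: str
    param: str
    sast: list = field(default_factory=list)
    dast: list = field(default_factory=list)


def normalize_route(url_or_path):
    """Reduce a URL or path to a route template so both sides compare equal.

    Host, query string and trailing slashes are dropped, and purely numeric
    path segments are replaced by "{id}" so "/users/42" matches "/users/{id}".
    """
    path = urlsplit(url_or_path).path or "/"
    parts = [("{id}" if p.isdigit() else p) for p in path.strip("/").split("/") if p]
    return "/" + "/".join(parts)


def correlate(sast, dast):
    """Group findings from both assessments under one (cwe, route, param) key."""
    groups = {}
    for s in sast:
        key = (s.cwe, normalize_route(s.route), s.param.lower())
        groups.setdefault(key, Correlated(*key)).sast.append(s)
    for d in dast:
        key = (d.cwe, normalize_route(d.url), d.param.lower())
        groups.setdefault(key, Correlated(*key)).dast.append(d)
    return groups


def classify(groups):
    """Split groups into confirmed (both sources), static-only and dynamic-only."""
    confirmed, static_only, dynamic_only = [], [], []
    for g in groups.values():
        if g.sast and g.dast:
            confirmed.append(g)      # exploitable at runtime and located in code
        elif g.sast:
            static_only.append(g)    # candidate false positive or unreachable code
        else:
            dynamic_only.append(g)   # confirmed exposure with no code location yet
    by_route = lambda gs: sorted(gs, key=lambda g: (g.route, g.param))
    return by_route(confirmed), by_route(static_only), by_route(dynamic_only)


# Constructed sample findings (invented for this example).
SAST_FINDINGS = [
    SastFinding("CWE-89", "/login", "username", "Login.java", 42),
    SastFinding("CWE-79", "/search", "q", "Search.java", 17),
    SastFinding("CWE-89", "/users/{id}", "id", "Users.java", 88),
    SastFinding("CWE-79", "/admin/report", "title", "Report.java", 5),
]
DAST_FINDINGS = [
    DastFinding("CWE-89", "https://app.example.test/login?username=x", "username"),
    DastFinding("CWE-79", "https://app.example.test/search/", "Q"),
    DastFinding("CWE-89", "https://app.example.test/users/42", "id"),
    DastFinding("CWE-22", "https://app.example.test/download", "file"),
]


def run_correlation():
    """Return (confirmed, static_only, dynamic_only) for the sample findings."""
    return classify(correlate(SAST_FINDINGS, DAST_FINDINGS))


if __name__ == "__main__":
    confirmed, static_only, dynamic_only = run_correlation()
    for g in confirmed:
        loc = ", ".join(f"{s.file}:{s.line}" for s in g.sast)
        print(f"CONFIRMED {g.cwe} {g.route} [{g.param}] fix at {loc}")
    print(f"{len(static_only)} static-only, {len(dynamic_only)} dynamic-only to triage")
```

The route normalization is where most real-world effort goes: static tools report code locations and dynamic tools report URLs, so a route template that both can be mapped onto is the common key the text says is missing. Case-folding the parameter name and stripping host and query string keep equivalent findings from splitting into separate groups.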