1. Field of the Invention.
This invention relates generally to application security. More specifically, this invention relates to a method of merging and correlating results from static and dynamic application security testing of web applications.
2. Description of the Related Art.
The modern world runs on information technology, and information technology is powered by software. Software is a vital component of how governments and organizations provide basic services like power and water, and provides the communication networks underpinning modern life. Disruptions of these systems can result in significant hardship and even loss of life.
Unfortunately, most software is plagued with serious vulnerabilities. According to one report, on average, 79 vulnerabilities are found in a typical website during a year. Only 63% of these vulnerabilities are ever remediated, and the average time to fix for a vulnerability is 38 days. This results in an average window of exposure of 231 days.
The ongoing proliferation of websites and web applications that deal with sensitive data makes this problem even more challenging, because many organizations find that their application portfolio is ever-expanding. This trend forces organizations to deal with the problem of the scale of their software portfolios if the problem is to be addressed in an economically viable manner.
There are two leading classes of tools used to conduct automated security testing: static analysis tools and dynamic analysis tools. Static analysis tools look at software artifacts (such as source code or binaries) “at rest.” These tools analyze program structure, control flow, data flow, and semantics and apply different rules and pattern mapping to identify potential security vulnerabilities. Static analysis tools provide a code-level view of the application and its security state.
On the other hand, dynamic analysis tools look at a running instance of the web application software, map out the structure of the application as observed from the outside in a way similar to a legitimate user navigating the application, and then attempt to send malformed requests to the application. A dynamic scanner then analyzes the request and response traffic and applies pattern-mapping to identify interactions that reflect an application vulnerability.
Both types of analysis tools have strengths and weaknesses, and some are better at finding certain classes of vulnerabilities than others. Static analysis tools provide a systems-level view of vulnerabilities. Because they work at a code level, they can provide specific information about the location of vulnerabilities, which can be beneficial for software programmers looking to implement source code changes that address identified security issues. However, static analysis tools can be prone to false positives because they do not have full knowledge of how the final running system will behave.
On the other hand, dynamic analysis tools provide an architectural and threat view of vulnerabilities. This outside-in view typically requires additional analysis before the location of the required code-level changes is known. Their findings are based on observations of a running system, so they can help to reduce false positives by reflecting the “ground truth” of the system's behavior. With that said, some degree of false positives should be expected from any automated assessment tool.
Applications can become quite large, so dealing with the vulnerability data resulting from scans is a significant issue. Running multiple types of software analysis can be valuable both to find more vulnerabilities and to reveal more data about previously identified vulnerabilities. Increased data can be valuable when it provides deeper insight into vulnerabilities; however, increased data can also be of lesser value when it makes the overall problem harder to manage by requiring too much manual analyst review or by highlighting large numbers of potential vulnerabilities and weaknesses that are of low value or priority.
Currently, there is no easy and/or reliable way to correlate results from static analysis tools with results from dynamic analysis tools. This “deficiency” in the art may lead to misinterpreting reports by identifying two distinct vulnerabilities—one from static findings, one from dynamic findings—when really only one vulnerability exists. Also, correlations between static and dynamic testing results may not be taken into account when determining the priority by which vulnerabilities need to be addressed.
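As an added illustration of the correlation problem described above (example code, not the patent's own method): a merge that keys static and dynamic findings on vulnerability class, normalized URL path and parameter name, so that one real vulnerability reported by both tools becomes one record rather than two, and its priority reflects that both views agree. The finding fields, the matching key and the priority ranking are assumptions of this example, and the sample findings are constructed.

```python
from dataclasses import dataclass, field
from urllib.parse import urlsplit

# Finding shapes below are assumptions for this example, not any scanner's real schema.
@dataclass
class StaticFinding:
    vuln_class: str   # normalized class name, e.g. "sql_injection"
    location: str     # "file:line" of the vulnerable sink (the code-level view)
    route: str        # URL route the analyzer attributes that sink to
    parameter: str    # tainted input parameter

@dataclass
class DynamicFinding:
    vuln_class: str
    url: str          # URL the scanner sent the malformed request to (may carry a query)
    parameter: str    # parameter the payload was sent in

@dataclass
class MergedFinding:
    vuln_class: str
    path: str
    parameter: str
    static_refs: list = field(default_factory=list)   # code locations (static view)
    dynamic_refs: list = field(default_factory=list)  # URLs that reproduced it (dynamic view)

    def priority(self) -> int:
        # Assumed ranking: 1 = both views agree, 2 = observed on the running
        # system only, 3 = static-only (the most likely false positive).
        if self.static_refs and self.dynamic_refs:
            return 1
        return 2 if self.dynamic_refs else 3

def normalize_path(url: str) -> str:
    # Drop scheme, host, query and trailing slash so "/Search/?q=1" matches "/search".
    return urlsplit(url).path.lower().rstrip("/") or "/"

def correlate(static, dynamic) -> dict:
    # One entry per (class, path, parameter); both tools' evidence lands in the same record.
    merged = {}
    for s in static:
        key = (s.vuln_class, normalize_path(s.route), s.parameter.lower())
        merged.setdefault(key, MergedFinding(*key)).static_refs.append(s.location)
    for d in dynamic:
        key = (d.vuln_class, normalize_path(d.url), d.parameter.lower())
        merged.setdefault(key, MergedFinding(*key)).dynamic_refs.append(d.url)
    return merged

# Constructed sample results, not output of any real scan.
SAMPLE_STATIC = [StaticFinding("sql_injection", "app/search.py:42", "/search", "q"),
                 StaticFinding("xss", "app/profile.py:17", "/profile", "name")]
SAMPLE_DYNAMIC = [DynamicFinding("sql_injection", "/Search/?q=1", "q"),
                  DynamicFinding("xss", "/comments", "body")]
```

Running `correlate(SAMPLE_STATIC, SAMPLE_DYNAMIC)` collapses the four raw findings into three records: the SQL injection on `/search` is corroborated by both tools and ranks first, while the two XSS findings remain single-source and keep their code location or URL for follow-up.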