Technical Field
This disclosure relates generally to identifying and remediating application vulnerabilities using static analysis tools.
Background of the Related Art
Today, most organizations depend on web-based software and systems to run their business processes, conduct transactions with suppliers, and deliver sophisticated services to customers. Unfortunately, many organizations invest little to no effort in ensuring that those applications are secure. Web-based systems can compromise the overall security of organizations by introducing vulnerabilities that hackers can use to gain access to confidential company information or customer data. Web and mobile applications, in particular, increasingly are the target of many attacks and attack types. These include, for example, cross-site scripting (XSS), cross-application scripting (XAS), SQL injection (SQLi), log forging, and many others.
Given the size and complexity of modern software, which often consists of multiple abstraction layers, includes large third-party libraries, and performs non-trivial pointer-based computations, there is a clear and growing need for automated methods for detecting potential security vulnerabilities, such as those mentioned above. To address this need, static analysis tools and services have been developed. Static security analysis (or “static analysis” for short) solutions help organizations address web and mobile application vulnerabilities through a secure-by-design approach. This approach embeds security testing into the software development lifecycle itself, providing organizations with the tools they require to develop more secure code. Static analysis tools are often used by computer software developers to provide information about computer software while applying only static considerations (i.e., without executing the computer software application). Such tools simplify remediation by identifying vulnerabilities in web and mobile applications prior to their deployment, generating results (reports and fix recommendations) through comprehensive scanning, and, for greater accuracy, combining static taint analysis with dynamic and hybrid glass-box analyses (run-time analysis, also known as integrated application security testing). Static analysis may be implemented as a standalone (e.g., desktop) tool “on-premises,” or provided “as a service” using cloud-based resources. A representative commercial offering of this type is IBM® Security AppScan®, which enhances web application security and mobile application security, improves application security program management and strengthens regulatory compliance.
While static analysis has shown impressive success as an industry solution, some existing tools often report many false findings. This is not necessarily surprising, as automated analysis tools are challenged by the need to scale to large programs while executing quickly and efficiently. There are also aspects of various web and mobile applications that are difficult to model accurately, such as path conditions and deployment settings (e.g., browser version, back-end database, or the like). For the user, however, a significant usability barrier to such products and services is the need to review a prohibitive number of findings, most of which are false warnings. The user has to spend a long time on each finding, and a false alarm is typically harder to confirm as such than a true vulnerability is, because the user is usually in doubt whether he or she is missing something when concluding that the defect reported by the analysis is not a real one.
One available way to reduce the size of the problem space is for the user to influence which findings the analysis reports and how those findings are reported. For example, by editing the applicable security rules, the user can request that the system not report any potential vulnerability that involves a certain resource, such as database APIs. The user also can control the severity level of a particular security rule, which has the effect of adjusting or modifying the category and priority assigned to a security alarm. While configuring security rules in this manner provides some advantages in addressing the problem, there remains a need to address the usability problem of the reports generated by static security analysis.
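As an added illustration, not part of this disclosure or of any product it names, the following Python applies user-edited security rules of the two kinds just described (suppress findings involving a resource, change the severity of a rule) to a constructed set of static-analysis findings. The Finding and SecurityRule structures, the API names on the taint paths and the severity-to-priority mapping are assumptions for the example, not any tool's actual rule format.

```python
from dataclasses import dataclass
from typing import List, Optional
import fnmatch
SEVERITY_PRIORITY = {"high": 1, "medium": 2, "low": 3, "info": 4}  # lower value = reported first

@dataclass
class Finding:
    vuln_type: str     # e.g. "SQLi", "XSS", "LogForging"
    severity: str      # key of SEVERITY_PRIORITY
    flow: List[str]    # taint path from source API to sink API (assumed representation)

@dataclass
class SecurityRule:
    kind: str                            # "suppress_resource" or "set_severity"
    vuln_type: Optional[str] = None      # None: rule applies to every vulnerability type
    resource_glob: Optional[str] = None  # glob matched against APIs on the flow (suppress_resource)
    severity: Optional[str] = None       # replacement severity level (set_severity)

def involves_resource(finding: Finding, pattern: str) -> bool:  # any API on the path matches
    return any(fnmatch.fnmatchcase(api, pattern) for api in finding.flow)

def apply_rules(findings: List[Finding], rules: List[SecurityRule]) -> List[Finding]:
    """Findings still reported after the user's rule edits, ordered by priority."""
    reported = []
    for f in findings:
        severity, suppressed = f.severity, False
        for rule in rules:
            if rule.vuln_type not in (None, f.vuln_type):
                continue  # rule is scoped to a different vulnerability type
            if rule.kind == "suppress_resource" and rule.resource_glob and involves_resource(f, rule.resource_glob):
                suppressed = True
                break
            if rule.kind == "set_severity":
                severity = rule.severity  # later rules override earlier ones
        if not suppressed:
            reported.append(Finding(f.vuln_type, severity, f.flow))
    return sorted(reported, key=lambda r: SEVERITY_PRIORITY[r.severity])

# Constructed findings: one tainted request parameter reaching several sinks.
SAMPLE_FINDINGS = [
    Finding("SQLi", "high", ["HttpServletRequest.getParameter", "java.sql.Statement.executeQuery"]),
    Finding("XSS", "high", ["HttpServletRequest.getParameter", "java.io.PrintWriter.print"]),
    Finding("LogForging", "medium", ["HttpServletRequest.getParameter", "org.apache.log4j.Logger.info"]),
    Finding("SQLi", "high", ["HttpServletRequest.getHeader", "java.sql.PreparedStatement.setString"]),
]
# Constructed user edits: stop reporting anything that involves database APIs; demote log forging.
SAMPLE_RULES = [
    SecurityRule("suppress_resource", resource_glob="java.sql.*"),
    SecurityRule("set_severity", vuln_type="LogForging", severity="low"),
]
```

Running apply_rules(SAMPLE_FINDINGS, SAMPLE_RULES) drops both findings whose taint path touches a java.sql API and reports the remaining two as XSS (high) and log forging (low); note that the resource suppression hides every flow through the matched APIs, not only the ones the user had in mind.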