Technical Field
This disclosure relates generally to identifying and remediating application vulnerabilities using static analysis tools.
Background of the Related Art
Today, most organizations depend on web-based software and systems to run their business processes, conduct transactions with suppliers, and deliver sophisticated services to customers. Unfortunately, many organizations invest little to no effort in ensuring that those applications are secure. Web-based systems can compromise the overall security of organizations by introducing vulnerabilities that hackers can use to gain access to confidential company information or customer data.
To address this deficiency, static analysis tools and services have been developed. Static security analysis (or “static analysis” for short) solutions help organizations address web and mobile application vulnerabilities through a secure-by-design approach. This approach embeds security testing into the software development lifecycle itself, providing organizations with the tools they require to develop more secure code. Static analysis tools are often used by computer software developers to provide information about computer software while applying only static considerations (i.e., without executing the computer software application). Such tools simplify remediation by identifying vulnerabilities in web and mobile applications prior to their deployment, generating results (reports and fix recommendations) through comprehensive scanning, and combining dynamic analysis and hybrid glass-box testing (run-time analysis, also known as interactive application security testing) with static taint analysis for improved accuracy. A representative commercial offering of this type is IBM® Security AppScan®, which enhances web application security and mobile application security, improves application security program management and strengthens regulatory compliance.
Typically, application analysis tools of this type produce security “findings” that summarize security vulnerabilities residing in application source code. A complete set of static security findings is typically modeled as a set of “traces,” wherein a trace is a code execution path that starts with a “source” (a point at which malicious user input can enter the application), passes through one or more internal nodes, and ends in a “sink” (an operation whose execution on that input has a security impact on the application). After being generated by an analysis engine, these traces typically are then presented in a user interface of the security software. While these techniques provide very useful information to the developer, multiple traces may share most of their nodes and differ from one another in only a small number of nodes. As a result, the findings are often difficult to consume, especially as the number of possible traces becomes very large. In such a circumstance, a user can easily lose focus on which findings should have priority for investigation and mitigation.
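The following is an added illustration, not part of this disclosure or of any product named above, of the trace model just described and of the problem that near-duplicate traces create. It represents each trace as an ordered tuple of node names (source, internal nodes, sink), uses a constructed set of four findings (the method names are illustrative placeholders, not output of any real analysis engine), and shows how three of them collapse into one summary entry because they share an identical internal path and differ only at the source or the sink. It also locates the internal node present on the most traces, which is where a single validation change would address the largest number of findings.

```python
"""Grouping static-analysis taint traces that share most of their nodes.

Constructed example; node names are illustrative, not output of any
particular analysis engine.
"""
from collections import Counter, defaultdict
from typing import Dict, List, Set, Tuple

# A trace is an ordered code path: source -> internal nodes -> sink.
Trace = Tuple[str, ...]

# Constructed findings: three traces share the same internal path and differ
# only at the source or the sink; a fourth takes a different path.
CONSTRUCTED_TRACES: List[Trace] = [
    ("HttpServlet.getParameter", "Form.parse", "Validator.check", "Query.build", "Statement.execute"),
    ("HttpServlet.getParameter", "Form.parse", "Validator.check", "Query.build", "Statement.executeUpdate"),
    ("HttpServlet.getHeader",    "Form.parse", "Validator.check", "Query.build", "Statement.execute"),
    ("HttpServlet.getParameter", "Form.parse", "Render.escape",   "Response.write"),
]


def source(trace: Trace) -> str:
    return trace[0]


def sink(trace: Trace) -> str:
    return trace[-1]


def internal_path(trace: Trace) -> Trace:
    """The nodes between source and sink, in order."""
    return trace[1:-1]


def node_frequency(traces: List[Trace]) -> Counter:
    """Number of traces each node appears on (a node is counted once per trace)."""
    freq: Counter = Counter()
    for t in traces:
        freq.update(list(dict.fromkeys(t)))  # dedupe within a trace, keep order
    return freq


def common_nodes(traces: List[Trace]) -> Set[str]:
    """Nodes present on every trace in the set."""
    node_sets = [set(t) for t in traces]
    return set.intersection(*node_sets) if node_sets else set()


def best_cut_node(traces: List[Trace]) -> str:
    """Internal node that lies on the most traces. Validating or sanitizing
    input at that node addresses the largest number of findings at once."""
    freq: Counter = Counter()
    for t in traces:
        freq.update(list(dict.fromkeys(internal_path(t))))
    return freq.most_common(1)[0][0]


def summarize(traces: List[Trace]) -> List[dict]:
    """Collapse traces with an identical internal path into one summary entry
    listing the distinct sources and sinks that use that path. Entries are
    ordered by how many raw traces they absorb, so the largest cluster is
    seen first instead of near-duplicate paths one by one."""
    groups: Dict[Trace, List[Trace]] = defaultdict(list)
    for t in traces:
        groups[internal_path(t)].append(t)
    summary = [
        {
            "path": path,
            "count": len(members),
            "sources": {source(t) for t in members},
            "sinks": {sink(t) for t in members},
        }
        for path, members in groups.items()
    ]
    summary.sort(key=lambda e: e["count"], reverse=True)
    return summary


if __name__ == "__main__":
    for entry in summarize(CONSTRUCTED_TRACES):
        print(f"{entry['count']} trace(s) via {' -> '.join(entry['path'])}")
        print(f"   sources: {sorted(entry['sources'])}")
        print(f"   sinks:   {sorted(entry['sinks'])}")
    print("cut node:", best_cut_node(CONSTRUCTED_TRACES))
```

Run stand-alone, the script prints two summary entries instead of four raw traces: the shared path Form.parse -> Validator.check -> Query.build absorbs three findings with two sources and two sinks, and Form.parse is reported as the node common to every trace. Grouping by internal path is one simple choice; a production tool would also weigh severity and sink type when ordering the entries.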