SBIR-STTR Award

Code Ray: Software Assurance Risk Management Framework for Hybrid Analysis Mapping
Award last edited on: 4/29/2014

Sponsored Program
SBIR
Awarding Agency
DHS
Total Award Amount
$1,065,831
Award Phase
2
Solicitation Topic Code
H-SB013.1-002
Principal Investigator
Kenneth Prole

Company Information

Applied Visions Inc (AKA: AVI)

6 Bayview Avenue
Northport, NY 11768
(631) 759-3987
info2@avi.com
www.avi.com
Location: Multiple
Congr. District: 01
County: Suffolk

Phase I

Contract Number: ----------
Start Date: ----    Completed: ----
Phase I year
2013
Phase I Amount
$99,965
Two methods for analyzing software security risks are dynamic application security testing (DAST), an outside-in perspective, and static application security testing (SAST), an inside-out perspective. Both have shortfalls. DAST findings do not give insight into the root cause, making remediation time consuming. SAST tools give full breadth, but warn of weaknesses that are not exploitable. Correlating the results of both can overcome these individual challenges. Secure Decisions proposes Code Ray: Software Assurance Risk Management Framework for Hybrid Analysis Mapping to (1) improve the speed, accuracy and confidence in detection of vulnerabilities by cross-mapping and normalizing the output of hybrid techniques -- dynamic analysis, dynamic tracing, static analysis and static contextual analysis; (2) enhance prioritization and mitigation of vulnerabilities by providing both the run-time context for those vulnerabilities and their mapping to security standards; and (3) improve the rapid comprehension and assessment of risks associated with vulnerabilities by delivering results in a simplified risk management framework. We will build a Phase I TRL4 prototype to evaluate the technical feasibility of our approach and demonstrate results. Our approach will leverage current work on normalizing and correlating SAST tools and on dynamic tracing of runtime execution to prioritize SAST findings. This will also reduce technical and schedule risks. At the end of Phase II we will deliver a web-based tool to be deployed, used and evaluated in the Software Assurance Marketplace (SWAMP) research environment. A commercial version will be directed at software development teams and security auditing organizations.

Phase II

Contract Number: ----------
Start Date: ----    Completed: ----
Phase II year
2014
Phase II Amount
$965,866
Secure Decisions is developing a software assurance risk management technology called "Code Ray" to: (1) improve the speed, accuracy and confidence in detection of vulnerabilities by cross-mapping and normalizing the output of hybrid application security testing (HAST) techniques -- dynamic analysis, dynamic tracing, static analysis and contextual analysis; (2) enhance prioritization and mitigation of vulnerabilities by providing both the run-time context for those vulnerabilities and their mapping to industry and regulatory security standards; (3) improve the rapid comprehension and assessment of risks associated with vulnerabilities by delivering results in a risk management framework with risk metrics, dashboard, visual analytics, and reporting; and (4) support the education of programmers and security analysts in HAST. We start Phase II with a working TRL4 prototype completed at the end of Phase I. We will iteratively develop and deliver three progressively more mature versions of Code Ray to the Software Assurance Marketplace (SWAMP), reaching TRL8 by Month 24. We will incrementally add functionality from each of the iterations to the existing Code Dx product, and integrate HAST capabilities into a Security Information and Event Management (SIEM) system. We will also deliver an educational version of Code Ray to assist in teaching secure coding practices. During the proposed 18-month Phase II Option, commencing in Month 25, we will subject Code Ray to full-scale operational use in the SWAMP and in several DHS operational deployments. We will use feedback from the SWAMP users, educators, and operational sites to reach TRL9 within the Phase II Option period.
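The cross-mapping idea described in both abstracts, as an added illustration that is not Code Ray's or Secure Decisions' own code: SAST findings (file and line, CWE) are joined to DAST findings (route and parameter, CWE) through a dynamic trace recording which source lines each route executed. SAST findings confirmed by a DAST hit on a route that reached them are ranked first, those reached but not hit are flagged reachable, the rest are left as unreached; DAST findings with no SAST counterpart are reported with the traced code of their route as root-cause hints. All finding records and the trace are constructed sample data.

```python
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple

Loc = Tuple[str, int]  # (source file, line) recorded by dynamic tracing

@dataclass(frozen=True)
class SastFinding:          # inside-out: code location plus weakness class
    cwe: str
    file: str
    line: int

@dataclass(frozen=True)
class DastFinding:          # outside-in: exercised route/parameter plus weakness class
    cwe: str
    route: str
    param: str

def correlate(sast: List[SastFinding], dast: List[DastFinding],
              trace: Dict[str, Set[Loc]]) -> Dict[str, list]:
    """Cross-map findings: 'confirmed' if a same-CWE DAST hit reached the SAST line
    via the trace, 'reachable' if some route executed the line without a DAST hit,
    else 'unreached'. Unmatched DAST findings get the traced code as root-cause hints."""
    ranked, matched = [], set()
    for s in sast:
        loc = (s.file, s.line)
        routes = sorted(r for r, locs in trace.items() if loc in locs)
        hits = [d for d in dast if d.cwe == s.cwe and d.route in routes]
        matched.update(hits)
        status = "confirmed" if hits else "reachable" if routes else "unreached"
        ranked.append({"cwe": s.cwe, "file": s.file, "line": s.line,
                       "status": status, "routes": routes,
                       "confirmed_by": [f"{d.route}?{d.param}" for d in hits]})
    order = {"confirmed": 0, "reachable": 1, "unreached": 2}
    ranked.sort(key=lambda r: order[r["status"]])   # exploitable evidence first
    dast_only = [{"cwe": d.cwe, "route": d.route, "param": d.param,
                  "candidate_code": sorted(trace.get(d.route, set()))}
                 for d in dast if d not in matched]
    return {"ranked": ranked, "dast_only": dast_only}

# Constructed sample inputs (not real tool output)
SAST = [SastFinding("CWE-89", "src/orders.py", 42),
        SastFinding("CWE-79", "src/profile.py", 17),
        SastFinding("CWE-89", "src/admin_tools.py", 88)]
DAST = [DastFinding("CWE-89", "/orders", "id"),
        DastFinding("CWE-22", "/files", "path")]
TRACE = {"/orders": {("src/orders.py", 42), ("src/db.py", 10)},
         "/profile": {("src/profile.py", 17)},
         "/files": {("src/files.py", 5), ("src/util.py", 3)}}
```

Running `correlate(SAST, DAST, TRACE)` ranks the orders.py injection as confirmed, the profile.py XSS as reachable, the admin_tools.py finding as unreached, and lists the path-traversal DAST hit with files.py and util.py as candidate root-cause locations.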