Eliminating false positives in automated software vulnerability scanning
Regardless of which commercial code scanner you choose, findings for even a moderately sized code base can range anywhere from ten to hundreds of thousands. This is bad enough, but it is made even worse by the “false positive problem,” which can account for half (or even more) of the findings. Furthermore, determining that a finding is a false positive is almost always a labor-intensive and time-consuming activity. Sentar’s Dynamic Analysis / Symbolic Execution (DA/SE) (TRL 4) solves this problem by using dynamic analysis to assess every possible code-execution path. Findings are tagged to the Common Weakness Enumeration (CWE) schema and are mathematically verified. When DA/SE identifies a finding, the analyst (or developer) knows for certain that it is there, which eliminates false positives.
DA/SE tackles the “false positive problem” in static scanning by using dynamic analysis to assess every possible code-execution path.
DA/SE uses Symbolic Execution to evaluate every possible path of code execution. DA/SE also relies on Functional Equivalence Analysis (FEA). FEA is built on Satisfiability Modulo Theories (SMT), a technique from mathematical logic and computer science. It is the use of SMT that provides the mathematical validation that a vulnerability is present. We deploy DA/SE within a virtual machine environment.
DA/SE is innovative: unlike other dynamic scanning approaches, it does not use fuzzing. While fuzzing can speed up processing time, it often leads to a lack of coverage, because not every possible path of code execution is evaluated, which leaves the door open for “false negatives” (vulnerabilities that aren’t identified). With DA/SE and its use of FEA and SMT, we have complete coverage of all possible paths of code execution and 100% certainty in the vulnerabilities that are discovered.
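As an added illustration (not Sentar’s code and not a description of DA/SE internals), the following Python sketch shows how the path constraints collected by symbolic execution let a solver confirm or refute a static-scanner finding: a satisfiable constraint yields a concrete witness input, an unsatisfiable one marks the finding as a false positive. It assumes 8-bit inputs and uses a bounded brute-force search as a stand-in for a real SMT solver such as Z3; the program under analysis and its findings are constructed for the example.

```python
from itertools import product

# Assumed input domain: every input is an 8-bit value (0..255). Real symbolic
# execution hands the path constraint to an SMT solver; here a bounded
# brute-force search over that domain stands in for the solver.
DOMAIN = range(256)


def find_model(constraints, nvars):
    """Stand-in SMT check: return an input tuple satisfying every constraint,
    or None if the conjunction is unsatisfiable over DOMAIN."""
    for model in product(DOMAIN, repeat=nvars):
        if all(c(*model) for c in constraints):
            return model
    return None


# Program under analysis (constructed):
#   def target(x, y):
#       if x > 200:
#           if x < 100:           # unreachable: x > 200 and x < 100 never both hold
#               buf[x] = y        # a static scanner flags this as CWE-787
#       if x < 16:
#           buf[x + 1] = y        # buf has 16 slots; x == 15 writes past the end
#       return x // y             # CWE-369 when y == 0
#
# A symbolic executor records, for each flagged statement, the branch
# conditions on the path that reaches it (the path constraint) plus the
# condition under which the statement is actually a weakness.
FINDINGS = {
    "CWE-787 buf[x] in dead branch": [lambda x, y: x > 200, lambda x, y: x < 100],
    "CWE-787 buf[x + 1] overflow":   [lambda x, y: x < 16, lambda x, y: x + 1 >= 16],
    "CWE-369 x // y":                [lambda x, y: y == 0],
}


def triage(findings):
    """For each finding return a concrete witness input, or None when no input
    can reach the weakness (the static finding is a false positive)."""
    return {name: find_model(cons, 2) for name, cons in findings.items()}


if __name__ == "__main__":
    for name, witness in triage(FINDINGS).items():
        verdict = "FALSE POSITIVE" if witness is None else f"confirmed, witness x,y={witness}"
        print(f"{name}: {verdict}")
```

The witness returned for a confirmed finding doubles as a regression test input; the bounded domain is what keeps this toy search finite, whereas an SMT solver reasons over the full theory of the types involved.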
The Mission Impact
Reduced Development Timeline: Currently at TRL 6, as DA/SE is deployed, its use will save up to 50% of the analysts’ and developers’ time currently spent validating static-scanner-based findings.
Enhanced Assurance of Software: Because DA/SE eliminates false positives, developers and analysts can be confident that their software has been evaluated accurately and can take well-founded next steps to secure it.