Case Study: Eliminating False Positives in Automated Software Vulnerability Scanning

Subject: DASE

The Challenge:

In static scanning, possibly the most prevalent issue is the “false positive problem”.  Regardless of which commercial code scanner you choose, findings for even a moderately sized code base can range anywhere from ten to hundreds of thousands.  This is bad enough, but it is made worse by the false positive problem: false positives can account for half (or even more) of the findings.  Furthermore, determining that a finding is a false positive is almost always a labor-intensive, time-consuming activity.  Sentar’s Dynamic Analysis / Symbolic Execution (DA/SE) (TRL 4) solves this problem by using dynamic analysis to assess every possible code-execution path.  Findings are tagged to the Common Weakness Enumeration (CWE) schema and are mathematically verified.  When DA/SE reports a finding, the analyst (or developer) knows for certain that it is present, which eliminates false positives.

The Solution:

DA/SE uses Symbolic Execution to evaluate every possible path of code execution.  DA/SE also relies on Functional Equivalence Analysis (FEA).  FEA is built on a technique from mathematics and computer science known as “Satisfiability Modulo Theories (SMT)”: an SMT solver decides whether the constraints collected along a code path can actually be satisfied by some input.  It is this use of SMT that provides the mathematical validation of the presence of a vulnerability.  We deploy DA/SE within a virtual machine environment.

DA/SE is innovative: unlike other dynamic scanning approaches, it does not use fuzzing.  While fuzzing can shorten processing time, it often leaves gaps in coverage, because not every possible path of code execution is evaluated, which leaves the door open for “false negatives” (vulnerabilities that are not identified).  With DA/SE and its use of FEA and SMT, we have complete coverage of all possible paths of code execution and 100% certainty about the vulnerabilities that are discovered.
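The path-feasibility check that the SMT step performs can be seen on a small constructed example. The Python below is an added illustration written for this page, not Sentar’s DA/SE code; it uses a toy symbolic executor and, as a stand-in for an SMT solver, bounded enumeration over a small input domain (an assumption: a real SMT solver decides the same constraints symbolically, with no bound). A pattern-matching scanner would flag the `buf[idx]` write in both toy programs; exploring every path shows that the unsafe index is unreachable in the clamped version (a false positive) and reachable, with a concrete witness input, in the off-by-one version.

```python
"""Toy path-sensitive analysis (constructed example): explore every path of a
small program, collect the path condition, and ask a solver whether an unsafe
state is reachable.  Unsatisfiable on every path -> the scanner's finding is a
false positive; satisfiable -> a confirmed finding with a concrete witness."""
import itertools
import operator
from typing import Callable, Dict, List, Optional, Tuple

Env = Dict[str, int]               # concrete assignment to the symbolic inputs
Term = Callable[[Env], int]        # symbolic value: concrete inputs -> concrete value
SymState = Dict[str, Term]         # program variable -> symbolic value
Expr = Callable[[SymState], Term]  # expression evaluated against a symbolic state
Finding = Tuple[str, List[Term]]   # (finding label, constraints that must all hold)

def inp(name: str) -> Expr:        # untrusted symbolic input
    return lambda st: (lambda env: env[name])

def const(c: int) -> Expr:
    return lambda st: (lambda env: c)

def var(name: str) -> Expr:        # current symbolic value of a program variable
    return lambda st: st[name]

def binop(op, a: Expr, b: Expr) -> Expr:
    # Bind operand terms when evaluated against a state, so a later assignment
    # to the same variable cannot change this value.
    return lambda st: (lambda env, ta=a(st), tb=b(st): op(ta(env), tb(env)))

def gt(a, b): return binop(operator.gt, a, b)
def lt(a, b): return binop(operator.lt, a, b)
def ge(a, b): return binop(operator.ge, a, b)
def lor(a, b): return binop(lambda p, q: p or q, a, b)
def neg(t: Term) -> Term: return lambda env: not t(env)

def explore(block, st: SymState, path: List[Term], out: List[Finding]) -> None:
    """Symbolic execution: each 'if' forks the path; each 'unsafe_if' records
    the query 'path condition AND unsafe condition' for the solver."""
    if not block:
        return
    stmt, rest = block[0], block[1:]
    if stmt[0] == "assign":
        _, name, expr = stmt
        st2 = dict(st)
        st2[name] = expr(st)
        explore(rest, st2, path, out)
    elif stmt[0] == "if":
        _, cond, then_b, else_b = stmt
        t = cond(st)
        explore(then_b + rest, st, path + [t], out)
        explore(else_b + rest, st, path + [neg(t)], out)
    elif stmt[0] == "unsafe_if":
        _, cond, label = stmt
        out.append((label, path + [cond(st)]))
        explore(rest, st, path, out)

def solve(constraints: List[Term], domain: Dict[str, range]) -> Optional[Env]:
    """Stand-in for an SMT solver (assumption: bounded enumeration of the input
    domain; a real solver decides this symbolically, with no bound).  Returns a
    satisfying input, or None when the conjunction is unsatisfiable."""
    names = list(domain)
    for values in itertools.product(*(domain[n] for n in names)):
        env = dict(zip(names, values))
        if all(c(env) for c in constraints):
            return env
    return None

def analyze(program, domain) -> Dict[str, List[Env]]:
    """Map each finding label to its witnesses, one per feasible path (an empty
    list means the unsafe state is unreachable: a false positive)."""
    findings: List[Finding] = []
    explore(program, {}, [], findings)
    result: Dict[str, List[Env]] = {}
    for label, constraints in findings:
        result.setdefault(label, [])
        witness = solve(constraints, domain)
        if witness is not None:
            result[label].append(witness)
    return result

BUF_LEN = 8
OOB = "oob_write (CWE-787)"
DOMAIN = {"x": range(-16, 32)}     # constructed input domain for the toy solver
UNSAFE = ("unsafe_if", lor(ge(var("idx"), const(BUF_LEN)), lt(var("idx"), const(0))), OOB)

def clamped_index_program():
    # idx = x; if (x > 7) idx = 7; if (x < 0) idx = 0; buf[idx] = 1;
    # A pattern-based scanner flags buf[idx] because idx derives from untrusted x,
    # but the clamps make an out-of-bounds index unreachable on every path.
    return [("assign", "idx", inp("x")),
            ("if", gt(inp("x"), const(BUF_LEN - 1)), [("assign", "idx", const(BUF_LEN - 1))], []),
            ("if", lt(inp("x"), const(0)), [("assign", "idx", const(0))], []),
            UNSAFE]

def off_by_one_program():
    # Same shape, but the upper clamp compares against BUF_LEN instead of BUF_LEN - 1.
    return [("assign", "idx", inp("x")),
            ("if", gt(inp("x"), const(BUF_LEN)), [("assign", "idx", const(BUF_LEN))], []),
            ("if", lt(inp("x"), const(0)), [("assign", "idx", const(0))], []),
            UNSAFE]

if __name__ == "__main__":
    for name, prog in [("clamped", clamped_index_program()), ("off-by-one", off_by_one_program())]:
        witnesses = analyze(prog, DOMAIN)[OOB]
        print(name, "false positive: unsafe index unreachable on every path" if not witnesses
              else f"confirmed: witness inputs {witnesses}")
```

Running the block reports the clamped program as a false positive (every path's query is unsatisfiable) and the off-by-one program as confirmed, with the inputs x = 9 (through the faulty clamp) and x = 8 (through the unclamped path) as witnesses. The point is that the verdict comes from the path condition rather than from the pattern at the write site, which is what lets a path-sensitive analysis discard findings that a pattern-based scanner cannot.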

The Mission Impact:

•     Reduced Development Timeline: Currently at TRL 6, as DA/SE is deployed its use will save up to 50% of the analyst and developer time currently spent validating static-scanner-based findings.

•     Enhanced Assurance of Software: Because DA/SE eliminates false positives, developers and analysts can rest easy knowing their software has been evaluated accurately, and can take further well-founded steps to secure it.
