Chapter 4 by Micro Focus
Business ●●○○○
Technical ●●●○○
Listen to the audio version
In application security, artificial intelligence will continue to focus on automating all phases of the application development life cycle. Increased efficiencies and a reduction in low-value human effort will result from advances in analytics, training efficiency, and a more widespread use of high-performance computing or even quantum computing — although human oversight will remain critical.
In recent years, it became clear that the methods for developing, revising, and maintaining applications within an organization were no longer fit for purpose. Historically, the development team would create a new or updated version of an application on a set schedule to coincide with a change window, but this approach has become increasingly problematic. The rate of change has accelerated to the point where waiting for these windows has become impossible because development and operations have become increasingly disjointed in their approach and goals. In this model, security is typically considered at the end of a development cycle, where a late stage build of an application undergoes a manual code review or penetration test prior to being deployed to production. If issues arise at this stage, it is possible that an entire cycle will be lost while the issue is resolved or mitigating measures such as a WAF or strict network/system access rules are implemented.
Now that teams recognize the need for development and operations teams to work in tandem, the DevOps mindset has taken hold. With DevOps, the speed and volume of application releases and revisions has accelerated. It has been further expanded with concepts such as microservices, which take advantage of cloud infrastructures and allow for applications to be built up out of standard interchangeable functions.
This speed and greater scale of development has led to a decoupling of security testing from the development cycle. Otherwise, adding code reviews and penetration testing to any given development sprint would not only slow things down dramatically, but would also add unacceptable costs. To address this change, application security testing solutions have evolved to ensure that the security side of the equation keeps up with DevOps, giving rise to the term DevSecOps.
Several different approaches are included under the Application Security Testing umbrella. Each works independently or in conjunction with the others to provide the security required during all phases of software development. These approaches include:
While these tools have helped to increase the pace of security testing in order to keep up with development, there are still areas that require intervention and time in order to ensure the correct level of security.
SAST tools are increasingly being designed to be as seamless as possible. They are also being integrated into IDEs (integrated development environments) to automate the process of submitting code for analysis, which is a critical component of version control. This means that developers can incorporate this step into their own sprints without involving other teams or incurring delays.
However, SAST tools don’t allow for complete automation of the code analysis. By themselves, they still require a level of human interaction to audit the result. As an example, Fortify Static Code Analyzer can take source code and provide a list of vulnerabilities in the code based on severity. This is a valuable level of automation, but it doesn’t consider whether the vulnerabilities are exploitable. This is because it doesn’t take into account any policies or mitigations in place or whether the code is actually reachable to be exploited. This is typically where human intervention is required to validate each vulnerability and determine which ones are serious enough to require resolution. This is a time-consuming process which, while necessary, doesn’t add value to the development cycle. Hence, it’s desirable to reduce this time and effort as much as possible.
To add context to the human effort involved, many organizations find that 50 percent of the time spent on application security testing is taken up during auditing. To illustrate this, look at this simplified application example:
This manual effort is slow and of low value in the development cycle, which is where AI and machine learning are of great benefit. The expertise and time required to verify which vulnerabilities require action is limited—and even organizations with the best security audit teams find that the skills and time available are outstripped by the growth in potential software flaws that arise from prolific and rapid development cycles.The next generation of SAST tools are looking to leverage machine learning techniques to extend the reach and better scale the skills of the security team.
Micro Focus addresses this issue through the Fortify scan analytics platform. For the past three years, we have been employing machine learning techniques in the security audit process. This initially started with the Fortify on Demand SaaS platform, and has now been integrated into the on-premises versions as well.
Fortify Audit Assistant identifies relevant exploitable vulnerabilities specific to any organization, via new static scan results. It does this by employing scan analytics machine-learning classifiers that are trained using anonymous metadata from scan results (which previously had to be audited by software security experts). The scan analytics platform delivers this capability as a web service in the cloud, enriching SCA scan results with audit predictions with up to 98 percent accuracy.
Fortify Audit Assistant enables machine learning-assisted auditing and leverages the security expertise of the entire Fortify security community, without transmitting any sensitive information. Audit Assistant transmits anonymized metadata derived from the scan results (called anonymous issue metrics). Issues indicated by the proven Fortify Static Code Analyzer are parsed by Fortify Audit Assistant into non-sensitive attributes. These attributes include vulnerability category, severity, and measures of code and software security vulnerability complexity—such as the number of inputs, branches, method output types, programming language, file extension, and the analyzer that found the issue. In the case of training data, the auditor’s previous determination is also included. The anonymized issue metrics are sent to Fortify scan analytics to train and apply machine-learning classifiers, which identify issues with up to 98 percent accuracy.
Figure: Fortify Audit Assistant
After processing a new static scan result, Fortify Audit Assistant adds its prediction and prediction confidence to the scan results. Based on an organization’s risk tolerance and preconfigured confidence thresholds, the issues will then be categorized as Exploitable, Indeterminate, or Not an Issue.
Fortify Audit Assistant dramatically reduces the human time and effort involved in identifying non-issues. For example, those that aren’t exploitable due to mitigations already in place, those that are in code that isn’t reachable by design, those that are accepted as part of the organization’s risk profile, and those that are false positives.
Fortify Audit Assistant can achieve:
This approach and the results achievable do not fully remove the need for human experience. There will always be areas where human context, skill, and experience will be required to ensure that audits are as accurate and valuable as possible. However, by applying the machine learning techniques, there is a dramatic reduction in the amount of human time and effort required, enabling security teams to focus their efforts on a much smaller number of issues and keep pace with development cycles.
There are many examples of how the use of Fortify Audit Assistant has improved the auditing phase of application security testing to speed up and reduce the manual effort required:
Fortify Audit Assistant is a discreet add-on module for Fortify that can be enabled to provide the automatic prediction of issues. Once it is enabled, you can choose whether it should be trained using private data only or in conjunction with the Fortify Security Community Cloud data.
Fortify Audit Assistant will tag issues with an automated prediction. These tags can be customized in line with an organization’s needs, as seen below:
Figure: Fortify Audit Assistant Tags
All past scan data for the organization can also be fed into Fortify Audit Assistant to train the classifiers, which adds in crucial past audit knowledge unique to that organization. Once trained and ready, Fortify Audit Assistant can then simply be enabled to provide automated predictions.
Figure: Fortify Audit Assistant automation options
Fortify Audit Assistant can be applied manually to a scan or auto-applied to ensure that all relevant static scans have the predictions applied automatically.
When using Fortify Audit Assistant manually, the results can be seen almost instantly and predictions are easily identified by the small gavel icon next to each item.
Figure: Fortify Audit Assistant used manually
The results are also available in the Audit Work Bench, enabling security auditors to easily see whether the issue is actionable and how the prediction was achieved. The workflow is unobtrusive. It is designed to make the audit process run smoothly and reduce the overall time that the audit of an application requires.
Figure: Audit Work Bench
Accuracy and Training
When using AI and ML techniques to reduce human effort, there are some important considerations that need to be taken in to account. First, ensure that the techniques applied are using accurate information and analysis, and that they are kept well trained and up to date.
Any machine learning technique is only as good as the information it is fed. If the audit issue information added is only correct 50 percent of the time, then the accuracy of any predictions will be no higher than 50 percent.
For this reason, Micro Focus maintains Fortify Community Intelligence. This is an intelligence source that is maintained using Fortify on Demand auditors and a team of dedicated software security researchers. Customers opt into this community and share their issue metrics, so that the pool of results is broad and can give the best possible predictions. Additionally, this intelligence source is kept current with the most recent rules and zero-day information to ensure that the Classifiers remain well trained. While this approach does not guarantee 100 percent accuracy, it does ensure that predictions are not skewed by relying on a single set of low-accuracy training data rather than on a variety of sources of data that can be curated.
Micro Focus also employs private intelligence, in which historical scan results for an organization are imported into Fortify Audit Assistant so that the Classifier can be trained on organization-specific data.
By combining the two types of intelligence, an organization can achieve the best results. They not only have access to Classifiers trained by community intelligence, but also to historical scan data and training to ensure that the results are tailored to the organization's specific needs.
Fortify is able to achieve a high level of results through the use of these approaches in terms of non-issue reduction, accuracy, and false negative reduction.
Privacy
Data and privacy have become increasingly important in recent years. And with a rising number of regulations, businesses are becoming more and more aware of what and where their data is.
When machine learning techniques are used, it is common for data to be transmitted to a central (usually cloud) location for analysis and storage for the system's reference and training purposes. This must be done anonymously, as no organization wants potentially sensitive information to be stored and used in an uncontrolled manner.
We accomplish this by utilizing only anonymous issue data and metrics. By doing so, the Fortify platform ensures that personally identifiable customer data is not stored outside of an organization.
AI in application security will continue to focus on removing the manual effort involved in all elements of the application development life cycle. Improvements in analytics, training efficiency, and a broader use of high-performance computing or even Quantum computing will bring greater efficiencies and reduce the low- value human effort—although human oversight will continue to be invaluable.
In the wider context of securing applications, there are many areas to consider. This includes the security of the data that the application touches, the entities that interact with the application (whether they are human or other applications or devices), and the infrastructure that the applications reside in.
Increasingly, behavioral analysis will play a strong role in monitoring all the elements surrounding any running application. It is this constant monitoring of the behavior of all the elements—from device, application, user, API, etc.—that will enable organizations to go beyond security testing and ensure that anomalies, risks, and malicious behaviors can be identified and remediated in all the elements that surround the applications they have developed.
Micro Focus is already moving in this direction with the acquisition of Interset, which now forms the basis of ArcSight Intelligence. ArcSight Intelligence uses unsupervised machine learning to understand and baseline the behavior of all entities in an environment and then detect anomalies and risks. Over time, it is likely that this will become a strong element of the protection of applications that have made it through to production.
Figure: ArcSight Intelligence
John Bloodworth
John has been a Cyber security professional for over 25 years. He has built a long track record in many disciplines including Endpoint Security, Network Security, Vulnerability Management, Data Protection, Cloud Protection, Encryption, SecOps and Application Security.
Over the 25 years he has held roles in 3rd line support, consulting, sales, pre-sales, management, and alliances for companies such as McAfee, Symantec, NTT and Qualys.
For the last 15 years John has been focused on helping Global Sis and MSSPs to build out strong Cyber security service lines and go-to-market approaches.
Micro Focus delivers a broad portfolio of enterprise software that help bridge the gap between existing and emerging technologies so our 40,000 customers worldwide can run and transform at the same time. To build and deliver better software faster, you need a “Quality everywhere” culture. Our continuous quality and security solutions help you make this cultural shift—testing web, mobile, and enterprise applications to deliver high-quality experiences to keep, grow and expand your business.
Visit us at www.microfocus.com
