In a previous post, we examined how cognitive computing can greatly reduce the false positives and noise inherent in static application security testing (SAST). We also showed that this reduction can be achieved without sacrificing language coverage. Most application security offerings take the opposite approach: they cut false positives by shrinking the rule set, which removes real coverage along with the noise.

Although intelligent findings analytics (IFA) represents a key breakthrough in application security testing, it only preserves the breadth of coverage that the static analysis language processor already provides; it does not extend it.

ICA: Taking Application Security Testing a Step Forward

Intelligent code analytics (ICA) takes IFA a major step forward by using cognitive computing to extend the coverage of a language. This matters because programming languages evolve rapidly and new frameworks appear constantly. A new language version such as Java 8 can introduce tens of thousands of new application programming interfaces (APIs).

Traditionally, a trained security expert reviews each of these APIs to decide whether it is a source (a point where untrusted input enters the program) or a sink (a point where that input is consumed in a way that could be dangerous), and therefore whether the data passing through it must be treated as tainted. New frameworks make this harder: by hiding data flow behind convenient abstractions for developers, they make that same flow more opaque to the testing system. Identifying these APIs and writing rules for them, a process referred to as markup, can take weeks or more, and until it is done the unmarked APIs are invisible to the analysis, leaving gaps in the testing system's coverage.

ICA virtually eliminates this issue by applying machine learning to the identification and markup of APIs, and it does so on the fly. Each time the analysis encounters an API or framework it has not seen before, ICA classifies it (determining whether it can carry taint, and in what role) and generates a rule for it. The analysis engine then uses that rule to decide whether the application's data flow contains a real vulnerability.
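To make the source/sink/taint markup described above concrete, here is a toy forward taint analysis added for this post. It is not AppScan's engine and does not reproduce ICA's machine learning; the API names (the `HttpServletRequest`/`Statement` rules and the hypothetical `NewFramework.*` calls) and the three sample programs are constructed for the example. It shows what a markup rule does, why an API with no rule is either a missed vulnerability or a false positive depending on how the engine treats unknowns, and how marking the new API correctly (which is the job ICA automates) gets both cases right without shrinking the rule set.

```python
"""Toy taint analysis over straight-line code: sources, sinks, sanitizers,
propagators, and what happens to an API that has no rule (no markup).

Added example; the API names and programs below are constructed, not real
AppScan rules or customer code.
"""
from dataclasses import dataclass, field
from typing import List, Optional, Set, Tuple


@dataclass(frozen=True)
class Stmt:
    """target = api(*args); target is None when the result is unused."""
    target: Optional[str]
    api: str
    args: Tuple[str, ...] = ()


@dataclass
class Rules:
    """The markup: which APIs introduce, consume, clean, or carry taint."""
    sources: Set[str] = field(default_factory=set)
    sinks: Set[str] = field(default_factory=set)
    sanitizers: Set[str] = field(default_factory=set)
    propagators: Set[str] = field(default_factory=set)


def analyze(program, rules, unknown_propagates=False):
    """Forward taint propagation. Returns (sink_api, arg, source_api) findings.

    An API absent from every rule set is "unknown"; the `unknown_propagates`
    policy decides whether its return value inherits taint from its arguments.
    """
    origin = {}      # variable -> source API that tainted it
    findings = []
    for s in program:
        tainted_args = [a for a in s.args if a in origin]
        if s.api in rules.sinks:
            findings += [(s.api, a, origin[a]) for a in tainted_args]
            new_taint = None
        elif s.api in rules.sources:
            new_taint = s.api
        elif s.api in rules.sanitizers:
            new_taint = None
        elif s.api in rules.propagators or unknown_propagates:
            new_taint = origin[tainted_args[0]] if tainted_args else None
        else:                      # unknown API, treated as not carrying taint
            new_taint = None
        if s.target is not None:
            if new_taint:
                origin[s.target] = new_taint
            else:
                origin.pop(s.target, None)
    return findings


# Constructed base markup mimicking servlet/JDBC names.
BASE_RULES = Rules(
    sources={"HttpServletRequest.getParameter"},
    sinks={"Statement.executeQuery"},
    sanitizers={"Integer.parseInt"},
    propagators={"String.concat"},
)

# Same markup after the hypothetical NewFramework APIs have been classified.
MARKED_RULES = Rules(
    sources=BASE_RULES.sources,
    sinks=BASE_RULES.sinks,
    sanitizers=BASE_RULES.sanitizers | {"NewFramework.hexDigest"},
    propagators=BASE_RULES.propagators | {"NewFramework.template"},
)

# Program A: textbook SQL injection, fully covered by BASE_RULES.
CLASSIC = (
    Stmt("name", "HttpServletRequest.getParameter"),
    Stmt("q", "String.concat", ("prefix", "name")),
    Stmt(None, "Statement.executeQuery", ("q",)),
)
# Program B: the same flow through a new framework's (unmarked) template API.
NEW_FRAMEWORK = (
    Stmt("name", "HttpServletRequest.getParameter"),
    Stmt("q", "NewFramework.template", ("sql_tmpl", "name")),
    Stmt(None, "Statement.executeQuery", ("q",)),
)
# Program C: input is hashed first; a hex digest cannot inject, so no finding.
HASHED = (
    Stmt("name", "HttpServletRequest.getParameter"),
    Stmt("h", "NewFramework.hexDigest", ("name",)),
    Stmt("q", "String.concat", ("prefix", "h")),
    Stmt(None, "Statement.executeQuery", ("q",)),
)


def compare_policies():
    """True = a finding is reported, per program, under each unknown-API policy."""
    cases = {"classic": CLASSIC, "new_framework": NEW_FRAMEWORK, "hashed": HASHED}
    policies = {
        "unknown_ignored": (BASE_RULES, False),   # coverage gap on program B
        "unknown_tainted": (BASE_RULES, True),    # false positive on program C
        "marked_up": (MARKED_RULES, False),       # both right, no rules removed
    }
    return {name: {c: bool(analyze(p, rules, unk)) for c, p in cases.items()}
            for name, (rules, unk) in policies.items()}


if __name__ == "__main__":
    for policy, results in compare_policies().items():
        print(f"{policy:16s} {results}")
```

Run as a script, the first policy misses the injection in program B (the gap that manual markup leaves open for weeks), the second catches it but also flags the harmless hashed flow in program C (the noise IFA is meant to remove), and only the marked-up rule set reports exactly the real vulnerabilities.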

ICA ‘Just Works’

We have a phrase to describe how these results are achieved: “It just works!” While there is certainly more detail behind this statement, the beauty of applying cognitive technology to application security testing is that you don’t need to know all the details — you can simply look at the results.

With IFA, we observed machine accuracy that met or exceeded that of trained experts performing the same analysis. The results of ICA are equally impressive and likewise meet or exceed the results of human effort. As with IFA, we attribute this to the fact that people working on complex problems for hours at a time naturally tire and make errors, while the machine completes the same job in seconds and never tires.

Enhance Speed and Coverage With IFA and ICA

Together, IFA and ICA use cognitive computing to address two key requirements of application security: speed and coverage. Both are critical to a successful DevOps application security program. But this is just the beginning. Where will cognitive computing take us next in making your application security program more effective? Watch this space to find out!

For additional information about AppScan’s cognitive application security testing capabilities, watch this brief animated video:
