Code Ray: Software Assurance Risk Management Framework for Hybrid Analysis Mapping

Award Information
Agency:
Department of Homeland Security
Branch
n/a
Amount:
$99,965.40
Award Year:
2013
Program:
SBIR
Phase:
Phase I
Contract:
HSHQDC-13-C-00036
Award Id:
n/a
Agency Tracking Number:
HSHQDC-13-R-00009-H-SB013.1-002-0002-I
Solicitation Year:
2013
Solicitation Topic Code:
H-SB013.1-002
Solicitation Number:
HSHQDC-13-R-00009
Small Business Information
6 Bayview Avenue, Northport, NY, 11768-1502
Hubzone Owned:
N
Minority Owned:
N
Woman Owned:
N
Duns:
602262222
Principal Investigator:
KennethProle
ken.prole@securedecisions.com
Business Contact:
KellyBennett
kelly.bennett@avi.com
Research Institute:
n/a
Abstract
Two methods for analyzing software security risks are dynamic application security testing (DAST) - an outside in perspective - and static application security testing (SAST) - and inside out perspective. Both have shortfalls. DAST findings do not give insight into the root cause, making remediation time consuming. SAST tools give you full breadth, but warn of weaknesses that are not exploitable. Correlating the results of both can overcome these individual challenges. Secure Decisions proposes Code Ray: Software Assurance Risk Management Framework for Hybrid Analysis Mapping to (1) improve the speed, accuracy and confidence in detection of vulnerabilities by cross-mapping and normalizing the output of hybrid techniques -- dynamic analysis, dynamic tracing, static analysis and static contextual analysis; (2) enhance prioritization and mitigation of vulnerabilities by providing both the run-time context for those vulnerabilities and their mapping to security standards; and (3) improve the rapid comprehension and assessment of risks associated with vulnerabilities by delivering results in a simplified, risk management framework. We will build a Phase I TRL4 prototype to evaluate the technical feasibility of our approach and demonstrate results. Our approach will leverage current work on normalizing and correlating SAST tools and dynamic tracing of runtime execution to prioritize SAST findings. This will also reduce technical and schedule risks. At the end of Phase II we will deliver a web-based tool to be deployed, used and evaluated in the Software Assurance Marketplace (SWAMP) research environment. A commercial version will be directed at software development teams and security auditing organizations.

* information listed above is at the time of submission.

Agency Micro-sites


SBA logo

Department of Agriculture logo

Department of Commerce logo

Department of Defense logo

Department of Education logo

Department of Energy logo

Department of Health and Human Services logo

Department of Homeland Security logo

Department of Transportation logo

Enviromental Protection Agency logo

National Aeronautics and Space Administration logo

National Science Foundation logo
US Flag An Official Website of the United States Government