build security into the software with sparrow
Post on 22-Jan-2018
Build Security into the Software
4Q/2016
Global Business
Company Overview
• More than 1,250 customers
• 10+ customers with 100K users worldwide
• Leader in the enterprise data-centric security space
• Building security into the data and software
• 60% with security consulting or engineering backgrounds
• 300 employees
• Founded in June 2000
• Installed base of over 2.5M users
Sparrow Overview
Key Features
• Policy Enforcement
• Quick Fix
• Accurate Analysis
• Supporting various programming languages and platforms
• Dynamic policy enforcement
• Intelligent issue clustering
• Active suggestion
• Deep semantic analysis and web framework support
• All-in-One SAST Solution
Quick Look at Sparrow
• WHISTLE (Analyzer Client)
⚡ Defining target programs and policies
• SAE (Analysis Engine)
⚡ Analyzing program code
• NEST (Analysis Management System)
⚡ Showing details of error type, path, functions, suggested code changes and analysis reports
Architecture diagram components: SAE (Sparrow Analysis Engine); NEST (Analysis Management System); Sparrow Server; Development Server/Client (w/ Source Code); WHISTLE (Analyzer Client) or Eclipse Plugin w/ Analysis Engine
Dynamic Policy Enforcement
• Enforce multiple policies dynamically for different projects, users/groups and project phases
Deep Semantic Analysis
• Interprocedural analysis (context- and path-sensitive analysis + symbolic execution)
• False path pruning by constraint solving
• Semantic analysis (data-flow, value, pointer, structure, and class analysis) + abstract interpretation for dead code detection
• Syntactic analysis (comment, pattern-based analysis)
Supporting Web Framework
• Analyzing Spring/Struts web applications
⚡ Control/data flow of the MVC (model, view, controller) architecture
⚡ Annotation-based configuration
⚡ Dependency injection
⚡ Configuration files
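As an added illustration (not Sparrow's own code or output), the hypothetical Spring MVC fragment below shows why the interprocedural and web-framework support listed above matters: the untrusted request parameter reaches the SQL sink only after crossing a controller, an injected service and a repository wired by annotations rather than by a visible `new`, so a single-file or purely syntactic check sees no source-to-sink path. The class names, the `/accounts` route and the `accounts` table are constructed for the example; the hardened repository method beside the unsafe one uses a bound parameter.

```java
import java.util.List;
import java.util.Map;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.jdbc.core.JdbcTemplate;
import org.springframework.stereotype.Repository;
import org.springframework.stereotype.Service;
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.RequestParam;
import org.springframework.web.bind.annotation.RestController;

// Hypothetical example. Source: an analyzer must know that @RequestParam binds
// attacker-controlled input, which only annotation-aware analysis can tell.
@RestController
class AccountController {
    @Autowired private AccountService service;   // DI: the bean is wired by Spring, no visible 'new'

    @GetMapping("/accounts")
    public List<Map<String, Object>> byOwner(@RequestParam("owner") String owner) {
        return service.findByOwner(owner);        // hop 1: controller -> service
    }
}

@Service
class AccountService {
    @Autowired private AccountRepository repo;

    public List<Map<String, Object>> findByOwner(String owner) {
        return repo.findByOwnerUnsafe(owner);     // hop 2: service -> repository
    }
}

@Repository
class AccountRepository {
    @Autowired private JdbcTemplate jdbc;

    // Sink reached after two interprocedural hops: tainted data concatenated into SQL text.
    public List<Map<String, Object>> findByOwnerUnsafe(String owner) {
        return jdbc.queryForList(
            "SELECT id, balance FROM accounts WHERE owner = '" + owner + "'");
    }

    // Hardened form: the value is passed as a bound parameter, so it can never become SQL syntax.
    public List<Map<String, Object>> findByOwnerSafe(String owner) {
        return jdbc.queryForList(
            "SELECT id, balance FROM accounts WHERE owner = ?", owner);
    }
}
```

A data-flow analysis that models `@Autowired` resolution and `@RequestParam` binding reports the unsafe path and stays silent on the parameterized one; a pattern-only check cannot distinguish them.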
Accurate Analysis
Comparison of findings on the same target program (empty cells were blank on the slide):

| Common Weakness | Sparrow True | Sparrow False | Vendor H True | Vendor H False |
|---|---|---|---|---|
| HTTP response splitting | 1 | | 0 | |
| Private Array-Typed Field Returned From A Public Method | 1 | | 0 | |
| SQL injection | 2 | | 3 | 12 |
| Path Traversal & Resource Injection | 4 | | 2 | |
| Null dereference | 74 | 2 | 3 | |
| Reliance on Untrusted Inputs in a Security Decision | 1 | | 0 | |
| Improper Check for Unusual or Exceptional Conditions | 53 | | 53 | |
| Resource Leak | 109 | | 19 | |
| Open Redirect | 3 | | 0 | |
| Improper Error Handling | 6 | | 6 | 2 |
| Information Exposure Through an Error Message | 57 | | 53 | |
| Exposure of Data Element to Wrong Session | 4 | | 0 | |
| Use of Insufficiently Random Values | 2 | | 8 | |
| Integer Overflow | 1 | | 0 | |
| Leftover Debug Code | 1 | | 1 | |
| Information Exposure Through Comments | 0 | | 9 | 4 |
| Cleartext Storage of Sensitive Information | 0 | | 1 | |
| Cross-site scripting | 3 | | 10 | |
| Cross-site Request Forgery | 1 | | 0 | |
| Hard coded password | 2 | | 5 | 0 |
| Total | 325 | 2 | 173 | 18 |

| Tool | Time | Target program | # of Files | Total LOC | Executable LOC |
|---|---|---|---|---|---|
| Sparrow | 4m 42s | WebGoat | 191 | 44,645 | 27,531 |
| Vendor H | 19m 22s | WebGoat | 191 | 44,645 | 27,531 |
Intelligent Issue Clustering
• Clusters similar issues into groups so that organizations can identify and fix them efficiently
Active Suggestion
• Not only identifies software vulnerabilities, but also remediates code through automated code suggestions
Technical Specification
• Languages: ABAP, Android, ASP(.NET), C/C++, C#, HTML, Java, JavaScript, JSP, Objective-C, PHP, SQL, VB.NET, VBScript, XML
• IDEs: Android Studio, Code Composer, CodeWarrior, Eclipse, IAR, IBM RAD, IntelliJ IDEA, Keil uVision, Visual Studio, Xcode
• Platform: Windows, Linux, Mac OS, AIX, HP-UX, SunOS
• Build Management: GNU make, Sun make, Microsoft nmake, …
• Continuous Integration: Hudson, Jenkins, TeamCity
• Source Control: Git, Microsoft Team Foundation, Subversion, Commercial Source Controls
• Framework: Spring framework, Struts framework, Proframe framework
Timeline and Roadmap
• 2007-2016
⚡ OWASP Benchmark Score: 94%
*The average score of other solutions was 25%.
⚡ ISO 26262 Certification
*Qualification of Software Tools for Automotive Industry
⚡ CWE Compatibility
• Roadmap figure (2016 to 2018): Sparrow v5 (SAST), Sparrow Cloud v1, IAST v1, DAST v1, RASP v1
Case Study
Customer in Financial Verticals
• Key facts
⚡ Industry: Financial/Banking
⚡ Revenue: US$22.7B (Assets: $204.3B)
⚡ Headcount: 100K
• Challenge
⚡ Develop and deliver an efficient and effective static application security testing environment for all business applications developed, maintained and operated by the Bank's IT Department.
• Solution
⚡ Enforced the secure coding policies set by the IT and Security Group in all development environments (approx. 1,450 developers)
⚡ Inspected the source code of more than 233 projects for security and quality
⚡ Added periodic reporting of statistical analysis on security vulnerabilities and quality issues (identified and fixed approx. 1,000 vulnerabilities annually since 2014)
Customer in Financial Verticals (Cont'd)
Deployment diagram (text recovered from the figure):
• Components: Source Code Management Server; Operating Server; Development Servers (233 Projects); Sparrow Servers (*4 active servers); Developers (1,450 Seats); Admin
• Labelled flows: Check-in request; Approve/reject check-in request based on the secure coding policy; Transfer secure source code; Define/manage secure coding policy; Review status of projects and generate reports; Request security assessment results of source code; Validate the request; Send analysis results and pre-processed data; Manage code analysis results; Manage secure projects; Execute code analysis; Review the analysis results
Fasoo has been successfully building its worldwide reputation as an EDRM (enterprise digital rights management, aka information rights management, IRM) solution provider with industry-leading solutions and services. Fasoo solutions allow organizations to prevent unintended information disclosure or exposure, ensure a secure information-sharing environment, better manage workflows and simplify secure collaboration internally and externally. Fasoo Enterprise DRM, a data-centric security solution, safeguards digital files and prevents their unauthorized use, providing persistent and reliable protection of documents through file encryption, permission control and audit trail technologies. Fasoo has retained its leadership in the EDRM market by deploying enterprise-wide solutions for more than 1,250 organizations, securing more than 2.5 million users. Fasoo also plans for future expansion through new business models including static code analysis/SAST (Sparrow), content-centric data lifecycle management solutions (Wrapsody) and intelligent lifelog solutions (DigitalPage).
North America Headquarters
197 State Route 18 South, East Brunswick, NJ 08817, USA
Global Headquarters
396 World Cup buk-ro, Mapo-gu, Seoul 121-795, Korea
Web: www.fasoo.com
Email: inquiry@fasoo.com
Phone: (732) 955-2333 (NA HQ) | +82-2-300-9000 (Global HQ)