Abstract: A static analysis tool is augmented to provide a mechanism by which a large set (and potentially all) security warnings output from the tool may be represented to the user in a manner that is manageable for consumption by the user. According to this disclosure, a static analysis is run on a program to generate a set of security warnings. Using dynamic programming, the set of security warnings output by the static analysis are mapped onto a collection of fix points, wherein a fix point captures a location within the program that should be visited to fix a set of warnings that map to that fix point. The fix points represent the highest probable locations of particular potential vulnerabilities in the program. They are computed in a parametric manner, preferably according to user preferences, by solving an instance of a “knapsack” problem.

Abstract: A new paradigm for security analysis is provided by transitioning code analysis reporting from the problem space (the warnings themselves), to a solution space (potential solutions to the identified problems). Thus, instead of reporting raw findings to the user, the automated system as described here outputs proposed solutions to eliminate the defects identified in the security analysis. A consequence of this approach is that the report generated by the analysis tool is much more consumable, and thus much more actionable. Preferably, the report provides the user with one or more candidate location(s) at which to apply a fix to an identified security problem. These locations preferably are identified by processing overlapping nodes to identify one or more solution groupings that represent an API for a sanitization fix. The report also includes one or more recommendations for the fix, and preferably the report is generated on a per-vulnerability type basis.

Abstract: A method includes reading by a computing system a rule file including one or more rules having specified paths to methods, each method corresponding to one of a sink, source, or sanitizer. The method includes matching by the computing system the methods to corresponding ones of sinks, sources, or sanitizers determined through a static analysis of an application. The static analysis determines at least flows from sources of information to sinks that use the information. The method includes performing by the computing system, using the sinks, sources, and sanitizers found by the matching, a taint analysis to determine at least tainted flows from sources to sinks, wherein the tainted flows are flows passing information to sinks without the information being endorsed by a sanitizer. Apparatus and program products are also disclosed.

Abstract: A static analysis tool is augmented to provide a mechanism by which a large set (and potentially all) security warnings output from the tool may be represented to the user in a manner that is manageable for consumption by the user. According to this disclosure, a static analysis is run on a program to generate a set of security warnings. Using dynamic programming, the set of security warnings output by the static analysis are mapped onto a collection of fix points, wherein a fix point captures a location within the program that should be visited to fix a set of warnings that map to that fix point. The fix points represent the highest probable locations of particular potential vulnerabilities in the program. They are computed in a parametric manner, preferably according to user preferences, by solving an instance of a “knapsack” problem.

Abstract: A new paradigm for security analysis is provided by transitioning code analysis reporting from the problem space (the warnings themselves), to a solution space (potential solutions to the identified problems). Thus, instead of reporting raw findings to the user, the automated system as described here outputs proposed solutions to eliminate the defects identified in the security analysis. A consequence of this approach is that the report generated by the analysis tool is much more consumable, and thus much more actionable. Preferably, the report provides the user with one or more candidate location(s) at which to apply a fix to an identified security problem. These locations preferably are identified by processing overlapping nodes to identify one or more solution groupings that represent an API for a sanitization fix. The report also includes one or more recommendations for the fix, and preferably the report is generated on a per-vulnerability type basis.

Abstract: A new paradigm for security analysis is provided by transitioning code analysis reporting from the problem space (the warnings themselves), to a solution space (potential solutions to the identified problems). Thus, instead of reporting raw findings to the user, the automated system as described here outputs proposed solutions to eliminate the defects identified in the security analysis. A consequence of this approach is that the report generated by the analysis tool is much more consumable, and thus much more actionable. Preferably, the report provides the user with one or more candidate location(s) at which to apply a fix to an identified security problem. These locations preferably are identified by processing overlapping nodes to identify one or more solution groupings that represent an API for a sanitization fix. The report also includes one or more recommendations for the fix, and preferably the report is generated on a per-vulnerability type basis.

Abstract: A cloud-based static analysis security tool accessible by a set of application development environments is augmented to provide for anonymous knowledge sharing to facilitate reducing security vulnerabilities. To the end, a crowdsourcing platform and social network are associated with the application development environments. Access to the social network platform by users of the application development environments is enabled. The anonymous access enables users to post messages without exposing sensitive data associated with a particular application development environment. As the static analysis security tool is used, a knowledgebase of information regarding identified security findings, fix priorities, and so forth, is continuously updated. Social network content (e.g., in the form of analytics, workflow recommendations, and the like) is then published from the knowledgebase to provide users with security knowledge generated by the tool from the set of application development environments.

Abstract: A new paradigm for security analysis is provided by transitioning code analysis reporting from the problem space (the warnings themselves), to a solution space (potential solutions to the identified problems). Thus, instead of reporting raw findings to the user, the automated system as described here outputs proposed solutions to eliminate the defects identified in the security analysis. A consequence of this approach is that the report generated by the analysis tool is much more consumable, and thus much more actionable. Preferably, the report provides the user with one or more candidate location(s) at which to apply a fix to an identified security problem. These locations preferably are identified by processing overlapping nodes to identify one or more solution groupings that represent an API for a sanitization fix. The report also includes one or more recommendations for the fix, and preferably the report is generated on a per-vulnerability type basis.

Abstract: A method includes a computing system reading a rule file that includes one or more rules having specified paths to methods, such that each method corresponds to one of a sink, source, or sanitizer. The method includes the computing system matching the methods to corresponding ones of sinks, sources, or sanitizers determined through a static analysis of an application. The static analysis determines at least flows from sources of information to sinks that use the information. The method includes the computing system, using the sinks, sources, and sanitizers found by the matching, performing a taint analysis to determine at least tainted flows from sources to sinks, the tainted flows being flows that pass information to sinks without the information being endorsed by a sanitizer. Apparatus and program products are also shown.

Abstract: A method includes reading by a computing system a rule file including one or more rules having specified paths to methods, each method corresponding to one of a sink, source, or sanitizer. The method includes matching by the computing system the methods to corresponding ones of sinks, sources, or sanitizers determined through a static analysis of an application. The static analysis determines at least flows from sources of information to sinks that use the information. The method includes performing by the computing system, using the sinks, sources, and sanitizers found by the matching, a taint analysis to determine at least tainted flows from sources to sinks, wherein the tainted flows are flows passing information to sinks without the information being endorsed by a sanitizer. Apparatus and program products are also disclosed.

Abstract: A method includes reading by a computing system a rule file including one or more rules having specified paths to methods, each method corresponding to one of a sink, source, or sanitizer. The method includes matching by the computing system the methods to corresponding ones of sinks, sources, or sanitizers determined through a static analysis of an application. The static analysis determines at least flows from sources of information to sinks that use the information. The method includes performing by the computing system, using the sinks, sources, and sanitizers found by the matching, a taint analysis to determine at least tainted flows from sources to sinks, wherein the tainted flows are flows passing information to sinks without the information being endorsed by a sanitizer. Apparatus and program products are also disclosed.