Patents Assigned to Veracode, Inc.
  • Patent number: 11899800
    Abstract: A system to create a stacked classifier model combination or classifier ensemble has been designed for identification of undisclosed flaws in software components on a large-scale. This classifier ensemble is capable of at least a 54.55% improvement in precision. The system uses a K-folding cross validation algorithm to partition a sample dataset and then train and test a set of N classifiers with the dataset folds. At each test iteration, trained models of the set of classifiers generate probabilities that a sample has a flaw, resulting in a set of N probabilities or predictions for each sample in the test data. With a sample size of S, the system passes the S sets of N predictions to a logistic regressor along with “ground truth” for the sample dataset to train a logistic regression model. The trained classifiers and the logistic regression model are stored as the classifier ensemble.
    Type: Grant
    Filed: June 28, 2022
    Date of Patent: February 13, 2024
    Assignee: Veracode, Inc.
    Inventors: Asankhaya Sharma, Yaqin Zhou
  • Patent number: 11593492
    Abstract: At least a static analysis and a dynamic analysis to perform for a first software application are determined based, at least in part, on a profile of the first software application. The first software application is analyzed with the static analysis to generate static analysis results. The first software application is analyzed with dynamic analysis to generate dynamic analysis results. An assessment report is generated based on the static analysis results and the dynamic analysis results, wherein the assessment report indicates a security score of the first software application that is based, at least in part, on the static analysis results and the dynamic analysis results.
    Type: Grant
    Filed: August 7, 2020
    Date of Patent: February 28, 2023
    Assignee: Veracode, Inc.
    Inventors: Christopher J. Wysopal, Christopher J. Eng
  • Patent number: 11526610
    Abstract: A method and apparatus utilize a peer-to-peer network of security nodes collectively adhering to a protocol for inter-node communication. The system comprises a plurality of first security nodes, at least one second security node, and at least one third security node. The plurality of first security nodes receive at least one of pre-trained detection models and rules, monitor at least one of a blockchain and connected devices for malicious behavior based on the received at least one of pre-trained detection models and rules, and report the malicious behavior. The at least one second security node creates and communicates the at least one of pre-trained detection models and rules to the plurality of first security nodes. The at least one third security node is informed by the at least one second security node of the reported malicious behavior.
    Type: Grant
    Filed: May 21, 2019
    Date of Patent: December 13, 2022
    Assignee: Veracode, Inc.
    Inventors: Anna Bacher, Erich Gstrein
  • Patent number: 11438358
    Abstract: In a system for determining vulnerabilities associated with a web property, requests are communicated to network accessible servers associated with a set of one or more domains. Software components indicated in responses from the network accessible servers are identified. Vulnerability information is obtained for the software components. An aggregate vulnerability is determined for each network accessible server based on at least one of a ratio of software components of the network accessible server indicated as vulnerable by the vulnerability information to total software components used by the network accessible server and a frequency of use of those of the plurality of software components of the network accessible server indicated as vulnerable by the vulnerability information. Vulnerability of the network accessible servers is indicated based on the aggregate vulnerabilities.
    Type: Grant
    Filed: June 18, 2018
    Date of Patent: September 6, 2022
    Assignee: Veracode, Inc.
    Inventor: Michael Floering
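    The per-server aggregation this abstract describes, as an added Python example that is not Veracode's code: components are fingerprinted from response headers and script references, then scored by both the vulnerable-to-total ratio of distinct components and the share of component uses that are vulnerable. The vulnerability table, the two responses and the equal-weight blend of the two signals are constructed assumptions.

```python
"""Per-server aggregate vulnerability from components fingerprinted in HTTP
responses (added example; the lookup table and responses are constructed)."""
import re
from collections import Counter

# Constructed vulnerability table: (component, version) -> known vulnerable?
# A real system would query an advisory database instead.
VULNERABLE = {
    ("apache", "2.4.49"): True, ("apache", "2.4.57"): False,
    ("php", "7.2.0"): True, ("php", "8.2.1"): False,
    ("jquery", "1.8.3"): True, ("jquery", "3.7.1"): False,
    ("nginx", "1.25.3"): False,
}

HEADER_PATTERNS = [
    ("server", re.compile(r"(apache|nginx)/([\d.]+)", re.I)),
    ("x-powered-by", re.compile(r"(php)/([\d.]+)", re.I)),
]
SCRIPT_PATTERN = re.compile(r'src="[^"]*?(jquery)-([\d.]+)(?:\.min)?\.js"', re.I)


def identify_components(response):
    """Return [(name, version), ...] with one entry per occurrence, so the
    frequency of use of each component is preserved."""
    found = []
    for header, pattern in HEADER_PATTERNS:
        match = pattern.search(response["headers"].get(header, ""))
        if match:
            found.append((match.group(1).lower(), match.group(2)))
    for match in SCRIPT_PATTERN.finditer(response["body"]):
        found.append((match.group(1).lower(), match.group(2)))
    return found


def aggregate_vulnerability(components):
    """Combine the two signals from the abstract: the vulnerable/total ratio of
    distinct components and the share of component uses that are vulnerable."""
    if not components:
        return {"ratio": 0.0, "frequency": 0.0, "score": 0.0, "vulnerable": []}
    distinct = set(components)
    vulnerable = {c for c in distinct if VULNERABLE.get(c, False)}
    ratio = len(vulnerable) / len(distinct)
    uses = Counter(components)
    frequency = sum(n for c, n in uses.items() if c in vulnerable) / sum(uses.values())
    return {
        "ratio": ratio,
        "frequency": frequency,
        "score": round((ratio + frequency) / 2, 3),  # equal-weight blend (assumption)
        "vulnerable": sorted(vulnerable),
    }


def assess_servers(responses):
    """host -> aggregate vulnerability, for every server of the web property."""
    return {host: aggregate_vulnerability(identify_components(r)) for host, r in responses.items()}


# Constructed responses for two hosts in one web property.
RESPONSES = {
    "www.example.test": {
        "headers": {"server": "Apache/2.4.57 (Unix)", "x-powered-by": "PHP/7.2.0"},
        "body": '<script src="/js/jquery-1.8.3.min.js"></script>'
                '<script src="/js/jquery-1.8.3.min.js"></script>',
    },
    "static.example.test": {
        "headers": {"server": "nginx/1.25.3"},
        "body": '<script src="/lib/jquery-3.7.1.min.js"></script>',
    },
}

if __name__ == "__main__":
    for host, result in assess_servers(RESPONSES).items():
        print(host, result)
```

Counting occurrences rather than de-duplicating before scoring is what lets the frequency term differ from the ratio term: a vulnerable library pulled in on every page weighs more than one referenced once.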
  • Patent number: 11416622
    Abstract: A system to create a stacked classifier model combination or classifier ensemble has been designed for identification of undisclosed flaws in software components on a large-scale. This classifier ensemble is capable of at least a 54.55% improvement in precision. The system uses a K-folding cross validation algorithm to partition a sample dataset and then train and test a set of N classifiers with the dataset folds. At each test iteration, trained models of the set of classifiers generate probabilities that a sample has a flaw, resulting in a set of N probabilities or predictions for each sample in the test data. With a sample size of S, the system passes the S sets of N predictions to a logistic regressor along with “ground truth” for the sample dataset to train a logistic regression model. The trained classifiers and the logistic regression model are stored as the classifier ensemble.
    Type: Grant
    Filed: August 20, 2018
    Date of Patent: August 16, 2022
    Assignee: Veracode, Inc.
    Inventors: Asankhaya Sharma, Yaqin Zhou
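    The stacking procedure shared by this entry and the related 11899800 entry above, as an added Python example that is not Veracode's code: K-fold partitioning, N base classifiers trained per fold, S x N out-of-fold probabilities, and a logistic regressor trained on those probabilities against the ground truth. The base learners (logistic regressions over different feature subsets), the commit-level features and the 20 labelled samples are constructed for illustration; nothing here reproduces the precision figure claimed in the abstract.

```python
"""Stacked classifier ensemble: K-fold out-of-fold predictions feed a
logistic-regression meta-model (added example, not Veracode's code)."""
import math
import random


class LogisticRegressor:
    """Minimal logistic regression trained by batch gradient descent."""

    def __init__(self, lr=0.1, epochs=800):
        self.lr, self.epochs = lr, epochs
        self.w, self.b = [], 0.0

    def fit(self, X, y):
        n_features, m = len(X[0]), len(X)
        self.w, self.b = [0.0] * n_features, 0.0
        for _ in range(self.epochs):
            grad_w, grad_b = [0.0] * n_features, 0.0
            for xi, yi in zip(X, y):
                err = self.predict_proba(xi) - yi
                for j in range(n_features):
                    grad_w[j] += err * xi[j]
                grad_b += err
            for j in range(n_features):
                self.w[j] -= self.lr * grad_w[j] / m
            self.b -= self.lr * grad_b / m
        return self

    def predict_proba(self, x):
        z = sum(wj * xj for wj, xj in zip(self.w, x)) + self.b
        return 1.0 / (1.0 + math.exp(-z))


class ColumnClassifier:
    """Base learner: logistic regression over a subset of feature columns,
    standing in for the N heterogeneous classifiers of the abstract."""

    def __init__(self, columns):
        self.columns, self.model = columns, LogisticRegressor()

    def _view(self, x):
        return [x[c] for c in self.columns]

    def fit(self, X, y):
        self.model.fit([self._view(x) for x in X], y)
        return self

    def predict_proba(self, x):
        return self.model.predict_proba(self._view(x))


def k_fold_indices(n, k, seed=0):
    """Partition sample indices 0..n-1 into k shuffled folds."""
    idx = list(range(n))
    random.Random(seed).shuffle(idx)
    return [idx[i::k] for i in range(k)]


class StackedEnsemble:
    def __init__(self, make_bases, k=5):
        self.make_bases = make_bases  # factory returning N fresh base classifiers
        self.k = k
        self.bases, self.meta = [], LogisticRegressor()

    def fit(self, X, y):
        n = len(X)
        level1 = [None] * n  # S rows, each holding N out-of-fold probabilities
        for test_idx in k_fold_indices(n, self.k):
            held_out = set(test_idx)
            X_tr = [X[i] for i in range(n) if i not in held_out]
            y_tr = [y[i] for i in range(n) if i not in held_out]
            fold_models = [m.fit(X_tr, y_tr) for m in self.make_bases()]
            for i in test_idx:  # predictions only on samples this fold never trained on
                level1[i] = [m.predict_proba(X[i]) for m in fold_models]
        self.meta.fit(level1, y)  # S x N predictions + ground truth -> meta-model
        self.bases = [m.fit(X, y) for m in self.make_bases()]  # refit on all data
        return self

    def predict_proba(self, x):
        return self.meta.predict_proba([m.predict_proba(x) for m in self.bases])


# Constructed toy dataset: per-commit features
# [security keywords in message, files changed, test added] -> 1 = flaw fix.
SAMPLES = [
    ([3, 2, 0], 1), ([4, 1, 0], 1), ([2, 3, 1], 1), ([3, 5, 0], 1), ([2, 1, 0], 1),
    ([4, 4, 1], 1), ([3, 3, 1], 1), ([2, 6, 0], 1), ([3, 1, 1], 1), ([4, 2, 0], 1),
    ([0, 2, 1], 0), ([1, 1, 1], 0), ([0, 4, 0], 0), ([0, 1, 1], 0), ([1, 3, 0], 0),
    ([0, 6, 1], 0), ([1, 2, 1], 0), ([0, 3, 0], 0), ([1, 5, 1], 0), ([0, 1, 0], 0),
]


def make_bases():
    return [ColumnClassifier([0]), ColumnClassifier([1, 2]), ColumnClassifier([0, 1, 2])]


def train_ensemble():
    X = [features for features, _ in SAMPLES]
    y = [label for _, label in SAMPLES]
    return StackedEnsemble(make_bases, k=5).fit(X, y)


def accuracy(ensemble, samples):
    hits = sum((ensemble.predict_proba(x) >= 0.5) == bool(label) for x, label in samples)
    return hits / len(samples)


if __name__ == "__main__":
    ens = train_ensemble()
    print("train accuracy:", accuracy(ens, SAMPLES))
    print("P(flaw | 4 keywords, 1 file, no test):", round(ens.predict_proba([4, 1, 0]), 3))
```

The point of the fold loop is that the meta-model only ever sees predictions made on samples the base models did not train on; feeding it in-sample probabilities would let it learn the base models' overfitting rather than their real reliability.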
  • Patent number: 10803061
    Abstract: To analyze open-source code at a large scale, a security domain graph language (“SGL”) has been created that functions as a vulnerability description language and facilitates program analysis queries. The SGL facilitates building and maintaining a graph database to catalogue vulnerabilities found in open-source components. This graphical database can be accessed via a database interface directly or accessed by an agent that interacts with the database interface. To build the graph database, a database interface processes an open-source component and creates graph structures which represent relationships present in the open-source component. The database interface transforms a vulnerability description into a canonical form based on a schema for the graph database and updates the database based on a determination of whether the vulnerability is a duplicate. This ensures quality and consistency of the vulnerability dataset maintained in the graph database.
    Type: Grant
    Filed: July 31, 2018
    Date of Patent: October 13, 2020
    Assignee: Veracode, Inc.
    Inventors: Darius Tsien Wei Foo, Ming Yi Ang, Jie Shun Yeo, Asankhaya Sharma
  • Patent number: 10776497
    Abstract: Security analysis and vulnerability testing results are “packaged” or “bound to” the actual software they describe. By linking the results to the software itself, downstream users of the software can access information about the software, make informed decisions about implementation of the software, and analyze the security risk across an entire system by accessing all (or most) of the reports associated with the executables running on the system and summarizing the risks identified in the reports.
    Type: Grant
    Filed: April 29, 2019
    Date of Patent: September 15, 2020
    Assignee: Veracode, Inc.
    Inventors: Christopher J. Wysopal, Christopher J. Eng, Matthew P. Moynahan
  • Patent number: 10762206
    Abstract: A method comprises, based on receiving a request to analyze at least a first mobile application, scheduling the request for a first sandbox. The first mobile application is analyzed based on the request, wherein the analysis of the first mobile application comprises performing a behavioral analysis of the first mobile application within the first sandbox and performing a static analysis of the first mobile application. A first feature vector is generated based on data resulting from the analysis of the first mobile application. The first mobile application is determined to comprise malware based, at least in part, on comparing the first feature vector with at least a second feature vector, wherein the second feature vector was generated based on at least one of a static analysis and a behavioral analysis of malware.
    Type: Grant
    Filed: May 16, 2017
    Date of Patent: September 1, 2020
    Assignee: Veracode, Inc.
    Inventors: Theodora H. Titonis, Nelson R. Manohar-Alers, Christopher J. Wysopal
  • Patent number: 10740464
    Abstract: In a system for facilitating detection of vulnerabilities in a deployed software application, a software component (also called a self-scanning component) is provided for integration with the software application. The self-scanning component is configured to detect one or more conditions associated with the deployment of the software application and, upon the detection of such condition(s), to collect and/or transmit at least a portion of the application code to a vulnerability scanner. The self-scanning component can receive a vulnerability report from the scanner and can present the report or an analysis of the report. The presentation can be a display or inclusion of the report or analysis thereof in a log generated by the software application.
    Type: Grant
    Filed: June 2, 2017
    Date of Patent: August 11, 2020
    Assignee: Veracode, Inc.
    Inventor: Bradford M. Smith
  • Patent number: 10587612
    Abstract: A system for automating login can determine if a web artifact, such as a web page, includes a login form, by identifying a password field, a user ID field, and a submit button or another element providing the functionality to submit credentials for authorization. Submission of user credentials may be emulated, and access to password protected areas can be ascertained, e.g., by identifying any element that permits signing out from the password protected area.
    Type: Grant
    Filed: October 27, 2017
    Date of Patent: March 10, 2020
    Assignee: Veracode, Inc.
    Inventor: Daniel Linszner
  • Patent number: 10523701
    Abstract: In a system for configuring a web application firewall, one or more parameters of the firewall are adjusted such that a test configured for exposing a vulnerability of an application protected by the application firewall is blocked by the firewall and another test configured to invoke functionality of the application but that does not expose or exploit any security vulnerability is not blocked by the firewall. A notification is provided to a user if such a firewall configuration is not found after a specified number of attempts.
    Type: Grant
    Filed: October 16, 2018
    Date of Patent: December 31, 2019
    Assignee: Veracode, Inc.
    Inventor: Erik J. Peterson
  • Patent number: 10275600
    Abstract: Security analysis and vulnerability testing results are “packaged” or “bound to” the actual software they describe. By linking the results to the software itself, downstream users of the software can access information about the software, make informed decisions about implementation of the software, and analyze the security risk across an entire system by accessing all (or most) of the reports associated with the executables running on the system and summarizing the risks identified in the reports.
    Type: Grant
    Filed: May 26, 2015
    Date of Patent: April 30, 2019
    Assignee: Veracode, Inc.
    Inventors: Christopher J. Wysopal, Christopher J. Eng, Matthew P. Moynahan
  • Patent number: 10275601
    Abstract: In a system for attributing one or more vulnerabilities in a software application to one or more developers, information identifying the source of a vulnerability is obtained from a vulnerability report. From a repository, developer-related information associated with the identified source is obtained. One or more developers are selected from the developer-related information according to one or more specified rules, and the defect is attributed to the selected developer(s). Attribution of the defect may indicate that the developer(s) contributed to introduction of the defect or to remedying the defect.
    Type: Grant
    Filed: June 8, 2016
    Date of Patent: April 30, 2019
    Assignee: Veracode, Inc.
    Inventor: Bradford M. Smith
  • Patent number: 10229273
    Abstract: In a system for determining components of a software application from binary code thereof, one or more binary files are read without loading any component/object in the files in an execution environment that can execute the software application. A component in one of the files, designated as a primary component, is visited to identify a path specifying origin of a secondary component that is associated with the primary component, and the identified path is stored. Analysis of the path can indicate whether the secondary component is provided by the developer of the software application or by a different entity.
    Type: Grant
    Filed: August 1, 2016
    Date of Patent: March 12, 2019
    Assignee: Veracode, Inc.
    Inventor: Mansi Sheth
  • Patent number: 10223533
    Abstract: A system for detecting XSS vulnerabilities includes determining the context in which a probe supplied as an input to a webpage or an application exists in a script associated with the webpage or application. A payload is generated based on, at least in part, the context such that during execution of the script, an executable code fragment in the payload can escape out of the context in which the probe exists and into the global context of the script. The payload may include additional characters that prevent the payload from causing errors in the execution of the script.
    Type: Grant
    Filed: October 21, 2014
    Date of Patent: March 5, 2019
    Assignee: Veracode, Inc.
    Inventor: Isaac M. Dawson
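    The context-then-payload approach in this abstract, as an added Python example that is not Veracode's code: a small lexer classifies where a reflected probe lands in a script (bare code, single- or double-quoted string, template literal, line or block comment), a payload is chosen that closes that construct and appends trailing characters so the rest of the statement still parses, and the result is re-scanned to confirm the marker now sits in global code. The probe string, the marker and the six script templates are constructed; `${...}` interpolation inside template literals is not modelled.

```python
"""Context-aware XSS payload generation: locate a probe inside a script,
classify its lexical context, and build a payload that breaks out into
global code (added example; templates and the probe are constructed)."""

PROBE = "zzqprobe"
MARKER = "alert(1)"
CLOSERS = {"sq": "'", "dq": '"', "tpl": "`"}
OPENERS = {v: k for k, v in CLOSERS.items()}

# Payload per context: close the enclosing construct, run MARKER, then
# neutralise whatever follows so the script still parses.
PAYLOADS = {
    "code": "1;{m};//",
    "sq": "';{m};//",
    "dq": '";{m};//',
    "tpl": "`;{m};//",
    "line": "\n{m};//",
    "block": "*/{m};/*",
}


def context_at(script, pos):
    """Lexical state (code, sq, dq, tpl, line, block) at character index pos."""
    state, i = "code", 0
    while i < pos:
        c = script[i]
        nxt = script[i + 1] if i + 1 < len(script) else ""
        if state == "code":
            if c in OPENERS:
                state = OPENERS[c]
            elif c == "/" and nxt == "/":
                state, i = "line", i + 1
            elif c == "/" and nxt == "*":
                state, i = "block", i + 1
        elif state in CLOSERS:
            if c == "\\":
                i += 1  # skip the escaped character
            elif c == CLOSERS[state]:
                state = "code"
        elif state == "line" and c == "\n":
            state = "code"
        elif state == "block" and c == "*" and nxt == "/":
            state, i = "code", i + 1
        i += 1
    return state


def probe_context(script, probe=PROBE):
    """Context of the first reflection of the probe, or None if not reflected."""
    pos = script.find(probe)
    return None if pos < 0 else context_at(script, pos)


def build_payload(context, marker=MARKER):
    return PAYLOADS[context].format(m=marker)


def escapes_to_global(template, probe=PROBE, marker=MARKER):
    """Full cycle: reflect the probe, classify, inject the payload, and verify
    that the marker would execute in global code context."""
    context = probe_context(template.format(probe), probe)
    payload = build_payload(context, marker)
    injected = template.format(payload)
    return context, payload, context_at(injected, injected.find(marker)) == "code"


# Constructed script templates; {} is where the server reflects user input.
TEMPLATES = {
    "sq": "var user = '{}';\nrender(user);",
    "dq": 'var user = "{}";\nrender(user);',
    "tpl": "var msg = `Hello {}`;\nrender(msg);",
    "code": "var id = {};\nrender(id);",
    "line": "// last search: {}\nrender();",
    "block": "/* note: {} */\nrender();",
}

if __name__ == "__main__":
    for name, template in TEMPLATES.items():
        print(name, escapes_to_global(template))
```

The re-scan at the end is the check that matters in a scanner: the payload's trailing `//` or `/*` is what keeps the leftover closing quote or comment terminator from turning the injected script into a syntax error, and a payload that leaves the marker inside a string or comment is a false positive.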
  • Patent number: 10129284
    Abstract: In a system for configuring a web application firewall, one or more parameters of the firewall are adjusted such that a test configured for exposing a vulnerability of an application protected by the application firewall is blocked by the firewall and another test configured to invoke functionality of the application but that does not expose or exploit any security vulnerability is not blocked by the firewall. A notification is provided to a user if such a firewall configuration is not found after a specified number of attempts.
    Type: Grant
    Filed: September 25, 2014
    Date of Patent: November 13, 2018
    Assignee: Veracode, Inc.
    Inventor: Erik J. Peterson
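    The tuning loop from this abstract and the related 10523701 entry above, as an added Python example that is not Veracode's code: a simulated anomaly-scoring firewall (in the style of rule sets with a paranoia level and a blocking threshold) is stepped through candidate parameter sets, strictest first, until the attack test is blocked and the benign test is not, and a notification is returned when no candidate works within the attempt budget. The rules, the candidate grid, the attempt limit and the three test requests are constructed.

```python
"""Tuning WAF parameters against a positive (attack) and a negative (benign)
test until the first is blocked and the second passes (added example)."""
import re

# Constructed rule set in the style of an anomaly-scoring WAF: each rule has a
# score and the minimum paranoia level at which it is active.
RULES = [
    ("sqli-tautology", re.compile(r"'\s*or\s+\d+\s*=\s*\d+", re.I), 5, 1),
    ("xss-script-tag", re.compile(r"<\s*script", re.I), 5, 1),
    ("sql-comment", re.compile(r"--|/\*"), 3, 2),
    ("single-quote", re.compile(r"'"), 2, 3),
]


def anomaly_score(params, request):
    """Sum of the weights of active rules that match any request parameter."""
    score = 0
    for _name, pattern, weight, min_level in RULES:
        if min_level <= params["paranoia"] and any(pattern.search(v) for v in request.values()):
            score += weight
    return score


def is_blocked(params, request):
    return anomaly_score(params, request) >= params["threshold"]


def candidate_configs():
    """Search order: strictest first, relaxing the threshold before the paranoia
    level, so the first hit is the tightest configuration that passes."""
    return [{"paranoia": p, "threshold": t} for p in (3, 2, 1) for t in (3, 5, 8)]


def tune_firewall(attack_test, benign_test, max_attempts=9):
    """Return the first config that blocks the attack test and passes the benign
    one, or a notification when none is found within max_attempts."""
    candidates = candidate_configs()[:max_attempts]
    for attempt, params in enumerate(candidates, start=1):
        if is_blocked(params, attack_test) and not is_blocked(params, benign_test):
            return {"status": "configured", "params": params, "attempts": attempt}
    return {
        "status": "notify",
        "params": None,
        "attempts": len(candidates),
        "message": "no configuration separates the tests; manual review required",
    }


# Constructed tests: an SQL injection probe, legitimate input that overlaps
# with the noisier rules (an apostrophe, a '--' in free text), and a benign
# forum post that quotes the attack string verbatim.
ATTACK = {"q": "' OR 1=1 --"}
BENIGN = {"name": "O'Brien", "note": "see section 4 -- updated"}
UNSEPARABLE = {"post": "Why does ' OR 1=1 -- bypass my login?"}

if __name__ == "__main__":
    print(tune_firewall(ATTACK, BENIGN))
    print(tune_firewall(ATTACK, UNSEPARABLE))
```

Searching from the strictest candidate downward matters: any configuration loose enough to pass the benign test will also pass it at a higher threshold, so stopping at the first success yields the most restrictive firewall that still does not break the application's functional test.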
  • Publication number: 20180198773
    Abstract: A system for automating login can determine if a web artifact, such as a web page, includes a login form, by identifying a password field, a user ID field, and a submit button or another element providing the functionality to submit credentials for authorization. Submission of user credentials may be emulated, and access to password protected areas can be ascertained, e.g., by identifying any element that permits signing out from the password protected area.
    Type: Application
    Filed: October 27, 2017
    Publication date: July 12, 2018
    Applicant: Veracode, Inc.
    Inventor: Daniel Linszner
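    The login-form detection described in this application and in the granted 10587612 entry above, as an added Python example that is not Veracode's code: a standard-library HTML parser collects each form's password field, user-ID field and submit control, an emulated submission is built from those fields plus any hidden ones (such as a CSRF token), and the post-login page is checked for a sign-out element. The two pages, the field-name heuristics and the first-text-field fallback are constructed assumptions.

```python
"""Detecting a login form in a web page, emulating credential submission and
checking for a sign-out element (added example; pages are constructed)."""
import re
from html.parser import HTMLParser
from urllib.parse import urlencode

USER_FIELD = re.compile(r"user|login|email|account", re.I)
SIGNOUT = re.compile(r"sign\s*-?\s*out|log\s*-?\s*out|logoff", re.I)


class PageScanner(HTMLParser):
    """Collects every <form> with its candidate credential fields, and notes
    any anchor or button whose href or text indicates sign-out."""

    def __init__(self):
        super().__init__()
        self.forms, self.signout = [], False
        self._form, self._in_link = None, False

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self._form = {"action": a.get("action", ""), "method": (a.get("method") or "get").lower(),
                          "user": None, "password": None, "submit": None,
                          "hidden": [], "text_inputs": []}
        elif tag == "input" and self._form is not None:
            kind, name = (a.get("type") or "text").lower(), a.get("name", "")
            if kind == "password" and self._form["password"] is None:
                self._form["password"] = name
            elif kind in ("text", "email"):
                self._form["text_inputs"].append(name)
                if self._form["user"] is None and USER_FIELD.search(name + " " + a.get("id", "")):
                    self._form["user"] = name
            elif kind == "submit":
                self._form["submit"] = name or a.get("value") or "submit"
            elif kind == "hidden":
                self._form["hidden"].append((name, a.get("value", "")))
        elif tag == "button" and self._form is not None:
            if (a.get("type") or "submit").lower() == "submit":
                self._form["submit"] = a.get("name") or "button"
        elif tag in ("a", "button"):
            self._in_link = True
            if SIGNOUT.search(a.get("href", "")):
                self.signout = True

    def handle_data(self, data):
        if self._in_link and SIGNOUT.search(data):
            self.signout = True

    def handle_endtag(self, tag):
        if tag == "form" and self._form is not None:
            if self._form["user"] is None and self._form["text_inputs"]:
                self._form["user"] = self._form["text_inputs"][0]  # fallback: first text field
            self.forms.append(self._form)
            self._form = None
        elif tag in ("a", "button"):
            self._in_link = False


def find_login_form(html):
    """A login form needs a password field, a user-ID field and a way to submit."""
    scanner = PageScanner()
    scanner.feed(html)
    for form in scanner.forms:
        if form["password"] and form["user"] and form["submit"]:
            return form
    return None


def emulate_submission(form, username, password):
    """The request an automated login would send: hidden fields (e.g. a CSRF
    token) are carried along with the credentials."""
    fields = form["hidden"] + [(form["user"], username), (form["password"], password)]
    return form["method"], form["action"], urlencode(fields)


def has_signout(html):
    """Presence of a sign-out element is the signal that a protected area was reached."""
    scanner = PageScanner()
    scanner.feed(html)
    return scanner.signout


# Constructed pages: a search form that must not be mistaken for login, the
# real login form, and the page served after a successful login.
LOGIN_PAGE = """<html><body>
<form action="/search" method="get">
  <input type="text" name="q"><input type="submit" value="Go">
</form>
<form action="/login" method="post">
  <input type="hidden" name="csrf" value="abc123">
  <label>Email</label><input type="email" name="email" id="email">
  <label>Password</label><input type="password" name="pass">
  <button type="submit">Sign in</button>
</form>
</body></html>"""
AFTER_LOGIN = '<html><body><nav><a href="/account">Account</a> <a href="/logout">Sign out</a></nav></body></html>'

if __name__ == "__main__":
    form = find_login_form(LOGIN_PAGE)
    print(emulate_submission(form, "alice", "s3cret"), has_signout(AFTER_LOGIN))
```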
  • Patent number: 9934385
    Abstract: In a system for facilitating distributed security and vulnerability testing of a software application, each development sandbox in a set of sandboxes receives a portion of the entire application, and the received portion may be tested based on an application-level security policy to obtain a pass/fail result. The portion of the application corresponding to a certain sandbox may be modified and rescanned (i.e., retested) until the modifications (i.e., the development work) achieve functional and quality requirements and a pass result is obtained. Thereafter, the scan results are promoted to a policy sandbox, where a compliance result for the entire software application can be obtained based on, at least in part, the promoted results. Other sandboxes may also perform their respective pass/fail testing using the promoted results, thus minimizing the need for synchronizing the code changes in different sandboxes before testing for security policy in any sandbox and/or during application-level scanning.
    Type: Grant
    Filed: November 23, 2015
    Date of Patent: April 3, 2018
    Assignee: Veracode, Inc.
    Inventor: Peter J. Chestna
  • Publication number: 20180075233
    Abstract: In a system for protecting user accessible software applications, an application is executed in coordination with a security agent, and the security agent can monitor communications between users and the application. By analyzing one or more automation characteristics of the communications, and by comparing and contrasting these characteristics with those of known security scanners, the agent can determine whether the communication is likely associated with a malicious user. The agent can also monitor whether a communication attempts to change the value of a decoy unit, and can designate such communication as associated with a likely malicious user. By analyzing the contents of the communication, the agent can designate a threat level to the communication. The agent can block the communications likely associated with malicious users and/or having a designated high threat level, or can alert a system administrator, to protect the software application.
    Type: Application
    Filed: September 13, 2016
    Publication date: March 15, 2018
    Applicant: Veracode, Inc.
    Inventor: Scott Matthew Gray
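    The agent logic this application describes, as an added Python example that is not Veracode's code: each request is scored on automation characteristics (burst rate per client, scanner-style user agents), on whether a hidden decoy field arrives with a value no real user would have changed, and on attack content in the parameters, and the combined threat level maps to allow, alert or block. The request log, the user-agent and content patterns, the decoy field, the rate window and the level-to-decision cut-offs are constructed assumptions.

```python
"""Request-time agent that flags likely-malicious clients from automation
characteristics, decoy-field tampering and payload content (added example;
the log lines and thresholds are constructed)."""
import re
from collections import defaultdict

SCANNER_UA = re.compile(r"sqlmap|nikto|zgrab|python-requests|curl/", re.I)
ATTACK_CONTENT = [
    ("sqli", re.compile(r"'\s*or\s+\d+\s*=\s*\d+|union\s+select", re.I), 3),
    ("xss", re.compile(r"<\s*script|javascript:", re.I), 3),
    ("traversal", re.compile(r"\.\./"), 2),
]
DECOY_FIELD, DECOY_VALUE = "_account_ref", "d3c0y"  # hidden field real users never edit
RATE_LIMIT, WINDOW = 5, 10.0  # more than 5 requests in 10 s counts as automation


class SecurityAgent:
    def __init__(self):
        self.history = defaultdict(list)  # client -> request timestamps in the window

    def _automation_score(self, req):
        """Automation characteristics: burst rate and scanner user agents."""
        timestamps = self.history[req["client"]]
        timestamps.append(req["ts"])
        timestamps[:] = [t for t in timestamps if req["ts"] - t <= WINDOW]
        score = 0
        if len(timestamps) > RATE_LIMIT:
            score += 2
        if SCANNER_UA.search(req.get("ua", "")):
            score += 2
        return score

    def _content_score(self, req):
        return sum(weight for _name, pattern, weight in ATTACK_CONTENT
                   if any(pattern.search(v) for v in req["params"].values()))

    def _decoy_tampered(self, req):
        sent = req["params"].get(DECOY_FIELD)
        return sent is not None and sent != DECOY_VALUE

    def assess(self, req):
        """Returns (decision, threat_level, reasons) for one request."""
        level, reasons = 0, []
        automation = self._automation_score(req)
        if automation:
            level += automation
            reasons.append("automation")
        content = self._content_score(req)
        if content:
            level += content
            reasons.append("attack-content")
        if self._decoy_tampered(req):
            level += 4
            reasons.append("decoy-tampered")
        decision = "block" if level >= 4 else "alert" if level else "allow"
        return decision, level, reasons


def replay(log):
    """Run a request log through a single agent; returns one decision per request."""
    agent = SecurityAgent()
    return [agent.assess(req) for req in log]


# Constructed request log: a normal user, a scanner bursting seven requests in
# 2.5 s with an SQLi probe in the last one, and a browser-like client that
# edited the hidden decoy field.
LOG = [
    {"client": "10.0.0.5", "ts": 0.0, "ua": "Mozilla/5.0",
     "params": {"q": "laptops", DECOY_FIELD: DECOY_VALUE}},
    *[{"client": "203.0.113.9", "ts": 0.4 * i, "ua": "sqlmap/1.7", "params": {"id": str(i)}}
      for i in range(6)],
    {"client": "203.0.113.9", "ts": 2.5, "ua": "sqlmap/1.7", "params": {"id": "1' OR 1=1 --"}},
    {"client": "198.51.100.4", "ts": 3.0, "ua": "Mozilla/5.0",
     "params": {"q": "shoes", DECOY_FIELD: "admin"}},
]

if __name__ == "__main__":
    for req, verdict in zip(LOG, replay(LOG)):
        print(req["client"], req["params"], verdict)
```

The decoy check is the strongest single signal here because it has essentially no benign explanation: a browser submits the hidden field unchanged, so a modified value means the client is constructing requests itself.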
  • Patent number: 9916146
    Abstract: Presently described is a decompilation method of operation and system for parsing executable code, identifying and recursively modeling data flows, identifying and recursively modeling control flow, and iteratively refining these models to provide a complete model at the nanocode level. The nanocode decompiler may be used to determine if flaws, security vulnerabilities, or general quality issues exist in the code. The nanocode decompiler outputs in a standardized, human-readable intermediate representation (IR) designed for automated or scripted analysis and reporting. Reports may take the form of a computer annotated and/or partially human annotated nanocode listing in the above-described IR. Annotations may include plain English statements regarding flaws and pointers to badly constructed data structures, unchecked buffers, malicious embedded code or “trap doors,” and the like. Annotations may be generated through a scripted analysis process or by means of an expert-enhanced, quasi-autonomous system.
    Type: Grant
    Filed: January 29, 2016
    Date of Patent: March 13, 2018
    Assignee: Veracode, Inc.
    Inventor: Christien Rioux