SATriage is the first automated defect analysis process that allows the developer to fully understand each defect and its context, importance, and risk factors. Our intelligent interactive platform uses an innovative suite of weighting algorithms, coupled with proprietary defect relationship data, to accurately reduce false positives, identify the software defects most likely to be exploited, and highlight the greatest security concerns specific to an application. SATriage quickly analyzes defects based on an application’s context and assigns a degree of urgency to each one. Context sensitivity is critical in triage to highlight the defects that are truly urgent to an application, since defect importance differs substantially based on application architecture, functionality, and usage patterns.
WHAT WE OFFER
The SATriage process starts with importing results from numerous ASTs, while normalizing, correcting, and merging the results. “84% [of organizations] report challenges due to too many AppSec tools, making DevOps integration difficult. 43% of companies report that they have between 11-20 AppSec tools in use, while 22% said they use between 21-50.” [10] Each tool has its own nomenclature and taxonomy. In addition, CyberSagacity has found that 25% of reported defects are mis-classified by AST tools.
Once defect reports are imported, normalized, and corrected, SATriage performs a detailed analysis of each defect:
▷ Determining the likelihood and importance of every possible consequence of each defect.
▷ Performing false positive assessment, offering specific quick check validation information.
▷ Performing attack vector and ease-of-exploitation analyses to determine likelihood of attack.
▷ Triaging and prioritizing results, based on application context, severity & likelihood of consequences, ease-of-exploitation, and confidence in result.
Once a defect analysis is complete, SATriage sorts the defects in order of importance.
SATriage’s clear, easy-to-read reports describe the full context for each defect: attack patterns and ease of exploit, likelihood and severity of consequences, confidence in the result, importance to application context, security and operational risks, and the impact on application architecture. By understanding all contextual attributes of each defect, SATriage can zero in on the defects that lie in the rare intersection of causing severe consequences, mattering to the application, being likely true positives, and being easy to exploit. The result is that SATriage can reduce 50,000 - 250,000 defects down to a few dozen that are truly urgent to an application, without missing a single high priority issue, as shown in the screenshots and sample results table.
Defect prioritization for a mature open-source project
Table 1. SATriage results for 6 mature open-source projects; defects found by 2 popular commercial SAST tools.
| Open Source Project | Languages | Size (KLOC) | Defect Count | SATriage Severe | SATriage Moderate |
|---|---|---|---|---|---|
| A | Java, Javascript | 597 | 62,993 | 212 | 3 |
| C | Java, Python, Javascript | 1087 | 34,780 | 158 | 18 |
| X | Java, Python, Javascript | 327 | 235,838 | 21 | 1 |
| S | Java, Javascript | 325 | 8,056 | 99 | 91 |
| P | C/C++ | 422 | 10,545 | 83 | 448 |
| K | C/C++ | 247 | 7,444 | 11 | 3 |
Defects exploited by Deceptive Interactions (spoofing)