DHS Funding Research for ThreadFix Hybrid Analysis Mapping (HAM)


We have been working on this for a couple of months now, but only recently got around to talking about it publicly. Denim Group was recently awarded a contract with the Departmernt of Homeland Security (DHS) to do some research on Hybrid Analysis Mapping (HAM.) Specifcally, we are looking at merging the results of separate static and dynamic scanning scans.

We will be publishing more results of this along the way, and the truly brave can watch the development in real-time at the ThreadFix Google Code site.

The original release is online here and the full text of the release is:

Denim Group, the leading secure software development company, today announced that it was awarded a Phase 1 Small Business Innovation Research (SBIR) contract of $100,000 by the Department of Homeland Security to improve the accuracy and comprehensiveness of software vulnerability analysis activities.  This will enable security analysts and software developers to fix software applications, a key exposure point into systems of all kinds, faster and more easily than ever before.

“As software systems grow more capable and complex, they become more susceptible to flaws that prospective adversaries can exploit,” said Kevin E. Greene, Department of Homeland Security Science & Technology Cyber Security Division Program Manager.   “As a result of this contract, the research by Denim Group will create a Hybrid Analysis Mapping framework that will accelerate the discovery, identification, and remediation of application vulnerabilities to help further protect software systems from sophisticated cyber-attacks.  This technological innovation is a pivotal investment in protecting software systems that power our nation’s critical infrastructure and e-commerce industries.”

When software applications are being built, a key part of the software development life cycle is testing the software to validate that any given application is free from security-related flaws.  Conducting multiple types of software security analysis can be valuable to both find more vulnerabilities as well as reveal more data about previously identified vulnerabilities. This process consists of running dynamic, static and manual tests on each application in order to discover the majority of the vulnerabilities.  Static scans analyze an application’s source code or binary code. Dynamic scans test software at runtime and are also known as web application scanning, penetration testing, and/or black box testing.  The increased data can be valuable when it provides deeper insight into vulnerabilities; however, the increased data can also create challenges if it makes the overall problem harder to manage by requiring too much manual analysis or when it highlights a large number of low value or low priority vulnerabilities.

This research contract empowers Denim Group to develop a risk management framework called Hybrid Analysis Mapping that normalizes the results between automated static and dynamic security scans of web applications. According to the Department of Homeland Security Phase One SBIR Solicitation, no framework or standard currently exists that can map and correlate the vulnerability output from open source or commercially available static analysis tools with open source or commercially available dynamic analysis tools.  The Hybrid Analysis Mapping framework will be designed to correlate and merge the results of these test results.  This will significantly ease the process because many times both types of scans will find the same logical issue but label those issues differently.  In fact, according to vulnerability research from White Hat Security and Veracode, on average, it can take some organizations in excess of six months to resolve serious vulnerabilities.  The proposed Hybrid Analysis Mapping framework will systematize matching dynamic and static results against each other, saving substantial time and money by enabling a wide variety of applications to be safely put into operation as quickly as possible.

Centralizes application vulnerability data

Recognizing the severity of these problems, Denim Group has been conducting a multi-year research effort in this area.  The company used this research to create ThreadFix, an open source software vulnerability management system launched last year that collects, normalizes and centralizes application vulnerability data in a single location. ThreadFix has already made it much easier to manage software security programs within organizations by aggregating vulnerability test results into a centralized, comprehensive console to reveal the security status of all applications within an organization. The aggregated static, dynamic and manual penetration testing, code review and threat modeling results are then exported into the defect trackers already being used by the company’s software developers, injecting the resolution of these security tasks into their regular work flow.  ThreadFix also auto-generates web application firewall rules to protect corporate assets during the remediation process, increasing the company’s security posture.

The SBIR contract will empower Denim Group to do the research necessary to take ThreadFix to the next level.  Hybrid Analysis Mapping will enable ThreadFix to more accurately correlate the results of static scans against dynamic scans to de-duplicate results, delivering another significant breakthrough for today’s industry professionals. In addition, because ThreadFix is an open source product, the results of Denim Group’s research will be available for free to spur wider adoption and make it much easier and faster to fix this serious security issue in the industry as a whole.  This is important because cyber attacks against the U.S. continue to increase. In 2011 alone, the DHS US-CERT received more than 100,000 incident reports, and released more than 5,000 actionable cyber security alerts, with many of these being software-related vulnerabilities.  Further  illustrating the magnitude of this trend, 2012 numbers reflected a 35 percent increase in the number of cyber attacks.

The SBIR Award Confirms The Importance Of This Research

“ThreadFix was created to fill a perceived gap in secure application development, and it is gratifying to see the government confirm the importance of the research and the resulting product we’ve already developed,” said Dan Cornell, CTO of Denim Group.  “We’ve endeavored to make ThreadFix as easy to use as possible in order to change this dynamic in the industry.  Furthermore, ThreadFix will enable security analysts and developers to get more value out of the static and dynamic assessment tools they have already purchased.  As a result, security analysts can get runtime-analysis-like results with an open sourced product without having to purchase all new products – in fact, this research will let ThreadFix deliver equivalent results to better secure their applications against possible attacks.”

An Investment in Vulnerability Analysis Innovation

The SBIR program was created to invest federal research funds into innovative technological research that could solve critical American priorities to help build a strong national economy.   SBIR agencies award monetary contracts in phases I and II of a three-phase program.  Once the technical merit and feasibility of Denim Group’s initial Hybrid Analysis Mapping research is proven, the company may be awarded a Phase II contract of up to a $750,000 to expand its research into capabilities that can be incorporated into both commercial and government security operations.  In fact, companies such as Symantec, Qualcomm, DaVinci and iRobot were started with R&D funding from this program.

About the Department of Homeland Security Science and Technology Directorate (S&T)

The Department of Homeland Security Science and Technology Directorate mission is to strengthen America’s security and resiliency by providing knowledge products and innovative technology solutions for the 22 different federal agencies in the DHS collectively referred to as the Homeland Security Enterprise.  S&T contributes to enhancing the security and resilience of the Nation’s critical information infrastructure and the Internet by (1) driving security improvements to address critical weaknesses, (2) discovering new solutions for emerging cyber security threats, and (3) delivering new, tested technologies to defend against cyber security threats.  R&D activities are focused on the essential characteristics needed to achieve desired end-states of trustworthy cyber systems while also accelerating the transition of new cyber security technologies into commercial products and services.  Please visit us at http://www.dhs.gov/st-directorate-organization.

Contact us to talk about ways this research and ThreadFix can help you get the most out of the scanning tools you’re using in your organization.


dan _at_ denimgroup.com


About Dan Cornell

A globally recognized application security expert and the creator of ThreadFix, Dan Cornell holds 20 years of experience architecting, developing and securing web-based software systems. As the Chief Technology Officer and a Principal at Denim Group, Ltd, the parent company of ThreadFix, he leads the technology team to help Fortune 500 companies and government organizations integrate security throughout the development process.