We know that the majority of businesses regardless of their size rely heavily on software – the backbone of operations. The Covid-19 environment has brought disruption to all industries forcing businesses to augment their business models and the way they deliver goods and services, with online being the key and the cornerstone to business sustainability.
Whilst online has been the way to shop for many for sometime, this forced change in operations has introduced an increase in security risks and attack surface exposures far beyond what the cybersecurity landscape had seen prior to Covid-19.
Greater risk exposures have increased the need for a more frequent and vigilant approach to security services processes, driving the need for general and software vulnerability analysis to continually scan operating systems for potential security vulnerabilities.
This prototype provides a vulnerability analysis solution that generates unseen attack scenarios to assess the robustness of the software solution.
Software is considered the weakest target to damage individuals, organisations and governments. Software vulnerability analysis focuses on identifying security problems (security bugs) in the software either by checking software code (usually called static analysis) or by checking the software binaries (usually called blackbox testing). Most of the vulnerability analysis tools rely on scripted or hardcoded signatures that specifically frame how to detect these security vulnerabilities.
This prototype addresses multiple challenges to define all possible scenarios that a security vulnerability may cause. This prototype demonstrates that we can replace these hardcoded and manually crafted signatures with machine learning models that learn from examples of vulnerable code detecting security vulnerabilities in new examples that have not been seen previously.
The POC uses deep learning models trained on large datasets of different security vulnerabilities with an initial focus on C/C++ programs with input validation security vulnerabilities. We were able to use generative models combined with genetic algorithms to generate new attack scenarios not seen previously increasing the chances of detecting security problems before malicious users.
The aim of our prototype is to integrate the models into common software development IDEs and delivery pipelines automating the analysis process and identifying security problems as early as possible. This will benefit and assist:
- Software engineers
- Security engineers
in delivering robust yet streamlined secure software.
If you would like more information on this prototype and/or your industry is interested in collaborating contact prototype lead Mohamed Abdelrazek.
Oliveira, C., Aleti, A., Li, Y.F. and Abdelrazek, M., 2019, July. Footprints of fitness functions in search-based software testing. In Proceedings of the Genetic and Evolutionary Computation Conference (pp. 1399-1407).
Abstract: “Testing is technically and economically crucial for ensuring software quality. One of the most challenging testing tasks is to create test suites that will reveal potential defects in software. However, as the size and complexity of software systems increase, the task becomes more labour-intensive and manual test data generation becomes infeasible. To address this issue, researchers have proposed different approaches to automate the process of generating test data using search techniques; an area that is known as Search-Based Software Testing (SBST). SBST methods require a fitness function to guide the search to promising areas of the solution space. Over the years, a plethora of fitness functions have been proposed. Some methods use control information, others focus on goals. Deciding on what fitness function to use is not easy, as it depends on the software system under test. This work investigates the impact of software features on the effectiveness of different fitness functions. We propose the Mapping the Effectiveness of Test Automation (META) Framework which analyses the footprint of different fitness functions and creates a decision tree that enables the selection of the appropriate function based on software features.”