Naeem Budhwani is a cyber defense consultant at Accenture’s Cyber Attack Simulation (CAS) practice. He was previously an associate in PwC Canada’s Cybersecurity & Privacy practice. Across these roles, Naeem has consulted for over a dozen clients, from boutique insurance firms looking to develop IR playbooks to multi-national technology giants undergoing an application security transformation. He is regarded as a Canadian subject matter expert in threat modeling, having been brought in to conduct executive interviews for Crown Corporations and provide large-audience technical application security training to financial institutions.
Naeem has also delivered guest lectures on application security at Seneca College and York University. He holds a bachelor’s in applied mathematics and computer science from the University of Western Ontario.
How a Global Retail Hack Breathed Life Into Static Security Analysis
Static Application Security Testing (SAST) enables organizations to detect vulnerabilities in code early; however, interviews with application security analysts indicate that SAST reports are often dense and include little to no visual aids.
Over the winter and spring of 2023, my research partner and I invented the Abstract Syntax Tree Reader and Analyzer (ASTRA), which answers this need for a value-adding, intuitive visual aid that lets analysts consume SAST insights faster and more thoroughly. ASTRA is a collection of Python scripts that transforms certain parts of SAST reports into a Universal Graph Format that can be imported into many graph visualization tools.
The key insight from our research is that vulnerability stack traces, which are scattered sparsely through the report and often overlooked by security analysts, can be collected and graphed to yield new vulnerability information. Once graphed, graph-theoretic measures can be computed over the result: substructure entropy to surface surprising occurrences, and modularity to count the vulnerability communities in a code repository. Further, eigenvector centrality shows the extent to which each individual vulnerability contributes to the application's overall vulnerability graph.
As a result, the files that contribute most to the application's vulnerability profile can be identified, as can the sections of the application that are most vulnerable. Our transformed ASTRA data has been successfully loaded into standard 2D and 3D graphing engines, as well as Virtual Reality (VR) simulations, so analysts can explore SAST results more intuitively, bringing both more humanity and more rigorous calculation to cyber analysis.
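To make the centrality idea concrete, here is an added example (not ASTRA's own code) that builds a file-level graph from a few constructed SAST stack traces and ranks files by eigenvector centrality via power iteration; the file names, the trace shapes and the choice to link consecutive frames of a trace are all assumptions made for the illustration.

```python
from collections import defaultdict

# Constructed sample findings: each entry is the ordered list of files in one
# finding's stack trace (source first, sink last). File names are hypothetical.
SAMPLE_TRACES = [
    ["web/login.py", "auth/session.py", "db/query.py"],
    ["web/search.py", "db/query.py"],
    ["web/upload.py", "util/path.py", "fs/store.py"],
    ["web/profile.py", "auth/session.py", "db/query.py"],
]


def build_graph(traces):
    """Undirected, weighted adjacency: one edge per consecutive frame pair.

    Files that appear together in many traces end up with heavier edges."""
    adj = defaultdict(lambda: defaultdict(float))
    for trace in traces:
        for src, dst in zip(trace, trace[1:]):
            adj[src][dst] += 1.0
            adj[dst][src] += 1.0
    return adj


def eigenvector_centrality(adj, iters=200, tol=1e-9):
    """Power iteration on (A + I); the identity shift avoids the oscillation
    that plain power iteration shows on bipartite graphs such as call trees.
    Scores are normalised to sum to 1; in a disconnected graph the component
    with the largest spectral radius dominates, which is the desired effect
    when asking which files matter most overall."""
    nodes = sorted(adj)
    score = {n: 1.0 / len(nodes) for n in nodes}
    for _ in range(iters):
        new = {n: score[n] + sum(w * score[m] for m, w in adj[n].items())
               for n in nodes}
        total = sum(new.values())
        new = {n: v / total for n, v in new.items()}
        converged = max(abs(new[n] - score[n]) for n in nodes) < tol
        score = new
        if converged:
            break
    return score


def top_files(traces, k=3):
    """Files contributing most to the vulnerability graph, highest first."""
    cent = eigenvector_centrality(build_graph(traces))
    return sorted(cent, key=cent.get, reverse=True)[:k]


if __name__ == "__main__":
    for path, value in sorted(eigenvector_centrality(
            build_graph(SAMPLE_TRACES)).items(), key=lambda kv: -kv[1]):
        print(f"{value:.3f}  {path}")
```

With this sample, the shared `auth/session.py` and `db/query.py` frames rank highest, while the isolated upload path scores near zero because its component is dominated by the larger one.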