Hackfest 2023 - Back to the Future

How a Global Retail Hack Breathed Life Into Static Security Analysis
2023-10-13, 14:30–14:50, Workshops & Speed

Static Application Security Testing (SAST) enables organizations to detect vulnerabilities in code early; however, interviews with application security analysts indicate that SAST reports are often dense and include little to no visual aids.

Over the Winter and Spring of 2023, my research partner and I invented the Abstract Syntax Tree Reader and Analyzer (ASTRA) which responds to this need of a value-adding and intuitive visual aid for more rapid and thorough consumption of SAST insights. ASTRA is a collection of Python scripts that transforms certain parts of SAST documentation a Universal Graph Format which can be imported into many graphical visualization tools.

The key insight from our research is that vulnerability stack traces, which are spread sparsely in the report and often overlooked by security analysts, can be collected and graphed to provide new vulnerability information. Once graphed, principles of graph theory can be applied to make calculations. These include calculating the substructure entropy to discover surprising occurrences and calculating the modularity for the number of vulnerability communities in code repositories. Further, calculating the eigenvector centrality allows us to see the extent to which each individual vulnerability contributes to the overall vulnerability graph of the application.

As a result, the files contributing most to the vulnerability profile of the application will be identified. Sections of the applications that are most vulnerable will also be able to be identified. Our transformed ASTRA data has been successfully uploaded into standard 2D and 3D graphing engines, as well as Virtual Reality (VR) simulations so analysts are able to explore SAST results more intuitively, bringing more humanity and rigorous calculation into cyber analysis.

[Presentation Flow]

1...Introductions and Presentation Title - 1 min.

2...Laying Out the Problem Statement - 3 min.

3...Tool Demo - 2 min.

4...Capabilties and Use of Graph Theory - 5 min.

5...Virtual Reality Plug-In - 2 min.

6...Feasibility Study - 3 min.

7...Graph Theory - 2 min.

8...Conclusion, Invite Audience Members to Use Oculus Headset and Visualize (if permitted by Hackfest) - 2+ min.

[Introductions and Presentation Title]
My co-speaker and I will introduce ourselves.

[Laying Out the Problem Statement]
We draw the crowd in by telling the story of a security incident we were involved in for a retail company. We will describe the hunt for the elusive root cause during which we combed through application scanning reports that were generated in the last code review. We pulled it up, hoping it would provide the answers we needed. But we scrolled through the 1000+ page report, it became clear that it would take too long to manually analyze the data.

Determined to find a solution, we began exploring different ways to analyze the application report data. We tried sorting it by severity, looking for patterns and trends, and manually creating visualizations, but nothing seemed to provide the insight we needed. That’s when we stumbled on this research idea that promised to revolutionize one part of the way we solve cyber incidents.

In consequence, we developed ASTRA – Abstract Syntax Tree Reader and Analyzer. By leveraging graph theory and advanced data visualization techniques, the solution could transform the complex application data into easy-to-understand visualizations that would highlight the most critical vulnerabilities.

ASTRA builds an explorable world from endless reports of security documentation. When we run these reports through ASTRA code, the data is re-shaped into a graph. We turn the application’s files into the graph nodes while the lines in the graph (called graph edges) represent a connection between two files.

[Tool Demo]
We will play the GraphViz graphical representation and interact with it live in front of the Hackfest audience. The result of ASTRA is this visual representation of the application geometry. I can see the files come alive. I can interact with the most vulnerable files and see how they’re connected. The thicker the graph edge, the higher the number of vulnerabilities are being exchanged between the two files.

Instead of being tailored to answer a specific question, the beauty of the graph visualization is that it’s just the platform on which anyone can bring their domain expertise, their lens, and their hypotheses. Being set free to explore the application and bringing in more humanity to cyber analysis.

[Capabilities and Use of Graph Theory]
Our users can filter by how much certain files contribute to and bring down the security health of the application. We can automatically draw lines around the number of clusters or communities for the graphs and use anomaly detection to find surprising or unusual occurrences. The takeaway is that seeing and feeling the application geometry unlocks key security information.

During the live demo at Hackfest, we will run ASTRA on the architecture of the problematic application mentioned at the beginning of the presentation. The client was notified of faulty encryption. Now, instead of looking for it in a 1000-page report, we have the luxury of hovering our cursor over the encryption file. And seeing which files it’s connected to. Here, we see that the culprits jump out at us.

Our use cases expand beyond conducting a root cause analysis. ASTRA is an accelerator to architecture mapping and threat modeling. It engages developers in security awareness programs and enhances the application security tools that many organizations already use.

[Virtual Reality and Demo of Virtual Reality Experience]
What if we push the envelope even further? What if we could take anything you could experience on a screen and stretch it into your entire field of vision. Enter virtual reality where now we interact with the data as if we are a file on this graph, or maybe … you’re even the attacker’s payload.

With VR we can walk around in this world and interact with the once lifeless words in a thousand-page report. In this way we can shine a light on insights that were locked away in piles of information. Turning our attention to our screens, the main source file has many critical vulnerabilities, and we can see all of the other folders that it calls. The value in ASTRA is when it forces us to notice what we never expected to see.

Here, we will be providing our own Oculus headset for audience members to try out.

[Feasibility Study]
If cyber-crime were a country, it would have the third largest GDP in the world, at $6T dollars in 2021 and growing. So it’s not a surprise there’s a sizable market for defensive cyber tools. Application security tools have a market of $6B and this is the market we’re playing within. We see ASTRA as bundled with an existing application security tool.

ASTRA also satisfies the market trending toward automation. From our own study at a large French-Canadian bank, we found automation in threat modeling can reduce cycles by 35%. Adapting data to ASTRA, we can settle on a conservative ROI of 30%, which means 30% less human time spent on threat modeling, that can be channeled toward productive tasks.

To be clear, graph theory has never been applied before to application security vulnerability analysis. We conducted a literature review and market analysis, including interviews with subject matter experts. The use of graph theory for application security is not currently a feature in any tool on the market, nor in any paper, which we think could increase market attractiveness.

Our ASTRA technical fundamentals scale to 6000x. That is, our virtual reality simulation would only slow down at 70,000 connections or 6,000 files. The way forward for us is to make it better by bringing in more features, like color coding files in VR.

ASTRA was designed to help visualize threats, but our software can be applied to graphically visualize other kinds of attacks, like those over a network or hardware attacks like IOT devices.

Our key takeaways are that we can adopt the mindset of genuinely engaging with developers in addition to relying on text-based reports.

Graph Theory has never been applied before in vulnerability analysis and we are looking forward to what benefits ASTRA could bring.

Future of work
As people we have an innate desire to explore and learn on our own. We hope that vision behind ASTRA brings us all one step closer to that future of work.

If permitted by Hackfest, we will encourage enthusiastic audience members to come up and experience the virtual reality SAST visualization using a sanitized Accenture-owned Oculus headset that we will provide.

Are you releasing a tool? – Yes