Aspect Security SATE Submission Details



0. Background

Aspect Security is participating in the SATE with our static analysis "product." Aspect specializes in application security services and does not sell any actual products. However, we do perform a large amount of static analysis, verifying the security of millions of lines of code every month. Aspect has very deep experience analyzing Java EE applications, and is responsible for securing some of the most critical financial applications in the world.

So we entered our "ASC 2.0 platform," which stands for "Application Security Consultant" and is nothing more than human code reviewers. We hope to find out how the results of a human review differ from those generated by the real tools in the competition.

Aspect has done its absolute best to comply with all the rules of the exposition.




1. Product Description

Here is the tongue-in-cheek description of our "product"...

Aspect's ASC 2.0 Static Analysis Platform

Aspect Security is the leading manufacturer of the most successful static analysis technology known to man. Our Application Security Consultant 2.0 platform is capable of finding vulnerabilities in virtually any language, any platform, and any application framework. The product integrates both dynamic and static analysis techniques to provide more comprehensive analysis far more cost-effectively than any other approach. The false alarm rate from ASC 2.0 is virtually zero. Our platform not only identifies the most critical vulnerabilities in your application, but applies Business Intelligence to characterize the actual risk to your enterprise. ASC 2.0 provides reporting in Word, PDF, Excel, Phone, and F2F (face-to-face) formats. The knowledgebase built into ASC 2.0 is the most comprehensive ever assembled, and has a learn mode to adapt to your enterprise faster and more accurately than any other product. ASC 2.0 has advanced features that allow painless integration with developers, managers, architects, and executives.




2. Environment

The Aspect ASC 2.0 environment includes only a Windows PC, a default installation of Eclipse, and a small team of experienced application security experts.




3. Configuration and Annotations

The ASC 2.0 platform was able to start analyzing the test applications immediately upon receipt and required no configuration. The ASC 2.0 platform does not require that the application compile. The ASC 2.0 platform does not require annotations of any kind.




4. Methodology

Aspect performed a time-limited static code analysis of the three applications, looking for the most serious risks at both the implementation and design levels. Though our analysis generally takes advantage of information from penetration testing, our efforts as part of this exposition were restricted to code review only.

As an organizing principle, ASC 2.0 focuses on each of the major categories of security controls and verifies that the proper controls are 1) present, 2) correctly designed and implemented, and 3) invoked properly throughout the application. Each finding includes this category, a description of the risk, and a brief recommendation. For this exposition, we have kept the findings quite terse given the expert audience. Typically our findings include considerably more detail and links to further information.




5. Findings

An important difference in Aspect's findings is that when we find multiple vulnerabilities with the same root cause, we combine them into a single finding that clearly indicates exactly what the problem is and what needs to be fixed. Therefore, a single XSS finding in our reports may indicate an underlying problem that is responsible for dozens or hundreds of exploitable vulnerabilities.




6. Contact

For more information about Aspect's SATE participation, please contact...

Jeff Williams, CEO
Aspect Security, Inc.
jeff.williams@aspectsecurity.com
410-707-1487 (direct)
301-604-4882 (main)

