Mixeway Vuln Auditor uses the context of a given application (where it runs, who uses it, etc.) to properly grade a detected security vulnerability (mark it as important to fix, or as not relevant). Such information can improve the decision-making process inside CICD.


Security Quality Gateway for CICD

Continuous Integration is present in almost every IT project nowadays. It is really easy to implement using e.g. GitHub Actions, GitLab CI, Travis CI, CircleCI, or any other available tool.

CICD process including security checkups

On the other hand, implementing a fully automated Continuous Deployment process is not as straightforward as CI. To do so, the test suite for a particular code change has to be run as completely as possible, which means each type of test should pass (unit tests, UI tests, regression tests, E2E tests, and so on), including security tests (https://mixeway.io/category/securecodedevelopment/). You wouldn't deploy a change if the application didn't work properly, would you? Applications with known security vulnerabilities shouldn't be deployed either.

But how do you measure and decide whether a change is secure enough to be deployed? It can be done in a number of ways. Many organizations rely on the severity reported by security vulnerability scanners and define a threshold for the number of high or critical vulnerabilities detected in a particular version of the software. This approach is easy to introduce, but it also has its disadvantages. The easiest example is a vulnerability reported by almost every vulnerability scanner, "Untrusted SSL Certificate": detected in an application dedicated to the organization's customers it should be treated with more care than the same vulnerability detected in an internal system (available only to the organization's employees). Such a distinction cannot be made with a severity-based security gateway.
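As an added illustration (not code from the Mixeway project), the following Python sketch puts a severity-threshold gate next to a context-aware one for the "Untrusted SSL Certificate" case from the text. The severity ranks, the AppContext fields and the adjustment rules are assumptions made for this example.

```python
from dataclasses import dataclass
from typing import List, Tuple

# Constructed example data and an illustrative grading scheme; this is not
# Mixeway's own code, and the adjustment rules below are assumptions.

SEVERITY_RANK = {"LOW": 1, "MEDIUM": 2, "HIGH": 3, "CRITICAL": 4}


@dataclass(frozen=True)
class Finding:
    name: str       # vulnerability name as reported by the scanner
    severity: str   # scanner severity: LOW, MEDIUM, HIGH or CRITICAL


@dataclass(frozen=True)
class AppContext:
    exposure: str   # "internet" or "internal" (where the application runs)
    audience: str   # "customers" or "employees" (who uses it)


def severity_gate(findings: List[Finding], max_high_or_critical: int = 0) -> bool:
    """Severity-based gate: pass only while the number of HIGH/CRITICAL
    findings stays within the configured threshold. Context is ignored."""
    count = sum(1 for f in findings
                if SEVERITY_RANK[f.severity] >= SEVERITY_RANK["HIGH"])
    return count <= max_high_or_critical


# Findings whose real impact depends on who can reach the application (assumed list).
CONTEXT_SENSITIVE = {"Untrusted SSL Certificate", "Weak TLS cipher"}


def grade(finding: Finding, ctx: AppContext) -> Tuple[str, str]:
    """Context-aware grade: returns ("relevant" | "not_relevant", reason).
    The scanner severity is the starting point and is shifted by context."""
    rank = SEVERITY_RANK[finding.severity]
    reason = f"scanner severity {finding.severity}"
    if finding.name in CONTEXT_SENSITIVE:
        if ctx.exposure == "internet" and ctx.audience == "customers":
            rank = min(rank + 1, SEVERITY_RANK["CRITICAL"])
            reason += ", raised: customer-facing on the internet"
        elif ctx.exposure == "internal" and ctx.audience == "employees":
            rank = max(rank - 1, SEVERITY_RANK["LOW"])
            reason += ", lowered: internal, employees only"
    verdict = "relevant" if rank >= SEVERITY_RANK["HIGH"] else "not_relevant"
    return verdict, reason


def context_gate(findings: List[Finding], ctx: AppContext) -> bool:
    """Context-aware gate: block the deployment if any finding is graded relevant."""
    return not any(grade(f, ctx)[0] == "relevant" for f in findings)


if __name__ == "__main__":
    # Constructed scan result: the same MEDIUM "Untrusted SSL Certificate" finding
    # reported for a customer portal and for an internal HR tool.
    findings = [Finding("Untrusted SSL Certificate", "MEDIUM")]
    contexts = (("customer portal", AppContext("internet", "customers")),
                ("internal tool", AppContext("internal", "employees")))
    for label, ctx in contexts:
        print(label, "| severity gate passes:", severity_gate(findings),
              "| context gate passes:", context_gate(findings, ctx),
              "|", grade(findings[0], ctx)[1])
```

With the same scan result, the severity-only gate lets both deployments through (a MEDIUM finding never reaches the HIGH threshold), while the context-aware gate blocks the customer portal and passes the internal tool, and reports why. Keeping the reason string next to the verdict is what makes such a gate auditable later.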


Software Vulnerability Classification

After a few months of analysis and data gathering, we are releasing Mixeway Vuln Auditor, an implementation of a Neural Network. The application uses the context of a given application (where it runs, who uses it, etc.) to properly grade a detected vulnerability (mark it as important to fix, or as not relevant). Software vulnerabilities detected by automated tools (such as vulnerability scanners) and analyzed this way can be used to precisely define the security level of the implemented change.


For more than 12 months we were gathering vulnerabilities from an MNO that actively uses Mixeway for Security Orchestration purposes: almost 60000 software vulnerabilities from SAST, DAST, OpenSource, and Network vulnerability scanners. Each detected vulnerability was analyzed by an IT Security Professional and marked as CRV (Confirmed, Relevant Vulnerability) or DNRV (Detected but Not Relevant Vulnerability). The preprocessed and prepared data set was used to train the Neural Network.

Software Vulnerability distribution per scanner type and analysis
Process of Neural Network training and validation

The classifier implemented in MixewayVulnAuditor (an RNN with LSTM memory) obtains impressive results of approximately 98% precision and accuracy.

Recall and Precision metrics of introduced classifier (for multiple types of Neural Network)
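To make the evaluation concrete, here is an added Python example (not Mixeway's code, model or data set) that scores two simple predictors against constructed analyst labels in the CRV/DNRV form described above, using the precision, recall and accuracy definitions the metrics refer to. The records and the two rule-based predictors are assumptions standing in for the real data and the neural network.

```python
from typing import Callable, Dict, List, NamedTuple

# Constructed, hand-labelled records in the shape the text describes (scanner
# type, finding, scanner severity, where the application runs, analyst verdict).
# Illustrative evaluation code only; not Mixeway's model or data set.


class Record(NamedTuple):
    scanner: str     # SAST, DAST, OpenSource or Network
    name: str
    severity: str    # LOW, MEDIUM, HIGH or CRITICAL
    exposure: str    # "internet" or "internal"
    verdict: str     # analyst label: CRV or DNRV


LABELED: List[Record] = [
    Record("DAST", "Untrusted SSL Certificate", "MEDIUM", "internet", "CRV"),
    Record("DAST", "Untrusted SSL Certificate", "MEDIUM", "internal", "DNRV"),
    Record("SAST", "SQL Injection", "HIGH", "internet", "CRV"),
    Record("SAST", "SQL Injection", "HIGH", "internal", "CRV"),
    Record("OpenSource", "Vulnerable dependency", "HIGH", "internal", "DNRV"),
    Record("Network", "Missing security header", "LOW", "internet", "DNRV"),
    Record("DAST", "Cross-Site Scripting", "HIGH", "internet", "CRV"),
    Record("Network", "Weak TLS cipher", "MEDIUM", "internet", "CRV"),
    Record("Network", "Weak TLS cipher", "MEDIUM", "internal", "DNRV"),
    Record("SAST", "Hardcoded credential", "CRITICAL", "internal", "CRV"),
]

Predictor = Callable[[Record], str]


def severity_only(r: Record) -> str:
    """Baseline: treat HIGH/CRITICAL as relevant and everything else as noise."""
    return "CRV" if r.severity in ("HIGH", "CRITICAL") else "DNRV"


def context_rule(r: Record) -> str:
    """Stand-in for the context-aware classifier (assumed rule, not the NN):
    a MEDIUM finding on an internet-exposed application also counts as relevant."""
    if r.severity in ("HIGH", "CRITICAL"):
        return "CRV"
    if r.severity == "MEDIUM" and r.exposure == "internet":
        return "CRV"
    return "DNRV"


def confusion_matrix(records: List[Record], predict: Predictor) -> Dict[str, int]:
    """Count outcomes with CRV as the positive class."""
    cm = {"tp": 0, "fp": 0, "fn": 0, "tn": 0}
    for r in records:
        predicted, actual = predict(r), r.verdict
        if predicted == "CRV":
            cm["tp" if actual == "CRV" else "fp"] += 1
        else:
            cm["fn" if actual == "CRV" else "tn"] += 1
    return cm


def metrics(cm: Dict[str, int]) -> Dict[str, float]:
    """Precision (share of flagged findings that were really relevant), recall
    (share of relevant findings that were caught) and accuracy (overall agreement
    with the analyst)."""
    tp, fp, fn, tn = cm["tp"], cm["fp"], cm["fn"], cm["tn"]
    total = tp + fp + fn + tn
    return {
        "precision": tp / (tp + fp) if tp + fp else 0.0,
        "recall": tp / (tp + fn) if tp + fn else 0.0,
        "accuracy": (tp + tn) / total if total else 0.0,
    }


def evaluate(records: List[Record], predict: Predictor) -> Dict[str, float]:
    return metrics(confusion_matrix(records, predict))


if __name__ == "__main__":
    for name, predictor in (("severity only", severity_only),
                            ("context rule", context_rule)):
        m = evaluate(LABELED, predictor)
        print(f"{name:14s} precision={m['precision']:.2f} "
              f"recall={m['recall']:.2f} accuracy={m['accuracy']:.2f}")
```

On this constructed set the severity-only baseline misses the two MEDIUM findings the analyst confirmed on internet-facing systems (recall 0.67), while the context rule catches them (recall 1.00) and still keeps precision above the baseline. Reporting precision and recall separately, as the figure above does, matters because a CRV/DNRV data set is usually imbalanced and accuracy alone can look good for a predictor that simply flags everything or nothing.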

At this stage, the presented solution should be treated as a Proof of Concept. Vulnerabilities gathered from more sources (different types of applications should be considered, e.g. industries like banking or insurance) would help to avoid overfitting.

The code and Docker image of Vuln Auditor are available at https://github.com/Mixeway/MixewayVulnAuditor and https://hub.docker.com/r/mixeway/vulnauditor

Instructions on how to integrate Vuln Auditor with Mixeway and how to make use of it in real life will be put in the tutorial area of Mixeway.io (https://mixeway.io/category/tutorial/)
