Mixeway Vuln Auditor is using the context of a given application (where it is run, who is using it etc.) to properly put a grade of a detected security vulnerability (mark it as important to fix, or not relevant). Such information could improve the process of decision making inside of CICD.
Security Quality Gateway for CICD
Continuous Integration can be seen present almost in every IT project nowadays. It is really easy to implement using e.g. GitHub actions, Gitlab-CI, TravisCI, CircleCI, or any other tool available.
On the other hand, implementation of the fully-automated Continuous Deployment process is not so straight forward as CI is. To do so, the test suite for particular code change has to be performed as completely as it is possible which means each type of test should pass (Unit testing, UI tests, regression testing, E2E testing, and so on) including security tests (https://mixeway.io/category/securecodedevelopment/). You wouldn’t deploy a change if the application won’t work properly, don’t You? Applications with known security vulnerabilities shouldn’t be deployed as well.
But how to measure and decide if the change is secure enough to be deployed? It can be done in a number of ways. Many organizations are basing on the severity taken from security vulnerability scanners and defines the threshold for the number of high or critical vulnerabilities detected in a particular version of the software. This way is easy to be introduced and but have also its disadvantages. The easiest example to show is vulnerability detected by almost each vulnerability scanner – “Untrusted SSL Certificate” which detected in application dedicated for organization customers should be treated with more care then the same vulnerability detected in the internal system (available only for organization employees). Such a distinction is not possible to be done using severity base security gateway.
Software Vulnerability Classification
After a few months of analysis and gathering of data we are releasing Mixeway Vuln Auditor which is the implementation of Neural Network. This application is using the context of a given application (where it is run, who is using etc.) to properly put a grade of detected vulnerability (mark it as important to fix, or not relevant). Such analyzed Software Vulnerabilities which were detected by automated tools (like vulnerability scanners) can be used to precisely define the security level of the implemented change.
For more than 12 months we were gathering vulnerabilities from MNO who are actively using Mixeway for Security Orchestration purposes. Almost 60000 software vulnerabilities from SAST, DAST, OpenSource, and Network vulnerability scanners. Each detected vulnerability was analyzed by an IT Security Professional and marked as CRV (Confirmed, Relevant Vulnerability) or DNRV (Detected but Not Relevant Vulnerability). Preprocessed and prepared data-set was used to train prepared Neural Network.
Classification which is implemented in MixewayVulnAuditor (RNN with LSTM memory) is obtaining impressive results of approximate 98% precision and accuracy.
At this stage, the presented solution should be treated as Proof of Concept. Vulnerabilities gathered from more sources (different types of applications should be considered – industries like banking or insurance) would be helpful to avoid overfitting.
Code and image of Vuln auditor are available at https://github.com/Mixeway/MixewayVulnAuditor and https://hub.docker.com/r/mixeway/vulnauditor
Instructions how to integrate Vuln Auditor with Mixeway and how to make use of it in a real-life will be put in the tutorial area of Mixeway.io (https://mixeway.io/category/tutorial/)
IT Security Expert, DevSecOps enthusiast, Java developer in spare time, Mixeway lead architect and PhD candidate on Warsaw University of Technology in field of Machine learning techniques in Cybersecurity.
Comments are closed