SAP has released the source code of its Vulnerability Assessment Tool, a software composition analysis (SCA) tool that was tested internally for two years, with 20,000 scans across more than 600 projects.
The Vulnerability Assessment Tool focuses specifically on detecting vulnerable components, the weakness listed as A9 ("Using Components with Known Vulnerabilities") in the OWASP Top 10 2017. The tool scans software packages for direct and transitive dependencies and then compares each dependency against known sources, such as the National Vulnerability Database (NVD) or the CVE list, to determine whether known vulnerabilities or exploits exist for that package. During development, this knowledge tells developers when certain components should be upgraded. During operations, when a new vulnerability is disclosed, the same dependency inventory can be used to locate which applications require action.
SCA became a priority for the software industry after the 2017 breach of Equifax, which was traced to a failure to patch Apache Struts against CVE-2017-5638. In total the breach exposed over 143 million records, with total cost expected to exceed $600 million. In response, the Apache Software Foundation published "Apache Struts Statement on Equifax Security Breach", featuring recommendations that address exactly the problems SAP's Vulnerability Assessment Tool seeks to solve, such as:
- Understand which supporting frameworks and libraries are used in your software products and in which versions. Keep track of security announcements affecting these products and versions.
- Establish a process to quickly roll out a security fix release of your software product once supporting frameworks or libraries need to be updated for security reasons. Best is to think in terms of hours or a few days, not weeks or months. Most breaches we become aware of are caused by failure to update software components that are known to be vulnerable for months or even years.
SAP’s new tool goes beyond listing the components present in a build: it performs a form of static application security testing (SAST) to evaluate whether the vulnerable code of each component is actually used by the application. This is designed to minimize false positives in which a vulnerable component is present on the classpath but the affected code is never executed. An example would be a tool flagging the JRE itself as vulnerable to an applet vulnerability such as CVE-2016-0636 when the JRE is used in a server-side context where applets are never engaged.
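The two ideas above, resolving the transitive dependency tree and matching it against an advisory feed, and then keeping only findings whose vulnerable code is actually reachable from the application, are shown together in the following Python example. It is an illustration added to this article, not code from SAP's Vulnerability Assessment Tool. Every artifact name, version, advisory (the `EXAMPLE-000x` identifiers are placeholders, not real CVEs) and call-graph edge is constructed for the example; a real tool would obtain them from the build system, from NVD/CVE data and from bytecode analysis.

```python
"""Toy software composition analysis (SCA) pass with reachability filtering.

Added example for this article, not code from SAP's Vulnerability Assessment
Tool. Everything below is constructed: the artifact names, resolved versions,
the advisory list standing in for NVD/CVE data, and the call graph. The
advisory identifiers are placeholders, not real CVE numbers.
"""
from collections import deque
from dataclasses import dataclass


def parse_version(version: str) -> tuple:
    """'2.5.12' -> (2, 5, 12), so versions compare numerically, not lexically."""
    return tuple(int(part) for part in version.split("."))


@dataclass(frozen=True)
class Advisory:
    vuln_id: str            # placeholder identifier (constructed)
    artifact: str           # group:artifact that carries the bug
    fixed_in: str           # first version containing the fix
    vulnerable_method: str  # method whose code the fix changed


# Constructed dependency graph: artifact -> its direct dependencies.
DEPENDENCY_GRAPH = {
    "app:webshop": ["com.example:web-framework", "com.example:json-lib"],
    "com.example:web-framework": ["com.example:xml-lib"],
    "com.example:json-lib": [],
    "com.example:xml-lib": ["com.example:reflect-util"],
    "com.example:reflect-util": [],
}

# Constructed versions the build actually resolved for each dependency.
RESOLVED_VERSIONS = {
    "com.example:web-framework": "2.3.1",
    "com.example:json-lib": "1.0.0",
    "com.example:xml-lib": "1.4.0",
    "com.example:reflect-util": "0.9.0",
}

# Constructed advisory feed standing in for the NVD / CVE list.
ADVISORIES = [
    Advisory("EXAMPLE-0001", "com.example:xml-lib", "1.4.2",
             "com.example.xml.Parser.parseUntrusted"),
    Advisory("EXAMPLE-0002", "com.example:reflect-util", "1.0.0",
             "com.example.reflect.Invoker.invokeByName"),
    Advisory("EXAMPLE-0003", "com.example:json-lib", "0.9.5",
             "com.example.json.Reader.read"),   # already fixed before 1.0.0
]

# Constructed call graph (caller -> callees) of the app and its libraries.
CALL_GRAPH = {
    "app.Main.main": ["com.example.web.Router.dispatch"],
    "com.example.web.Router.dispatch": ["com.example.xml.Parser.parseUntrusted",
                                        "com.example.json.Reader.read"],
    "com.example.xml.Parser.parseUntrusted": [],
    "com.example.json.Reader.read": [],
    # Shipped in the build, but nothing in the application ever calls it.
    "com.example.reflect.Invoker.invokeByName": [],
}


def _closure(graph: dict, start: list) -> set:
    """Breadth-first closure over a directed graph; used for both graphs above."""
    seen, queue = set(), deque(start)
    while queue:
        node = queue.popleft()
        if node in seen:
            continue
        seen.add(node)
        queue.extend(graph.get(node, []))
    return seen


def transitive_dependencies(root: str) -> set:
    """All direct and transitive dependencies of the root artifact."""
    return _closure(DEPENDENCY_GRAPH, DEPENDENCY_GRAPH.get(root, []))


def vulnerable_findings(root: str) -> list:
    """Plain SCA: advisories whose artifact is pulled in below the fixed version."""
    deps = transitive_dependencies(root)
    return [
        adv for adv in ADVISORIES
        if adv.artifact in deps
        and parse_version(RESOLVED_VERSIONS[adv.artifact]) < parse_version(adv.fixed_in)
    ]


def reachable_findings(root: str, entry_points: list) -> list:
    """Keep a finding only if its vulnerable method is reachable from an entry point."""
    reachable = _closure(CALL_GRAPH, entry_points)
    return [adv for adv in vulnerable_findings(root) if adv.vulnerable_method in reachable]


if __name__ == "__main__":
    for adv in vulnerable_findings("app:webshop"):
        print("present  :", adv.vuln_id, adv.artifact, RESOLVED_VERSIONS[adv.artifact])
    for adv in reachable_findings("app:webshop", ["app.Main.main"]):
        print("reachable:", adv.vuln_id, adv.vulnerable_method)
```

With this data the plain SCA pass reports two findings (the XML parser and the reflection helper), while the reachability filter keeps only the XML parser, because no path from `app.Main.main` ever reaches `Invoker.invokeByName`. Note that the filter is only as good as the call graph: reflection, dynamic class loading and framework callbacks create edges a static call graph may miss, which is exactly why a tool would complement it with runtime instrumentation.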
Static code analysis is performed by many organizations as a security measure to detect code-level vulnerabilities before release. Code reviews are specifically called for in the PCI Secure Software Standard (section 8.4.b) and NIST SP 800-53 (control SA-4), alongside other mechanisms that analyze the code’s artifacts, such as binary analysis. Another option is to continuously monitor application behavior at runtime through Interactive Application Security Testing (IAST).
The project documentation explains several limitations inherent to static analysis for security testing. In particular, it mentions missing support for information that only exists at runtime, such as Java 9 multi-release JAR files. This Java feature lets one JAR carry several class files under the same name, with the JRE selecting the appropriate class, and therefore the behavior, at runtime according to the Java version it is running on. In a static context, the information behind that decision is unavailable, so the analyzer must either follow all candidate classes or default to the primary (base) class location. The SAP tool makes the latter choice and offers IAST-like dynamic instrumentation for Java to compensate for this shortcoming of static analysis by recording which class files are actually used.
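To make the multi-release limitation concrete, the following Python example, added for this article and not taken from the SAP tool, builds a small multi-release JAR in memory and contrasts the entry a static scanner sees by default (the base class) with the entry the JRE would load for a given runtime major version. The class path `com/example/Codec.class`, the `Util` class and the placeholder entry contents (`BASE`, `JAVA9`, `JAVA11`, which stand in for real bytecode) are constructed; the layout rules (`Multi-Release: true` in the manifest, versioned copies under `META-INF/versions/<N>/`, the highest eligible version winning) are those of the Java specification (JEP 238).

```python
"""Resolving a class inside a Java 9 multi-release JAR (JEP 238).

Added example for this article, not code from SAP's Vulnerability Assessment
Tool. It builds a small JAR in memory whose class entries are constructed
placeholder bytes rather than real bytecode, then contrasts what a static
scanner analyzes by default with what the JRE would actually load.
"""
import io
import zipfile

CODEC = "com/example/Codec.class"        # constructed class path
VERSIONS_PREFIX = "META-INF/versions/"   # JEP 238 location of versioned copies


def build_multi_release_jar() -> bytes:
    """Constructed JAR: a base copy of Codec plus copies for Java 9 and Java 11."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as jar:
        jar.writestr("META-INF/MANIFEST.MF",
                     "Manifest-Version: 1.0\r\nMulti-Release: true\r\n\r\n")
        jar.writestr(CODEC, b"BASE")
        jar.writestr(VERSIONS_PREFIX + "9/" + CODEC, b"JAVA9")
        jar.writestr(VERSIONS_PREFIX + "11/" + CODEC, b"JAVA11")
        jar.writestr("com/example/Util.class", b"UTIL")   # no versioned copies
    return buf.getvalue()


def is_multi_release(jar: zipfile.ZipFile) -> bool:
    """The JRE honors META-INF/versions/ only if the manifest says Multi-Release: true."""
    manifest = jar.read("META-INF/MANIFEST.MF").decode("utf-8")
    for line in manifest.splitlines():
        key, _, value = line.partition(":")
        if key.strip().lower() == "multi-release":
            return value.strip().lower() == "true"
    return False


def candidate_entries(jar_bytes: bytes, class_path: str) -> dict:
    """Every copy of the class as {major: entry name}; major 0 is the base entry.

    This is the 'follow all paths' option: a scanner that wants to be sound
    has to analyze each of these, not just the base copy.
    """
    jar = zipfile.ZipFile(io.BytesIO(jar_bytes))
    names = jar.namelist()
    found = {0: class_path} if class_path in names else {}
    if is_multi_release(jar):
        for name in names:
            if not name.startswith(VERSIONS_PREFIX):
                continue
            major, _, path = name[len(VERSIONS_PREFIX):].partition("/")
            if major.isdigit() and path == class_path:
                found[int(major)] = name
    return found


def static_default_entry(jar_bytes: bytes, class_path: str):
    """What a static analyzer that ignores versioned directories would analyze."""
    return candidate_entries(jar_bytes, class_path).get(0)


def runtime_entry(jar_bytes: bytes, class_path: str, runtime_major: int):
    """Entry the JRE loads: the highest versioned copy <= runtime major, else the base."""
    cands = candidate_entries(jar_bytes, class_path)
    eligible = [m for m in cands if 9 <= m <= runtime_major]
    return cands[max(eligible)] if eligible else cands.get(0)


if __name__ == "__main__":
    jar = build_multi_release_jar()
    print("static default :", static_default_entry(jar, CODEC))
    for major in (8, 9, 10, 11, 17):
        print(f"Java {major:<2} loads  :", runtime_entry(jar, CODEC, major))
```

Running it shows the mismatch the documentation warns about: the static default is always `com/example/Codec.class`, while a Java 11 or 17 runtime executes `META-INF/versions/11/com/example/Codec.class`. If a vulnerable construct exists only in one of the versioned copies, a scanner that analyzes just the base entry misses it; conversely, a fix present only in a versioned copy is invisible to it, so the scanner reports a false positive. Runtime instrumentation resolves the ambiguity by observing which entry was actually loaded.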
The SAP Vulnerability Assessment Tool was released on GitHub and is maintained by Henrik Plate, Serena E. Ponta, Antonio Sabetta, Cédric Dangremont, and Alessandro Pezzé.