Details

Our current primary industry standard for detecting security issues in a software application is the use of either a DAST or SAST security tool, which is then typically intertwined into the development pipeline. The hope is that, as software changes, this data point helps us prevent some classes of vulnerabilities. The higher the risk associated with this data point, the more likely we are to intervene. As practitioners we accept that this singular data point has wildly varying levels of accuracy, and we also accept that it will only find a subset of the vulnerability classes. Furthermore, we often rely upon this inaccurate signal and acknowledge that anything else is going to be caught by an attacker, a researcher, or our own appsec team. Ideally, not in that order.

Some organizations have beefed up their approach and have begun using a second data point, which is typically a dependency-style scan tool. The bleeding-edge appsec teams have also begun incorporating Docker image CVE results as well as their own custom rules for their scanner tool. The fact remains, though, that these data points are not enough and that we have so much more available to us that can help us truly assess the risk that software changes introduce into our applications.

During an almost six-year tenure at GitHub, it became crystal clear not just how much data is available to defenders, but also just how little of it is actually used to prevent vulnerabilities from being introduced on a daily basis and, finally, what those reliable signals are. If we know that scan tools have such huge limitations, why is it the primary and sometimes only data point we rely on?

Enter Contextual Security Analysis (CSA), which utilizes a S.L.I.D.E. methodology and incorporates many data points to contextualize code changes and ultimately detect risk. CSA synthesizes many markers and bits of information to produce contextually relevant risk scores.

Join us to learn how you can leverage CSA in your organization!

Related topics

Events in Reston, VA
OWASP
Software Security
Web Security
Java
ASP.NET