ShiftLeft, an innovator in automated application security, announced enhancements to its Ocular solution that empower organizations to discover business logic flaws during application development 10 times faster than manual code reviews.
Updates to Ocular include support for four new programming languages, C#, C, C++ and Scala, which improve development efforts with coverage for the top cloud, Internet of Things (IoT) and embedded applications.
The updates also include blazing fast automated security regression testing in CI/CD, which ensures previously fixed business logic flaws are never reintroduced. Ocular can analyze two million lines of code in under eight minutes, which is 40 times faster than typical code analysis tools.
With Ocular, a Fortune 500 customer is able to find vulnerabilities 10 times faster than manual code reviews.
In less than the time it took to typically find one vulnerability, the company quickly found eight zero-day vulnerabilities in its custom code and open source libraries, including an insecure direct object reference, which would allow attackers to manipulate direct object references by merely changing the predictable sequence in order to access other objects without authorization.
The pace and complexity of modern applications has grown beyond human scale. Even the best security reviewers cannot comprehend the logic of tens or hundreds of thousands of lines of code to find flaws.
Yet, to date, the only way for organizations to detect business logic flaws in development is through manual code reviews, which are error prone and take weeks to complete. The result is the majority of releases have little or no checks for business logic flaws and the overwhelming majority go unnoticed in development.
Unlike technical vulnerabilities — such as SQL injection, cross-site scripting and deserialization — business logic flaws often require little or no technical expertise to exploit. For example, in the recent First American Financial Corp. data breach, a control flow reachability business logic flaw was exploited by simply changing values in a URL.
Matias Blanco, manager of application security at Okta, said of Ocular: “Millions of daily users rely on the Okta Identity Cloud to access the technologies they need. For an agile software development team, every minute is valuable, and the time spent on in-depth code audits can be especially challenging.
“ShiftLeft Ocular promises to turn weeks into hours when it comes to code security reviews.”
Ocular is an interactive shell to query ShiftLeft’s Code Property Graph (CPG). The CPG is a graph of graphs that connects the functions of source code together into a fabric of information flows that can be traversed from source to sink.
With Ocular, security researchers, code auditors and developers can iteratively interrogate the validity of business logic flows to identify flaws and demonstrate reachability. Ocular queries can then be automated as security policy checks and regression testing through CI/CD pipelines.
“Business logic flaws are inherently unique to each organization, which makes them incredibly difficult to identify and fix,” said Manish Gupta, CEO of ShiftLeft.
“Through our updates to Ocular, we’re making it easier for developers and application security teams to automatically find flaws in their software not covered by traditional static application testing tools.
“However, we also know fixing vulnerabilities before they make it to production isn’t always possible for every release. Since we know exactly how applications are vulnerable, we can also automatically generate a custom security profile to protect applications in production and buy security and development teams more time to fix their vulnerabilities.”