
Commonality and Trends in SAST Results

Presentation

This presentation by Chris Near of Spectare Systems was given virtually at DevSecOps Days Washington D.C. 2021 on December 16, 2021.

Publisher

Software Engineering Institute

Abstract

The scale and complexity of mass-produced software has made manual testing for security-related vulnerabilities effectively impossible. Automated security testing tools are required to rapidly assess the security issues in software. In our study, we ran ten popular SAST tools against 8 large (7.7 MLOC total), mature open source projects. The tools found 685K total defects. Less than 1% of the defects were common to two or more tools. To determine commonality, the defect results were normalized based on the consistent and accurate application of MITRE defect definitions. It was found that 61% of defect rules were either mis-characterized or mis-aligned. Using mathematical analysis of the code properties that cause false positives in defect rules, it was also found that 61% of Java and JavaScript defects had high validity confidence, whereas only 21% of C/C++ findings were high confidence. Detailed analysis of attack patterns showed that only 5.5% of the found defects were easy to exploit. By using a novel probabilistic approach to determine severity of consequence, it was discovered that only 6.5% of the defects were highly severe.
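The normalization and commonality step the abstract describes, as an added illustration that is not code from the presentation or from Spectare Systems: each tool's proprietary rule id is mapped to a CWE, rules with no sound CWE mapping are counted as mis-aligned and dropped, and a finding counts as common only when at least two distinct tools report the same CWE in the same file within a small line tolerance. Tool names, rule ids, file paths and the rule-to-CWE table are all constructed.

```python
from collections import defaultdict

# Constructed sample findings (tool, tool_rule, file, line); every value is hypothetical.
FINDINGS = [
    ("toolA", "A-BUF-01", "src/net.c", 120),
    ("toolB", "B_OVERFLOW", "src/net.c", 121),   # same defect, reported one line off
    ("toolC", "c.bufover", "src/net.c", 120),
    ("toolA", "A-NULL-02", "src/parse.c", 45),
    ("toolB", "B_NULLDEREF", "src/parse.c", 47),  # same root cause, two lines apart
    ("toolC", "c.sqli", "src/db.c", 10),
    ("toolA", "A-STYLE-09", "src/util.c", 3),     # no CWE mapping: treated as mis-aligned
    ("toolB", "B_OVERFLOW", "src/io.c", 300),     # reported by a single tool only
]

# Hypothetical rule-to-CWE table. Rules whose definition does not match a CWE are
# deliberately absent, which is how mis-characterized rules are excluded.
RULE_TO_CWE = {
    "A-BUF-01": "CWE-120", "B_OVERFLOW": "CWE-120", "c.bufover": "CWE-120",
    "A-NULL-02": "CWE-476", "B_NULLDEREF": "CWE-476",
    "c.sqli": "CWE-89",
}

def normalize(findings, mapping=RULE_TO_CWE):
    """Rewrite findings as (tool, cwe, file, line); also return how many rules had no mapping."""
    normalized, unmapped = [], 0
    for tool, rule, path, line in findings:
        cwe = mapping.get(rule)
        if cwe is None:
            unmapped += 1
            continue
        normalized.append((tool, cwe, path, line))
    return normalized, unmapped

def commonality(normalized, line_tolerance=2):
    """Group findings with the same CWE and file whose lines lie within line_tolerance of
    the previous one; a finding is 'common' when its group holds two or more distinct tools.
    Returns (total_findings, common_findings, fraction_common)."""
    buckets = defaultdict(list)
    for tool, cwe, path, line in normalized:
        buckets[(cwe, path)].append((line, tool))
    total = common = 0
    for items in buckets.values():
        items.sort()
        group, last_line = [], None
        for line, tool in items + [(None, None)]:   # sentinel flushes the final group
            if group and (line is None or line - last_line > line_tolerance):
                total += len(group)
                common += len(group) if len(set(group)) >= 2 else 0
                group = []
            if line is not None:
                group.append(tool)
                last_line = line
    return total, common, (common / total if total else 0.0)
```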

Dr. Chris Near has pursued research and development in the mathematical analysis of software for over three decades. He is the inventor of the set of capabilities that are the foundation of CyberSagacity Ltd. He is also the inventor, architect, and designer of SATriage, the company's flagship vulnerability management tool. He was recently granted a patent describing the means to expand the defect identification capability of all current SASTs, increasing their capabilities by 200-300%.

In his role as Chief Technical Officer, Chris converts research discoveries into new business models for new classes of marketable products by leveraging disruptive technologies. He is responsible for both technical innovation and business vision for the company, including near- and long-term strategies. Through various collaborations, Chris has built a team and network within the academic, business, and government communities that helps to shape and refine the vision for SATriage and next-generation software assurance capabilities.

Prior to Spectare Systems, Chris was a telecommunications consultant in charge of end-to-end network build and test for over 250 Fortune 500 companies and 49 international telecom carriers. He started his career as Distinguished Member of Technical Staff at AT&T Bell Laboratories.

Dr. Near holds a PhD in Electrical Engineering from Cornell University.

Watch the video on YouTube.