
A Software Security Platform with Good Roots

I’d like to take you back for a moment to the mid-70’s, a time when Washington was recovering from Watergate, while the rest of us were discovering something new called computing. During this period, we all caught our first glimpse of the Internet, Ethernet, PCs, operating systems, software applications, and on and on. It was an exhilarating time in the computer sciences, and you could sense that something big was being crafted.

Amidst this innovation stood the iconic Computer Science Department at Cornell. With luminaries like Gries, Hopcroft, Conway, Constable, and more – that group served at the forefront of many amazing contributions, especially in software. I was fortunate to see this first-hand, with my Dad spending a sabbatical year in Ithaca studying programming languages. (My grade school diploma reads Cayuga Heights.)

Just around that time, a young Cornell faculty member named Tim Teitelbaum started work in the area of integrated development environments (IDEs). With Thomas Reps, Teitelbaum produced what became known as the Cornell Program Synthesizer. Soon, the tool was being used across the university for instruction in programming – which then involved PL/I on a Terak microcomputer. Nearly a hundred other schools soon followed suit.

This early work helping students develop better software prompted Teitelbaum to create a start-up in the late 80’s called GrammaTech. The company has since focused on high-quality tools to assist software developers in the creation of correct, secure code. It is this focus on software security that prompted a technical discussion last week between TAG Cyber and the GrammaTech team. Below is what I learned:

“For over thirty years, we’ve used compositional analysis and static application testing to improve the security and quality of software,” said Andrew Meyer, Chief Marketing Officer for the firm. “Our platform helps customers improve software they might be developing internally or obtaining externally.” Meyer explained that the GrammaTech commercial offering includes the following component products:

CodeSonar – This GrammaTech tool supports static application security testing (SAST) through deep symbolic execution that follows the computation paths of an application. CodeSonar builds an abstract model of the code to support reasoning about which execution paths are feasible and what values variables can take along them. Practical heuristics are employed to deal with the inevitable combinatorial explosion of possible paths to analyze; the practitioner's corollary is that some paths are pruned rather than examined, so a clean report narrows the search for defects but does not prove their absence.

“CodeSonar supports software development teams through integration with tools such as Jenkins, GitLab, Docker, Jira, and GitHub,” explained Meyer. “Our tool highlights common programming errors such as data races, deadlock, thread starvation, buffer overflow, data leaks, null pointer dereferences, divide by zero, unreachable code, misuse of memory, and runtime errors. These are the types of vulnerabilities hackers exploit.”
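To make concrete what "following the computation paths" buys over a flat pattern scan, here is an added example (not GrammaTech code, and not taken from the article) in the kind of C that CodeSonar targets. The record layout, the PAYLOAD_MAX bound and the function names are constructed for the illustration. The vulnerable parser does contain a bounds check, but only on one of two paths; the overflow lives on the other. The hardened version hoists the check so it dominates every path to the copy.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Added example, not GrammaTech code. A length-prefixed record parser of the
 * kind a path-following SAST engine is built to reason about. The record
 * layout is constructed for this illustration:
 *   byte 0       flags (bit 0 set = payload is compressed)
 *   byte 1       payload length
 *   bytes 2..    payload
 */
#define PAYLOAD_MAX 16
#define FLAG_COMPRESSED 0x01u

/* VULNERABLE: a bounds check exists, but only on the uncompressed path.
 * A path-insensitive scan sees "len is compared against PAYLOAD_MAX" and may
 * stay quiet; a path-following analysis enumerates the compressed path, on
 * which len reaches memcpy unchecked, and reports the overflow. Never call
 * this with a compressed record whose length byte exceeds PAYLOAD_MAX. */
int parse_record_vulnerable(const uint8_t *rec, size_t rec_len, uint8_t out[PAYLOAD_MAX])
{
    if (rec_len < 2)
        return -1;
    uint8_t flags = rec[0];
    size_t len = rec[1];
    if (!(flags & FLAG_COMPRESSED)) {
        if (len > PAYLOAD_MAX)          /* check guards only this path */
            return -1;
    }
    if (rec_len - 2 < len)              /* the record itself is long enough... */
        return -1;
    memcpy(out, rec + 2, len);          /* ...but out is not, when compressed && len > 16 */
    return (int)len;
}

/* HARDENED: the same check hoisted so it dominates every path to memcpy. */
int parse_record_hardened(const uint8_t *rec, size_t rec_len, uint8_t out[PAYLOAD_MAX])
{
    if (rec_len < 2)
        return -1;
    size_t len = rec[1];
    if (len > PAYLOAD_MAX)
        return -1;
    if (rec_len - 2 < len)
        return -1;
    memcpy(out, rec + 2, len);
    return (int)len;
}

/* Constructed sample record: uncompressed, 4-byte payload "data". */
static const uint8_t REC_VALID[] = { 0x00, 0x04, 'd', 'a', 't', 'a' };

/* Builds a compressed record whose length byte (32) exceeds PAYLOAD_MAX. The
 * record is internally consistent, so only the destination bound can catch it. */
static void build_oversize_record(uint8_t rec[34])
{
    rec[0] = FLAG_COMPRESSED;
    rec[1] = 32;
    memset(rec + 2, 'A', 32);
}

/* Drivers whose return values a test can assert on. */
int hardened_on_valid(void)
{
    uint8_t out[PAYLOAD_MAX];
    int n = parse_record_hardened(REC_VALID, sizeof REC_VALID, out);
    return (n == 4 && memcmp(out, "data", 4) == 0) ? n : -2;
}

int vulnerable_on_valid(void)
{
    uint8_t out[PAYLOAD_MAX];
    int n = parse_record_vulnerable(REC_VALID, sizeof REC_VALID, out);
    return (n == 4 && memcmp(out, "data", 4) == 0) ? n : -2;
}

int hardened_on_oversize(void)
{
    uint8_t rec[34], out[PAYLOAD_MAX];
    build_oversize_record(rec);
    return parse_record_hardened(rec, sizeof rec, out);   /* rejected before memcpy */
}

int main(void)
{
    printf("hardened/valid: %d  vulnerable/valid: %d  hardened/oversize: %d\n",
           hardened_on_valid(), vulnerable_on_valid(), hardened_on_oversize());
    return 0;
}
```

Both parsers agree on well-formed input, which is exactly why this class of bug survives testing: the defect is only reachable on the path that the fuzzer, the unit test, or the flow-insensitive scanner never took. The oversize record is deliberately never fed to the vulnerable parser here, since doing so is undefined behaviour.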

CodeSentry – This GrammaTech tool supports binary software composition analysis (SCA), which involves processing binary code without the need for the corresponding source code. The technique is especially useful for third-party software, which includes open source code, commercial off-the-shelf products, and directly contracted new systems, none of which typically ship with source. In each case, the analysis identifies the components present in the binary and the known vulnerabilities published against them; whether a given finding is actually reachable and exploitable in the deployed product is a separate judgement the tool informs but does not make.

“The capabilities our customers most frequently demand involve detecting vulnerabilities from binaries, as well as creation of a so-called software bill of materials (SBOM) to help define the legacy for open source, second-party, and third-party software,” Meyer said. “We also see requests for transitive closure of any discovered dependencies in the code, and deep semantic matching as part of the software analysis.”
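The "transitive closure of discovered dependencies" that Meyer mentions is the step that turns a flat list of components recovered from a binary into an SBOM a security team can act on: a vulnerable library three links deep is still your exposure. The following is an added example, not GrammaTech code and not from the article, in C to match the native code these tools target. The component names and the edges between them are hypothetical, constructed to include one dependency cycle (libparse and libutil each depend on the other), which a naive recursive walk would loop on forever.

```c
#include <stdio.h>

/* Added example, not GrammaTech code: the "transitive closure of discovered
 * dependencies" step of SBOM construction, over a constructed component graph.
 * Component names and edges below are hypothetical. */
#define NCOMP 6

enum { APP, LIBNET, LIBTLS, LIBZ, LIBPARSE, LIBUTIL };

static const char *COMP_NAME[NCOMP] = {
    "app", "libnet", "libtls", "libz", "libparse", "libutil"
};

/* Direct dependencies, as a binary SCA scan might recover them from imports
 * or embedded version strings. DEPS[a][b] == 1 means "a depends on b".
 * libparse <-> libutil is a deliberate cycle; the walk must still terminate. */
static const unsigned char DEPS[NCOMP][NCOMP] = {
    /*             app net tls  z  parse util */
    /* app    */ {  0,  1,  0,  0,  1,    0 },
    /* net    */ {  0,  0,  1,  0,  0,    0 },
    /* tls    */ {  0,  0,  0,  1,  0,    0 },
    /* z      */ {  0,  0,  0,  0,  0,    0 },
    /* parse  */ {  0,  0,  0,  1,  0,    1 },
    /* util   */ {  0,  0,  0,  0,  1,    0 },
};

/* Breadth-first walk from root. On return depth[i] is the shortest dependency
 * distance from root to i (0 for root itself, -1 if unreachable). Returns the
 * number of reachable components excluding root: the size of root's
 * transitive dependency set. The visited test on depth[] breaks cycles. */
int transitive_deps(int root, int depth[NCOMP])
{
    int queue[NCOMP], head = 0, tail = 0, count = 0;
    for (int i = 0; i < NCOMP; i++)
        depth[i] = -1;
    depth[root] = 0;
    queue[tail++] = root;
    while (head < tail) {
        int cur = queue[head++];
        for (int next = 0; next < NCOMP; next++) {
            if (DEPS[cur][next] && depth[next] == -1) {
                depth[next] = depth[cur] + 1;
                queue[tail++] = next;       /* each node enqueued at most once */
                count++;
            }
        }
    }
    return count;
}

/* Convenience wrapper: how many components does root pull in, directly or not? */
int transitive_dep_count(int root)
{
    int depth[NCOMP];
    return transitive_deps(root, depth);
}

/* Dependency distance from root to target: 1 = direct, >1 = transitive only,
 * 0 = same component, -1 = root does not depend on target at all. */
int dep_distance(int root, int target)
{
    int depth[NCOMP];
    transitive_deps(root, depth);
    return depth[target];
}

/* Print the flattened component list for root, the core of an SBOM entry. */
void print_sbom(int root)
{
    int depth[NCOMP];
    int n = transitive_deps(root, depth);
    printf("%s: %d transitive dependencies\n", COMP_NAME[root], n);
    for (int i = 0; i < NCOMP; i++)
        if (depth[i] > 0)
            printf("  %-8s depth %d (%s)\n", COMP_NAME[i], depth[i],
                   depth[i] == 1 ? "direct" : "transitive");
}

int main(void)
{
    print_sbom(APP);
    return 0;
}
```

For the constructed graph, app lists two direct dependencies but carries five in its closure; libz never appears in app's own import table yet sits at distance 2 along two independent paths, which is the situation an SBOM exists to surface. A real SCA pipeline would attach versions and hashes to each node and join the closure against a vulnerability feed; the closure computation itself is the same.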

From a TAG Cyber analyst perspective, this suite of tools looks absolutely first-rate. It includes modern DevOps-consistent features with an unequaled foundational base derived from world-class research. (It is worth noting that GrammaTech includes a research team supporting government programs.) The development of an SBOM, in particular, is an especially valuable contribution to enterprise security and software development teams.

Obviously, there will be challenges as GrammaTech continues to expand its commercial reach. Many new buyers might not, for example, recognize the deep foundational roots of the tool, and could easily mistake this fine offering for inferior ones based on weaker analysis methods. The traffic jam of application security products will also make it tough for GrammaTech to distinguish itself. I hope they find a way – because this is truly a fine suite.

Analysts must remain unbiased, but I must admit to being particularly thrilled to see Teitelbaum’s original ideas from Cornell driving a modern DevOps security solution. While listening to Meyer speak, my mind kept going back to thoughts of my youth, wandering Upson Hall and tagging along on trips with my Dad to the homes of John Hopcroft, David Gries, and others. It was like going to visit the homes of Einstein, Heisenberg, and Curie.

I hope you’ll contact GrammaTech. Let me know what you think.