Auto Issue Correlation
AppScan analyzes issues found by IAST, DAST and SAST to identify common weak links in the code, or "correlations", that show where multiple vulnerabilities can be resolved with a single or consolidated remediation effort.

There is no single "silver bullet" that can solve the AST challenge. Each of the core technologies (IAST, DAST, and SAST) has strengths and weaknesses. Auto Issue Correlation allows us to leverage the strengths of each technology, while overcoming its weaknesses with the advantages of the others.
- Enrich DAST issues with IAST/SAST details.
- Prioritize your SAST findings using the accuracy of your IAST/DAST results.
- Validate SAST fixes from the status updates of your IAST/DAST issues.
- Reduce the number of vulnerabilities and remediation tasks by grouping issues together.
Once Auto Issue Correlation is activated, correlation is updated automatically whenever any relevant IAST, DAST or SAST issues are found. Existing groups are automatically updated with the new issues, and new groups are created as necessary. No user action is needed.
How it works
AppScan's Auto Issue Correlation is based on our IAST solution. IAST has access to the application at runtime (like DAST) and is able to see the source code (like SAST). Our automatic correlation algorithm matches IAST issues with DAST and SAST issues. It extracts data from each issue and then uses a variety of heuristics to identify correlations. This brings optimization of the remediation process to a new level. So adding IAST and Auto Issue Correlation to your arsenal can actually reduce the overall number of issues/vulnerabilities to be addressed.
How to use it
Examples
Dashboard

Correlation groups page

Issues in a group

Issue details

We all know that code reuse is a best practice in software development. However, this also means that a single weak link can create multiple security vulnerabilities in an app. The diagram below illustrates how a weak sanitizer could cause multiple SQL Injection vulnerabilities. Since REST API 1 has a different route/source from REST API 2, their vulnerabilities would appear unrelated in scan results.

Correlation aggregates together vulnerabilities that should be remediated as a single task.
Note that in the example below, the correlation group includes issues found by different technologies (IAST and DAST), of different issue types, and with different severities.
Thanks to Auto Issue Correlation, diverse issues, which would not have otherwise been seen as connected, can now be resolved with a single remediation effort.
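
A simplified sketch of the grouping idea described above, added here as an illustration and not AppScan's actual algorithm. The finding fields, the shared-stack-frame heuristic and the sample data are all assumptions constructed for this example. Because an IAST finding carries both a URL and code frames, it links DAST findings (URL only) and SAST findings (code only) into one group around the shared weak sanitizer.

```python
from collections import defaultdict

# Constructed sample findings; field names are hypothetical, not an AppScan schema.
FINDINGS = [
    {"id": "IAST-1", "tool": "IAST", "type": "SQL Injection", "url": "/api/users",
     "frames": ["UserController.get", "Sanitizer.clean", "UserDao.query"]},
    {"id": "IAST-2", "tool": "IAST", "type": "SQL Injection", "url": "/api/orders",
     "frames": ["OrderController.list", "Sanitizer.clean", "OrderDao.query"]},
    {"id": "DAST-1", "tool": "DAST", "type": "SQL Injection", "url": "/api/users"},
    {"id": "DAST-2", "tool": "DAST", "type": "Blind SQL Injection",
     "url": "/api/orders"},
    {"id": "SAST-1", "tool": "SAST", "type": "SQL Injection",
     "frames": ["ReportJob.run", "Sanitizer.clean", "ReportDao.query"]},
    {"id": "DAST-3", "tool": "DAST", "type": "XSS", "url": "/search"},
]

def correlate(findings):
    """Group findings around a code frame shared by two or more of them."""
    # 1. Record which code-aware findings (IAST/SAST) pass through each frame.
    frame_hits = defaultdict(set)
    for f in findings:
        for frame in f.get("frames", []):
            frame_hits[frame].add(f["id"])
    # 2. Assumed heuristic: a frame seen in 2+ findings is a candidate weak link.
    groups = {fr: set(ids) for fr, ids in frame_hits.items() if len(ids) > 1}
    # 3. IAST sees the URL and the code, so map each URL to its weak-link frames.
    url_to_frames = defaultdict(set)
    for f in findings:
        if f["tool"] == "IAST":
            for frame in f["frames"]:
                if frame in groups:
                    url_to_frames[f["url"]].add(frame)
    # 4. Attach DAST findings (which have no code view) through the matching URL.
    for f in findings:
        if f["tool"] == "DAST":
            for frame in url_to_frames.get(f["url"], ()):
                groups[frame].add(f["id"])
    return {frame: sorted(ids) for frame, ids in groups.items()}

if __name__ == "__main__":
    for frame, ids in correlate(FINDINGS).items():
        print(f"fix {frame}: resolves {', '.join(ids)}")
```

The unrelated XSS finding on `/search` stays outside the group, since no IAST finding ties its URL to the shared frame.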
