Correlation

AppScan analyzes issues found by IAST, DAST and SAST to identify common weak links in the code (correlations): places where several reported vulnerabilities share one root cause and can be resolved with a single, consolidated remediation effort.

Each of the core technologies (IAST, DAST, and SAST) has strengths and weaknesses. Correlation lets you leverage the strengths of each technology while compensating for its weaknesses with the advantages of the others.

Correlation enhances your AST capabilities, improves your prioritization process, and reduces remediation time and effort.
  • Enrich DAST issues with IAST and SAST details.
  • Prioritize your SAST findings using the accuracy of your IAST and DAST results.
  • Validate SAST fixes from the status updates of your IAST and DAST issues.
  • Reduce the number of vulnerabilities and remediation tasks by grouping issues together.
Note: Once you have an IAST subscription, correlation is updated automatically whenever any relevant IAST, DAST or SAST issues are found. Existing correlation groups are automatically updated with the new issues, and new groups are created as necessary. No user action is needed.

How it works

Correlation is based on IAST. IAST has access to the application at runtime (like DAST) and is able to see the source code (like SAST), so an IAST issue carries both the HTTP-level evidence a DAST issue reports and the code-location evidence a SAST issue reports. The automatic correlation algorithm matches IAST issues with DAST and SAST issues: it extracts data from each issue and then uses a variety of heuristics to identify correlations. Adding IAST and correlation to your arsenal can therefore reduce the overall number of issues and remediation tasks to be addressed.

Using correlation

To use correlation, you need to have an active IAST session. AppScan on Cloud (ASoC) automatically creates correlation groups and shows them in the Correlation group tab under All Issues. ASoC continually updates existing groups and creates new ones as new issues are added to the application.
Note: Correlation can be applied only to results from DAST and SAST scans that were completed after IAST was added to your application. To apply correlation to scans run earlier, rescan. The issues found on rescan are added to the correlation groups as relevant.

Examples

Dashboard

When correlation is identified, it's indicated on the Issues chart in the dashboard of an application.

Correlation groups page

Click on the Correlation groups link to open the Correlation page for the application, listing the correlation groups it contains.

Issues in a group

Click on a group to see its issues.

Issue details

The Issue pane for a specific issue indicates in its Related section when the issue belongs to a correlation group and/or a fix group.

Leveraging correlation

Code reuse is a best practice in software development, but a single weak link can create multiple security vulnerabilities in an application. The diagram below illustrates how a weak sanitizer shared by two endpoints could cause multiple SQL Injection vulnerabilities. Since REST API 1 has a different route and input source from REST API 2, their vulnerabilities would appear unrelated in scan results, even though both are caused by the same sanitizer.

Correlation aggregates vulnerabilities that should be remediated as a single task.

In this example the correlation group includes issues found by different technologies (IAST and DAST), of different issue types, and with different severities. These diverse issues, which would otherwise not have been seen as connected, can be resolved with a single remediation effort: fixing the shared sanitizer.
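The following is an added, self-contained illustration of the "weak link" scenario described above; it is not code from the page, from AppScan, or from ASoC. Two hypothetical REST handlers (api1_get_user and api2_bulk_get, different routes and different parameters) both funnel input through one home-grown sanitizer, weak_sanitize, which only strips single quotes. Because both handlers use the value in a numeric SQL context, quote-stripping does nothing and each endpoint is separately injectable, so a DAST or SAST scan reports two unrelated SQL Injection findings. The hardened versions replace the sanitizer with one shared validator (parse_ids) and parameterized queries, so a single change closes both findings. The table and rows are constructed sample data in an in-memory SQLite database.

```python
import sqlite3
from typing import List


def make_db() -> sqlite3.Connection:
    """Constructed sample data (assumption: not from the original page)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users (name, role) VALUES (?, ?)",
        [("alice", "admin"), ("bob", "user"), ("carol", "user")],
    )
    return conn


# --- The shared weak link -------------------------------------------------
def weak_sanitize(value: str) -> str:
    """Hypothetical 'sanitizer': strips single quotes and nothing else.
    Harmless-looking, but useless wherever the value lands in a numeric
    context, because no quote is needed to break out of the expression."""
    return value.replace("'", "")


# --- Vulnerable endpoints (two routes, two input sources, one root cause) --
def api1_get_user(conn: sqlite3.Connection, user_id: str) -> List[str]:
    """REST API 1: GET /users/{id}. Injectable via the id path parameter."""
    query = f"SELECT name FROM users WHERE id = {weak_sanitize(user_id)} ORDER BY id"
    return [row[0] for row in conn.execute(query)]


def api2_bulk_get(conn: sqlite3.Connection, ids_csv: str) -> List[str]:
    """REST API 2: GET /users?ids=1,2,3. Injectable via the ids query string."""
    query = f"SELECT name FROM users WHERE id IN ({weak_sanitize(ids_csv)}) ORDER BY id"
    return [row[0] for row in conn.execute(query)]


# --- Single remediation: one validator shared by both endpoints ----------
def parse_ids(raw: str) -> List[int]:
    """Strict allow-list validation: every element must be an integer.
    Raises ValueError on anything else (e.g. '0 OR 1=1'), which is the
    one fix that resolves both correlated findings."""
    parts = [p.strip() for p in raw.split(",")]
    if not parts or any(not p.isdigit() for p in parts):
        raise ValueError(f"invalid id list: {raw!r}")
    return [int(p) for p in parts]


def api1_get_user_fixed(conn: sqlite3.Connection, user_id: str) -> List[str]:
    (uid,) = parse_ids(user_id)          # exactly one integer expected
    rows = conn.execute("SELECT name FROM users WHERE id = ? ORDER BY id", (uid,))
    return [row[0] for row in rows]


def api2_bulk_get_fixed(conn: sqlite3.Connection, ids_csv: str) -> List[str]:
    ids = parse_ids(ids_csv)
    placeholders = ",".join("?" * len(ids))   # bound parameters, not string building
    rows = conn.execute(
        f"SELECT name FROM users WHERE id IN ({placeholders}) ORDER BY id", ids
    )
    return [row[0] for row in rows]


if __name__ == "__main__":
    db = make_db()
    # Two payloads, two routes: both succeed because of the one weak sanitizer.
    print(api1_get_user(db, "0 OR 1=1"))        # all users leak via API 1
    print(api2_bulk_get(db, "0) OR (1=1"))      # all users leak via API 2
    for fn, payload in ((api1_get_user_fixed, "0 OR 1=1"),
                        (api2_bulk_get_fixed, "0) OR (1=1")):
        try:
            fn(db, payload)
        except ValueError as exc:
            print("rejected:", exc)
```

Both injected calls return every row, while the legitimate inputs ("1" and "2,3") behave identically before and after the fix. This is exactly the situation correlation is meant to surface: two findings with different routes, parameters and possibly severities that a scanner lists separately, but that a developer should treat as one remediation task.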