Open Source Software Security and Management

Do you know which Open Source components exist in your source code?


Security Tool

Canvass for Security is a scalable solution for finding OSS vulnerabilities in both your source code and its software dependencies.

Overview

Large organizations run legacy software systems that depend on many third-party libraries. Tracking those dependencies and identifying newly disclosed vulnerabilities in them is technically challenging and costly. Canvass for Security addresses this by providing a service that scans source code files. The service catalogues legacy and third-party software information, combines it with the corresponding vulnerability information, and then applies three levels of scanning to find the dependencies and the known vulnerabilities that affect them. Because each package can be processed independently, the approach scales out in parallel. Results are explained to the end user so that they can understand what the tool has found.

Our Approach

Canvass for Security shows which parts of a developer's code are vulnerable, so that the developer can quickly patch or replace the affected components. The tool addresses the challenges of dependency tracking, patch application and version mapping. Subscribing to Canvass Labs' services keeps developers informed about the latest vulnerabilities and the software packages and versions they affect. The following subsections describe how we link software versions with their specific vulnerabilities, find the dependencies of a customer's software, and scan that software for matches against known vulnerable components.

How It Works

A. Linking known vulnerabilities with their origins

Vulnerability information in the National Vulnerability Database (NVD) and on security forums often lacks the exact URLs of the affected software products, or any indication of how programmers refer to those products in dependency management systems. Programmers and security officers therefore have to match the names and versions of dependent software against vulnerability records by hand. To build an automatic vulnerability scanning service, we need to collect and combine information from separate, independent sources. Our system uses keyword matching and natural language processing techniques to home in on the right product in each database and to match records across them.

To scale to billions of records, the system stores data in MongoDB and indexes it with Apache Solr. Each software package is processed independently, which makes the workload straightforward to parallelize.

B. Dependency level scanning

Canvass for Security uses the NVD to identify known vulnerabilities in the third-party components your software depends on.
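The two preceding subsections describe the core of dependency-level scanning: map a dependency's name and version onto the product and version range named in a vulnerability record. The following Python example is added here to show that matching concretely; it is not Canvass Labs' code. It assumes NVD-shaped records with CPE 2.3 match strings and the NVD range keys (versionStartIncluding, versionEndExcluding, and so on), a pinned requirements.txt-style manifest, and a purely numeric dotted version scheme. All records, ids, package names and versions below are constructed placeholders, not real vulnerabilities.

```python
import re

# Constructed, NVD-shaped records. The real NVD JSON feeds carry CPE match
# entries with the same range keys; the ids and products here are placeholders.
NVD_RECORDS = [
    {   # affects example_lib in [2.0.0, 2.3.0)
        "id": "EXAMPLE-CVE-1",
        "cpe_match": [
            {"cpe23Uri": "cpe:2.3:a:acme:example_lib:*:*:*:*:*:*:*:*",
             "versionStartIncluding": "2.0.0",
             "versionEndExcluding": "2.3.0"},
        ],
    },
    {   # affects one exact version of other_lib
        "id": "EXAMPLE-CVE-2",
        "cpe_match": [
            {"cpe23Uri": "cpe:2.3:a:acme:other_lib:1.4.2:*:*:*:*:*:*:*"},
        ],
    },
    {   # affects example_lib only before 2.0.0, so 2.1.0 must NOT match
        "id": "EXAMPLE-CVE-3",
        "cpe_match": [
            {"cpe23Uri": "cpe:2.3:a:acme:example_lib:*:*:*:*:*:*:*:*",
             "versionEndExcluding": "2.0.0"},
        ],
    },
]

# Constructed pinned dependency manifest (requirements.txt style).
MANIFEST = """\
example-lib==2.1.0
other-lib==1.4.3
unrelated==0.9
"""


def parse_version(v):
    """Split a dotted version into an int tuple so it compares numerically.
    Simplification: semver pre-release tags, epochs, etc. need more care."""
    parts = []
    for p in v.split("."):
        m = re.match(r"\d+", p)
        parts.append(int(m.group()) if m else 0)
    return tuple(parts)


def normalize(name):
    """Manifest names and CPE product names disagree on case and separators."""
    return re.sub(r"[-_.]", "_", name.strip().lower())


def parse_cpe(uri):
    """Return (vendor, product, version) from a CPE 2.3 formatted string."""
    fields = uri.split(":")
    return fields[3], fields[4], fields[5]


def version_in_range(version, match):
    """Apply a CPE match entry (exact version or NVD range keys) to a version."""
    v = parse_version(version)
    _, _, cpe_version = parse_cpe(match["cpe23Uri"])
    if cpe_version not in ("*", "-"):           # exact-version match string
        return v == parse_version(cpe_version)
    lo_inc = match.get("versionStartIncluding")
    lo_exc = match.get("versionStartExcluding")
    hi_inc = match.get("versionEndIncluding")
    hi_exc = match.get("versionEndExcluding")
    if lo_inc and v < parse_version(lo_inc):
        return False
    if lo_exc and v <= parse_version(lo_exc):
        return False
    if hi_inc and v > parse_version(hi_inc):
        return False
    if hi_exc and v >= parse_version(hi_exc):
        return False
    return True


def parse_manifest(text):
    """Map normalized package name -> pinned version."""
    deps = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        name, _, version = line.partition("==")
        deps[normalize(name)] = version.strip()
    return deps


def scan(manifest_text, records):
    """Return {dependency: [record ids]} for every pinned dependency whose
    version falls inside a record's affected range."""
    deps = parse_manifest(manifest_text)
    findings = {}
    for rec in records:
        for match in rec["cpe_match"]:
            _, product, _ = parse_cpe(match["cpe23Uri"])
            key = normalize(product)
            if key in deps and version_in_range(deps[key], match):
                findings.setdefault(key, []).append(rec["id"])
    return findings


if __name__ == "__main__":
    print(scan(MANIFEST, NVD_RECORDS))  # {'example_lib': ['EXAMPLE-CVE-1']}
```

Two checks a practitioner should keep in mind when doing this for real: a CPE product name is not qualified by ecosystem, so a PyPI package and an npm package with the same name will both match the same record unless the vendor field or the description is used to disambiguate; and an unpinned manifest has to be resolved to concrete versions first, otherwise there is nothing to compare against the range.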

C. File level scanning

Canvass for Security provides a file-level scanning service that detects source code files that were copied from third-party projects.

D. Function level scanning

Canvass for Security uses layers of abstraction to extract software signatures, identifying code that was copied from third-party projects and subsequently modified.
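The file-level and function-level subsections above differ in how much abstraction the signature applies before matching. The Python example below is added to illustrate that difference; it is not Canvass Labs' implementation and does not claim to reproduce its signature scheme. It assumes the file-level signature is a plain hash of the bytes, and that the function-level signature is a hash over a token stream in which identifiers, numbers and strings have been replaced by placeholders (so renaming and relabelling do not break the match), plus a k-gram similarity score for copies that have also had statements added. The three code samples are constructed; each stands in for one extracted function.

```python
import hashlib
import io
import keyword
import tokenize

# Constructed samples: a third-party function, a copy with renamed identifiers,
# changed whitespace and a different message, and a copy with an added check.
ORIGINAL = '''\
def parse_header(buf):
    length = int.from_bytes(buf[:4], "big")
    if length > 65535:
        raise ValueError("bad length")
    return buf[4:4 + length]
'''

TWEAKED = '''\
def read_hdr(data):
    n = int.from_bytes(data[:4], "big")
    if n > 65535:
        raise ValueError("header too long")
    return data[4:4+n]
'''

MODIFIED = '''\
def read_hdr(data):
    if not data:
        return b""
    n = int.from_bytes(data[:4], "big")
    if n > 65535:
        raise ValueError("header too long")
    return data[4:4+n]
'''


def file_signature(src):
    """File level: SHA-256 over the exact text. Any edit at all breaks it."""
    return hashlib.sha256(src.encode()).hexdigest()


def abstract_tokens(src):
    """Function level, first abstraction layer: keep keywords, operators and
    block structure; map identifiers to ID, numbers to NUM, strings to STR;
    drop comments, newlines and whitespace. Uses the stdlib tokenizer, so this
    handles Python source only."""
    out = []
    for tok in tokenize.generate_tokens(io.StringIO(src).readline):
        if tok.type == tokenize.NAME:
            out.append(tok.string if keyword.iskeyword(tok.string) else "ID")
        elif tok.type == tokenize.NUMBER:
            out.append("NUM")
        elif tok.type == tokenize.STRING:
            out.append("STR")
        elif tok.type == tokenize.OP:
            out.append(tok.string)
        elif tok.type == tokenize.INDENT:
            out.append("INDENT")
        elif tok.type == tokenize.DEDENT:
            out.append("DEDENT")
        # NEWLINE, NL, COMMENT and ENDMARKER carry no structure worth keeping
    return out


def function_signature(src):
    """Hash of the abstracted token stream: survives renames, not restructuring."""
    return hashlib.sha256(" ".join(abstract_tokens(src)).encode()).hexdigest()


def kgrams(tokens, k):
    return {tuple(tokens[i:i + k]) for i in range(len(tokens) - k + 1)}


def similarity(src_a, src_b, k=5):
    """Second abstraction layer: Jaccard similarity of abstracted k-grams, which
    still scores a copy highly after lines have been inserted or removed."""
    a, b = kgrams(abstract_tokens(src_a), k), kgrams(abstract_tokens(src_b), k)
    union = a | b
    return len(a & b) / len(union) if union else 0.0


if __name__ == "__main__":
    print(file_signature(ORIGINAL) == file_signature(TWEAKED))          # False
    print(function_signature(ORIGINAL) == function_signature(TWEAKED))  # True
    print(function_signature(ORIGINAL) == function_signature(MODIFIED)) # False
    print(similarity(ORIGINAL, TWEAKED), similarity(ORIGINAL, MODIFIED))
```

The point of the layered approach is visible in the three comparisons: the exact hash only finds untouched copies, the abstracted hash also finds renamed and reformatted copies, and the k-gram score is what is left when the copier has also inserted or deleted statements. The threshold at which a k-gram score is reported as a match, and the choice of k, are tuning decisions; too low a threshold flags common idioms shared by unrelated code.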

Copyright 2021 Canvass Labs.