
Page 1: Build Security into the Software with Sparrow

4Q/2016, Global Business

Page 2: Company Overview

• More than 1,250 customers
• 10+ customers with 100K users worldwide
• Leader in enterprise data-centric security space
• Building Security into the Data and Software
• 60% with security consulting or engineering backgrounds
• 300 employees
• Founded in June, 2000
• Installed base of over 2.5M users

Page 3: Sparrow Overview

Page 4: Key Features

All-in-One SAST Solution: Policy Enforcement, Quick Fix, Accurate Analysis

• Supporting various programming languages and platforms
• Dynamic policy enforcement
• Intelligent issue clustering
• Active suggestion
• Deep semantic analysis and supporting web framework

Page 5: Quick Look at Sparrow

• WHISTLE (Analyzer Client)
⚡ Defining target programs and policies
• SAE (Sparrow Analysis Engine)
⚡ Analyzing program codes
• NEST (Analysis Management System)
⚡ Showing details of error type, path, functions, suggested code changes and analysis reports

Architecture diagram (labels only): Sparrow Server; SAE (Sparrow Analysis Engine); NEST (Analysis Management System); Development Server/Client (w/ Source Code); WHISTLE (Analyzer Client) or Eclipse Plugin w/ Analysis Engine

Page 6: Dynamic Policy Enforcement

• Enforce multiple policies dynamically for different projects, users/groups and project phases

Page 7: Accurate Analysis

Deep Semantic Analysis
• Interprocedural analysis (context- and path-sensitive analysis + symbolic execution)
• False path pruning by constraint solving
• Semantic analysis (data-flow, value, pointer, structure, and class analysis) + abstract interpretation for dead code detection
• Syntactic analysis (comment, pattern-based analysis)

Supporting Web Framework
• Analyzing Spring/Struts web applications
⚡ Control/dataflow of MVC (model, view, control) architecture
⚡ Annotation-based configuration
⚡ Dependency injection
⚡ Configuration files

Page 8: Accurate Analysis (Cont'd)

Findings on the same target, Sparrow vs. Vendor H (True = true positives, False = false positives; '-' marks a cell left blank on the slide):

Common Weakness | Sparrow (True / False) | Vendor H (True / False)
HTTP response splitting | 1 / - | 0 / -
Private Array-Typed Field Returned From A Public Method | 1 / - | 0 / -
SQL injection | 2 / - | 3 / 12
Path Traversal & Resource Injection | 4 / - | 2 / -
Null dereference | 74 / 2 | 3 / -
Reliance on Untrusted Inputs in a Security Decision | 1 / - | 0 / -
Improper Check for Unusual or Exceptional Conditions | 53 / - | 53 / -
Resource Leak | 109 / - | 19 / -
Open Redirect | 3 / - | 0 / -
Improper Error Handling | 6 / - | 6 / 2
Information Exposure Through an Error Message | 57 / - | 53 / -
Exposure of Data Element to Wrong Session | 4 / - | 0 / -
Use of Insufficiently Random Values | 2 / - | 8 / -
Integer Overflow | 1 / - | 0 / -
Leftover Debug Code | 1 / - | 1 / -
Information Exposure Through Comments | 0 / - | 9 / 4
Cleartext Storage of Sensitive Information | 0 / - | 1 / -
Cross-site scripting | 3 / - | 10 / -
Cross-site Request Forgery | 1 / - | 0 / -
Hard coded password | 2 / - | 5 / 0
Total | 325 / 2 | 173 / 18

Tool | Time | Target program | # of Files | Total LOC | Executable LOC
Sparrow | 4m 42s | WebGoat | 191 | 44,645 | 27,531
Vendor H | 19m 22s | WebGoat | 191 | 44,645 | 27,531

Page 9: Intelligent Issue Clustering

• Clustering similar issues into groups that allow organizations to identify and fix the issues efficiently

Page 10: Active Suggestion

• Not only identifies software vulnerabilities, but also remediates code using automated code suggestions.

Page 11: Technical Specification

Languages: ABAP, Android, ASP(.NET), C/C++, C#, HTML, Java, JavaScript, JSP, Objective-C, PHP, SQL, VB.NET, VBScript, XML

IDEs: Android Studio, Code Composer, CodeWarrior, Eclipse, IAR, IBM RAD, IntelliJ IDEA, Keil uVision, Visual Studio, Xcode

Platform: Windows, Linux, Mac OS, AIX, HP-UX, SunOS

Build Management: GNU make, Sun make, Microsoft nmake

Framework: Spring framework, Struts framework, Proframe framework

Source Control: Git, Microsoft Team Foundation, Subversion, Commercial Source Controls

Continuous Integration: Hudson, Jenkins, TeamCity

Page 12: Timeline and Roadmap

• 2007-2016
⚡ OWASP Benchmark Score: 94%
*The average score of other solutions was 25%.
⚡ ISO26262 Certification
*Qualification of Software Tools for Automotive Industry
⚡ CWE Compatibility

• Roadmap (2016, 2017, 2018): Sparrow v5 (SAST), Sparrow Cloud v1, IAST v1, DAST v1, RASP v1

Page 13: Case Study

Page 14: Customer in Financial Verticals

• Key fact
⚡ Industry: Financial/Banking
⚡ Revenue: US$22.7B (Assets: $204.3B)
⚡ Headcount: 100K
• Challenge
⚡ Develop and deliver an efficient and effective static application security testing environment for all business applications developed, maintained and operated by the Bank's IT Department.
• Solution
⚡ Enforced secure coding policies set by the IT and Security Group in all Dev environments (approx. 1,450 developers)
⚡ Inspected the source code of more than 233 projects for security and quality
⚡ Added periodic reporting of statistical analysis of security vulnerabilities and quality issues (identified and fixed approx. 1,000 vulnerabilities annually since 2014)

Page 15: Customer in Financial Verticals (Cont'd)

Deployment diagram (labels only):

Components: Source Code Management Server; Operating Server; Development Servers (233 Projects); Sparrow Servers (*4 active servers); Developers (1,450 Seats); Admin

Flows and responsibilities:
• Transfer secure source code
• Check-in request
• Approve/reject check-in request based on the secure coding policy
• Define/manage secure coding policy
• Review status of projects and generate reports
• Request security assessment results of source code
• Validate the request
• Sends analysis results and pre-processed data
• Managing code analysis results
• Managing secure projects
• Execute code analysis
• Review the analysis results
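The check-in gate and clustering described on pages 6, 9 and 15 (one policy per project phase, similar issues grouped so one fix closes several findings, and a check-in approved or rejected against the policy), as an added Python example written for this page: it is illustrative code, not Sparrow's API, and the findings, the policy shape and the CWE ids are constructed sample data.

```python
"""Hypothetical check-in gate: per-phase secure coding policy plus issue
clustering. Added example, not Sparrow's API; all data below is constructed."""
from collections import defaultdict

# Constructed analysis results, shaped as an analysis server might return them.
FINDINGS = [
    {"cwe": "CWE-89", "severity": "high", "file": "Login.java",
     "sink": "Statement.executeQuery"},
    {"cwe": "CWE-89", "severity": "high", "file": "Search.java",
     "sink": "Statement.executeQuery"},
    {"cwe": "CWE-476", "severity": "medium", "file": "Cart.java",
     "sink": "Cart.total"},
    {"cwe": "CWE-615", "severity": "low", "file": "Index.jsp",
     "sink": "comment"},
]

# Hypothetical policy set: one rule set per project phase (page 6).
# Each value is the maximum number of findings of that severity tolerated
# at check-in; severities not listed are not gated in that phase.
POLICIES = {
    "development": {"high": 0},
    "release": {"high": 0, "medium": 0, "low": 5},
}


def cluster(findings):
    """Group findings sharing a weakness and a sink (page 9): one fix per group."""
    groups = defaultdict(list)
    for f in findings:
        groups[(f["cwe"], f["sink"])].append(f)
    return groups


def gate_checkin(findings, phase, policies=POLICIES):
    """Return (approved, reasons); reasons names each violated policy rule."""
    if phase not in policies:
        raise ValueError(f"no policy defined for phase {phase!r}")
    counts = defaultdict(int)
    for f in findings:
        counts[f["severity"]] += 1
    reasons = [f"{sev}: {counts[sev]} found, max {limit}"
               for sev, limit in policies[phase].items() if counts[sev] > limit]
    return (not reasons, reasons)


def fix_plan(findings):
    """One line per cluster, so the remediation list is as short as possible."""
    return [f"{cwe} via {sink}: {len(fs)} finding(s) in "
            f"{sorted({f['file'] for f in fs})}"
            for (cwe, sink), fs in cluster(findings).items()]
```

Running gate_checkin(FINDINGS, "development") rejects the check-in because two high-severity findings exceed the phase limit of zero, while fix_plan collapses them into a single SQL injection cluster to fix.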

Page 16: About Fasoo

Fasoo has been successfully building its worldwide reputation as an EDRM (enterprise digital rights management, aka information rights management, IRM) solution provider with industry-leading solutions and services. Fasoo solutions allow organizations to prevent unintended information disclosure or exposure, ensure a secure information-sharing environment, better manage workflows and simplify secure collaboration internally and externally. Fasoo Enterprise DRM, a data-centric security solution, safeguards and prevents unauthorized use of digital files and provides persistent and reliable protection of documents with effective file encryption, permission control and audit trail technologies. Fasoo has successfully retained its leadership in the EDRM market by deploying solutions for more than 1,250 organizations at an enterprise-wide level, securing more than 2.5 million users. Fasoo also has the foresight to plan for future expansion through new business models including static code analysis/SAST (Sparrow), content-centric data lifecycle management solutions (Wrapsody) and intelligent lifelog solutions (DigitalPage).

North America Headquarters
197 State Route 18 South, East Brunswick, NJ 08817, USA

Global Headquarters
396 World Cup buk-ro, Mapo-gu, Seoul 121-795, Korea

Web: www.fasoo.com
Email: [email protected]
Phone: (732) 955-2333 (NA HQ) | +82-2-300-9000 (Global HQ)