Awards

Fields listed for each award: Topic Information | Award/Contract Number | Proposal Information | Company | Performance Period | Award/Contract Value | Abstract

Topic Information: H-SB013.1-002, Hybrid Analysis Mapping (HAM)
Award/Contract Number: HSHQDC-16-C-00088
Proposal Information: HSHQDC-13-R-00009-H-SB013.1-002-0003-CRPP (HSHQDC-13-R-00009 CRPP); SBIR Proposal - Hybrid Analysis Mapping (HAM) -- Phase 2 CRPP
Company: Denim Group, Ltd, 1354 N Loop 1604 E, Suite 110, San Antonio, TX 78232-2992
Performance Period: 09/01/2016 to 05/31/2017
Award/Contract Value: $199,795.15

Abstract: During the course of our Phase 1 and Phase 2 SBIR contracts, Denim Group has developed a Hybrid Analysis Mapping (HAM) technology. At its core, this technology allows software assurance teams to correlate and merge the results of Static Application Security Testing (SAST) and Dynamic Application Security Testing (DAST) into a single unified view of the security state of an application. This technology has been included in Denim Group's ThreadFix application vulnerability management platform. In addition, the HAM technology has been extended to provide further capabilities: calculating the application attack surface and pre-seeding DAST scans with that attack surface to reduce false negative results from DAST scanning; and mapping DAST results to specific entry-point lines of source code in developers' Integrated Development Environments (IDEs) to reduce the time and level of effort required to remediate application vulnerabilities. A related trend that impacts the adoption and commercialization of HAM technology is that as software development teams move from Waterfall to Agile to DevOps development methodologies, they are also challenged with incorporating software assurance DAST and SAST testing into Continuous Integration/Continuous Delivery (CI/CD) pipelines, so that security can be integrated into software development efforts with a minimum of impact on development teams. HAM technology is potentially very valuable to software development teams looking to quickly integrate application security testing into CI/CD pipelines because it provides a consolidated view of weaknesses and vulnerabilities that is more efficient to consume and address.

Topic Information: H-SB013.1-002, Hybrid Analysis Mapping (HAM)
Award/Contract Number: HSHQDC-13-C-00038
Proposal Information: HSHQDC-13-R-00009-H-SB013.1-002-0003-I (HSHQDC-13-R-00009 Phase I); SBIR Proposal - Hybrid Analysis Mapping (HAM)
Company: Denim Group, Ltd, 3463 Magic Drive, Suite 315, San Antonio, TX 78229-2992
Performance Period: 05/01/2013 to 10/31/2013
Award/Contract Value: $99,953.01

Abstract: Determine the feasibility of developing a system that can reliably and efficiently correlate and merge the results of open-source and commercial automated static and dynamic security scanning technologies, by creating common data structure standards for both automated static and dynamic security scanning results, and by researching and prototyping methods of matching the results of automated static and dynamic tools. The goal of Phase I will be to deliver a working prototype that can correlate and merge the results of open-source and commercial automated static and dynamic security scans of web applications. Initial commercialization plans for the results of this research involve integrating it with Denim Group's existing ThreadFix product: a software vulnerability aggregation and management system that helps organizations aggregate vulnerability data, generate virtual patches, and integrate with software defect tracking systems. It is commercialized using a common and tested "open source" business model in which the base technology is made available for free under an open source software license. This will increase the adoption of the technology by allowing any organization access to the software without requiring licensing fees. However, organizations that require commercial support for their customized use of the technology can purchase support contracts. In addition, organizations that wish to customize or extend the functionality of the technology will be required to pay for access to these services. Future plans are to make the technology available under a cloud "software as a service" (SaaS) model, removing the need for customers to configure, install and maintain their own systems.

Topic Information: H-SB013.1-002, Hybrid Analysis Mapping (HAM)
Award/Contract Number: D14PC00071
Proposal Information: HSHQDC-13-R-00009-H-SB013.1-002-0003-II (HSHQDC-13-R-00009 Phase II); SBIR Proposal - Hybrid Analysis Mapping (HAM) -- Phase 2
Company: Denim Group, Ltd, 3463 Magic Drive, Suite 315, San Antonio, TX 78229-2992
Performance Period: 05/23/2014 to 07/06/2016
Award/Contract Value: $749,860.22

Abstract: Develop a system that can reliably and efficiently correlate and merge the results of open-source and commercial automated static and dynamic security scanning technologies, using common data structure standards for both automated static and dynamic security scanning results, and building methods of matching the results of automated static and dynamic tools. The goal of Phase II will be to deliver a fully functional product that can correlate and merge the results of four (4) open-source and commercial automated static and four (4) dynamic security scans of web applications. Commercialization plans involve integrating Hybrid Analysis Mapping with Denim Group's existing ThreadFix product: a software vulnerability aggregation and management system that helps organizations aggregate vulnerability data, generate virtual patches, and integrate with software defect tracking systems. It is currently commercialized using a common and tested "open source" business model in which the base technology is made available for free under an open source software license. This will increase the adoption of the technology by allowing any organization access to the software without requiring licensing fees. However, organizations that require commercial support for their customized use of the technology can purchase support contracts. In addition, organizations that wish to customize or extend the functionality of the technology will be required to pay for access to these services. Phase 2 plans include making the technology available under a cloud "software as a service" (SaaS) model, removing the need for customers to configure, install and maintain their own systems.