By Dan Cornell
We recently announced the SBIR Phase 1 contract we won with the Department of Homeland Security (DHS) to do research into Hybrid Analysis Mapping (HAM). This research is investigating better ways to integrate the results of static and dynamic security scanning tools, and we are in the process of integrating this research into the ThreadFix open source application vulnerability management platform. We spoke with a number of folks in the press who provided an expanded view of what we are working on, and I wanted to highlight some of that coverage here.
Chris Preimesberger from eWeek wrote an article titled "Homeland Security Awards Grant for ThreadFix Development" where he talks about the various capabilities provided by ThreadFix, how software security impacts critical US infrastructure, and how the work we are doing helps to accelerate the software vulnerability remediation process. [One minor note - the work we are doing with DHS isn't technically a "grant." Rather, it is a contract to do research under their Small Business Innovation Research (SBIR) program.]
Also, James A. Denman from SearchSoftwareQuality.com wrote an article titled "Security Test Researcher Funded by US Department of Homeland Security" where he looks at the challenges associated with Hybrid Analysis Mapping (HAM) as well as the difficulties organizations face when trying to actually resolve identified vulnerabilities.
It is good to see both the press and industry taking a greater interest in an organization's need to fix the vulnerabilities that various scanning tools are identifying in its software, and we're thrilled to be helping move the state of the industry forward.
dan _at_ denimgroup.com