Several years ago, I had a conversation with Mary Ann Davidson, the CSO at Oracle, about code review. At the time - well before the current state of the practice - she bemoaned the fact that they have to go through thousands of lines of code per day looking for security flaws and it was an extremely tedious task. Now, there is a company that has taken a unique approach to solving the code review problem and it is one of our two runners-up in the Throwdown.
Hatha Systems' Knowledge Refinery is not just another code review product, though. The core mission of the product is to extract an impact analysis from the source code that can tell the analyst what the consequences of a particular flaw are likely to be. It does this by extracting knowledge of the environment in which the application runs so that in- and outbound data flows can be examined and the impact of security gaps assessed.
One of the techniques the product uses to make complicated interactions clear is graphical mapping. Once it has parsed and analyzed the target source code, the tool creates a map of the interactions and interdependencies. This map, referred to as a call map, makes relationships clear and unambiguous. It can show the function calls made or the targets of those calls. Once the map is complete, the user can apply color coding to identify flaws and their consequences. The product can also examine metadata and draw conclusions about versioning, highlighting older versions of application modules that may inadvertently have been mixed into a newer version of the application under analysis.
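To make the call-map idea concrete, here is an added example (not Hatha's code, and not taken from the review) that builds a call map from a small constructed Python module with the standard library `ast` parser, then walks the map upstream from one flagged function to find every caller whose behavior depends on it, which is the "consequences" half of the impact analysis described above. The sample source, the function names and the red/orange/green labels are all assumptions made for the example.

```python
import ast
from collections import defaultdict, deque

# Constructed sample module (not from the page): a request path that feeds
# user input into a query builder, plus an unrelated health check.
SAMPLE_SOURCE = '''
def read_input():
    return input()

def build_query(s):
    return "SELECT * FROM t WHERE id=" + s   # flaw flagged by review

def run_query(q):
    return q

def handle_request():
    q = build_query(read_input())
    return run_query(q)

def admin_report():
    return handle_request()

def health_check():
    return "ok"
'''

def build_call_map(source):
    """Return {function_name: set(callee_names)} for each top-level def."""
    tree = ast.parse(source)
    call_map = {}
    for node in tree.body:
        if isinstance(node, ast.FunctionDef):
            callees = set()
            for sub in ast.walk(node):
                if isinstance(sub, ast.Call) and isinstance(sub.func, ast.Name):
                    callees.add(sub.func.id)
            call_map[node.name] = callees
    return call_map

def impacted_callers(call_map, flawed):
    """Breadth-first walk over reversed edges: every function that, directly
    or transitively, calls the flawed one inherits its risk."""
    callers = defaultdict(set)
    for fn, callees in call_map.items():
        for callee in callees:
            callers[callee].add(fn)
    seen, queue = set(), deque([flawed])
    while queue:
        for caller in callers[queue.popleft()]:
            if caller not in seen:
                seen.add(caller)
                queue.append(caller)
    return seen

def color_code(call_map, flawed):
    """Label nodes as the review describes: red = the flaw itself,
    orange = upstream code affected by it, green = unaffected."""
    impacted = impacted_callers(call_map, flawed)
    return {fn: "red" if fn == flawed else "orange" if fn in impacted else "green"
            for fn in call_map}
```

Functions that merely supply data to the flawed routine (here `read_input`) stay green, because the walk follows callers, not callees; a data-flow analysis like the one the review credits Knowledge Refinery with would add that direction as well.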
From a security perspective - just one of the areas that Knowledge Refinery addresses - it is important to understand the security elements, pathways and weaknesses in an application's source code. For this reason, among others, the product restricts its analysis to source code, performing a static analysis to learn everything about the code, including its functionality and the security inherent - or not - in the target application. Focusing on identifying impact allows management of risk in an informed environment. Simply knowing the flaws in a piece of source code is not enough.
Built on international standards, Knowledge Refinery can analyze COBOL, C and Java sources. It is modular, which makes it easy to configure, and it keeps its data in an Oracle backend database for large projects or in XMI format for smaller endeavors.
The idea behind Knowledge Refinery is that, like refining crude oil into gasoline, source code can be refined to give the information wanted as you analyze code for faults. It lets users get what they want, when they want it.
By some standards, this product may seem a bit pricey, but it is the real deal. This is source code analysis - far more than simple review - at its best and most detailed. This is a full-blown analysis environment. The protection a developer gets from upstream disaster just by analyzing impacts is more than worth the price of admission. Installation and support are included in the price, and custom analysis, system integration and training are available at extra cost.
As we spoke with the Hatha folks, we could not avoid recognizing the seriousness of their commitment. These are people who believe that it is possible to produce clean code. In an age when it is not uncommon for the consumer to be the beta tester, the notion of clean code is a sort of Holy Grail.
Much has been said about the ultimate solution to cybersecurity vulnerabilities: Write clean code. However, writing and delivering clean code requires testing and analysis, something that many companies do not seem to have time for. Knowledge Refinery makes it possible to analyze sources, assess impacts and determine the likely upstream risk associated with those impacts. We think that those are good things and apparently so did the judges at the Throwdown because Hatha Systems was chosen as one of the runners-up.
If you are writing lots of code - and especially if your code has security implications - you need to have a look at Knowledge Refinery. It beats any similar tool we've seen so far.