CodeSonar® is GrammaTech’s whole program static analysis tool, as such, CodeSonar® examines the entire application’s logic by employing a unified dataflow and symbolic execution analysis. The static analysis engine detects threats three to five times more efficiently when compared to similar tools. Additionally, CodeSonar® integrates with enterprises’ existing development processes at any time with ease. In his own words, Teitelbaum places GrammaTech as a guardian angel for software integrity, as a company “that helps enterprises solve the most challenging cybersecurity issues of today, and tomorrow through static application security testing and code analysis.”
GrammaTech states that CodeSonar®’s uniqueness is its capability to analyze both source codes and binary code. To highlight, binary code analysis is applicable to software for which source code is not available, such as applications or libraries from third parties. For these cases, CodeSonar®’s groundbreaking binary code static analysis technology finds bugs and vulnerabilities in binary executables to ensure a holistic evaluation.
In order to enhance the reliability of GrammaTech’s platform even further, the company is working with the Department of Homeland Security (DHS) Science and Technology Directorate, and conducting cutting-edge research under the Static Analysis Modernization Program (STAMP). “The DHS was asking us for innovative ideas that would add value to the static analysis field,” says Teitelbaum. In three years, GrammaTech put forward ideas with game-changing capabilities, chief among them being the use of machine learning to inspect large code bases in the open source community to automatically learn how users use certain APIs. As Teitelbaum points out, this can mitigate shortcomings associated with manual, legacy methods, which are being used to figure out the rules to be enforced for APIs. Automating the rule creating processes using machine learning, ensures far more checks for program errors, at considerably lower cost. “We learn rules from thousands of open source programs and integrate them with CodeSonar® and other open source analyzers, so that open source communities can also receive the benefits of our research,” adds Teitelbaum.
To help enterprises solve the most challenging software issues of today and tomorrow such as failures and cyber attacks, we focus on static application security testing or static code analysis
Coupled with the evolution of a rich ecosystem of static analysis tools including GrammaTech’s own, customers get the benefits of tool interoperability through the use of open standards. Under STAMP, the firm is working on those standards, in the Static Analysis Results Interchange Format (SARIF), as a steering committee member along with Microsoft. “We help in enabling various open source tools to export their results into SARIF and import results from other tools into our CodeSonar®, through SARIF,” quotes Teitelbaum.
GrammaTech’s edge in the industry is evident from the results of the DARPA Cyber Grand Challenge 2016, where 120 organizations had competed to find errors in binary codes and repair or secure them. The firm secured second position, which inspired GrammaTech to establish their footprints in dynamic analysis. This helped the company power forward, to further enhance its static analysis capabilities by developing technology can find and repair vulnerabilities in binary code. “In short, we are advancing the technology to eliminate vulnerabilities before they can even harm the system,” concludes Teitelbaum.