What is JEAS?
Web 3.0 security for enterprise software
The Jaroona Enterprise Application Security (JEAS) solution is a Web 3.0 SAST tool that provides automated vulnerability detection and remediation suggestions. It applies machine learning and deep learning to improve detection speed, accuracy and code-base coverage, and it includes automated API security testing alongside the automated remediation suggestions.
Code Analysis Based on Deep Learning Networks Drives Unrivaled Accuracy, Speed and Scale for Vulnerability
Outperforms all other solutions
The Jaroona Enterprise Application Security (JEAS) solution leverages deep learning networks to learn automatically from the millions of vulnerabilities recorded in public databases since 1999. Those reported vulnerabilities were found in open source projects as well as in enterprise software from the world's leading IT companies. JEAS outperforms all other commercially available solutions in every key metric: false positive rate, false negative rate, accuracy, speed and scalability.
Continuously Improves Automatically
The core of the solution is a custom deep learning framework for detecting software vulnerabilities: the JEAS Vulnerability Framework. The framework represents program code as vectors that carry the syntactic and semantic information needed for vulnerability detection. Semantic context comes from a multi-layered representation of each unique code version: control flow graphs, call graphs, program dependence graphs and directory structure. From these the framework derives detailed, granular information about vulnerability structure, dependencies and semantics in each program and feeds it to the deep neural network for training and detection. The trained network encodes these vulnerability patterns and can decide whether target programs that were not part of the training data are vulnerable. Continuous unsupervised learning from millions of commits lets JEAS incorporate knowledge from new vulnerabilities and fixes every day, so the system stays up to date.
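To make the representations named above concrete, here is an added illustration (not JEAS's own code and not its framework) that extracts two of them, a call graph and intra-procedural data-dependence edges, from a small constructed Python snippet using the standard-library ast module. The snippet, its function names and the straight-line reaching-definition rule are assumptions made for the illustration; a production framework would also build control flow graphs, handle branches and loops, and work across files.

```python
"""Illustrative only (not JEAS code): extract a call graph and data-dependence
edges, two of the program representations the text names, from a constructed
Python snippet using the standard-library `ast` module."""
import ast

# Constructed sample: an untrusted value read in read_input() flows, through
# the local variable `raw`, into render(). The names are assumptions.
SAMPLE = '''
def read_input():
    return input()

def render(page):
    return "<html>" + page + "</html>"

def handler():
    raw = read_input()
    page = render(raw)
    return page
'''


def call_graph(source):
    """Map each top-level function name to the set of names it calls."""
    tree = ast.parse(source)
    graph = {}
    for fn in tree.body:
        if not isinstance(fn, ast.FunctionDef):
            continue
        callees = graph.setdefault(fn.name, set())
        for node in ast.walk(fn):
            # Only direct calls by simple name are recorded (no attributes).
            if isinstance(node, ast.Call) and isinstance(node.func, ast.Name):
                callees.add(node.func.id)
    return graph


def data_dependences(source, func_name):
    """Return (variable, def_stmt, use_stmt) edges inside one straight-line
    function. Statement indexes are positions in the function body; a
    parameter counts as defined at index -1. The most recent definition is
    taken as the reaching one, which is exact only without branches or loops
    (true for the sample above)."""
    tree = ast.parse(source)
    fn = next(n for n in tree.body
              if isinstance(n, ast.FunctionDef) and n.name == func_name)
    last_def = {arg.arg: -1 for arg in fn.args.args}
    edges = []
    for idx, stmt in enumerate(fn.body):
        uses, defs = set(), set()
        for node in ast.walk(stmt):
            if isinstance(node, ast.Name):
                if isinstance(node.ctx, ast.Load):
                    uses.add(node.id)
                elif isinstance(node.ctx, ast.Store):
                    defs.add(node.id)
        # Uses are resolved before this statement's own definitions take effect.
        for name in sorted(uses):
            if name in last_def:
                edges.append((name, last_def[name], idx))
        for name in defs:
            last_def[name] = idx
    return edges


if __name__ == "__main__":
    for caller, callees in call_graph(SAMPLE).items():
        print(f"{caller} -> {sorted(callees)}")
    for fn_name in ("render", "handler"):
        print(fn_name, "data dependences:", data_dependences(SAMPLE, fn_name))
```

The call-graph edge handler → read_input together with the data-dependence edges raw (stmt 0 → stmt 1) and page (stmt 1 → stmt 2) is exactly the kind of structural information, beyond the raw tokens, that a learned detector consumes as features.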
Greatly Reduces False Positives and False Negatives
The diversity, scale and semantics of the vulnerability data used in continuous training, together with deep learning architectures tailored to different kinds of vulnerabilities, enable JEAS to reduce both false positives and false negatives substantially. The result is very high accuracy and precision at unprecedented speed and scale.
Pinpoints Vulnerabilities in Target Code
The unique insights of the JEAS Vulnerability Framework come from the encoded, learned vulnerability patterns combined with a convolutional feature activation map. This lets the system pin down the exact location of each vulnerability in the target code, highlighting every contributing function or statement with a colour intensity proportional to its contribution to that vulnerability.
The JEAS Vulnerability Framework is an extensible, language-agnostic vulnerability detection framework designed for incremental and distributed code analysis. This flexibility allows support for a new programming language to be added in a matter of weeks.
The New Best-in-Class
Invented by the Jaroona R&D team, the JEAS Framework extends the state of the art beyond what rule-based vulnerability detection solutions can achieve. It greatly reduces reliance on human experts and provides a scalable, feature-rich, enterprise-grade solution across multiple programming languages. It currently covers 121 weakness types as defined by the Common Weakness Enumeration (CWE), and more are being added every day.
Tested and Proven
As a measure of the effectiveness of the approach, the JEAS Framework was used to identify critical-severity vulnerabilities that the top commercial rule-based SAST solution was unable to detect. The system was tested on target code from:
- The Android framework and other open source projects written in Java
- The QEMU hardware virtualization tool, Linux kernel and other open source projects written in C
- The Rust standard library
- Multiple other projects written in C++
Currently we support C/C++, Java and Rust, with more programming languages in the pipeline.
20 – 25 %
False Positive Rate
The share of non-vulnerable samples that the model flags as vulnerable (FP / (FP + TN)). The lower the number, the better: a higher rate means developers and security officers waste more time evaluating findings that are not real vulnerabilities.
50 – 60 %
False Negative Rate
The share of vulnerable samples that the model misses (FN / (FN + TP)), which equals one minus recall. The lower the number, the better: a higher rate means a greater chance that important vulnerabilities go undetected.
70 – 75 %
Accuracy
The share of all samples, vulnerable and non-vulnerable, that are classified correctly ((TP + TN) / total). A higher percentage indicates a more accurate model.
30 – 35 %
Precision
The share of samples reported as vulnerable that really are vulnerable (TP / (TP + FP)). A higher percentage indicates a more precise model; at this level roughly one in three reported findings is a true vulnerability.
35 – 40 %
F1 measure
The harmonic mean of precision and recall (recall being one minus the false negative rate), which combines both in a single figure. The higher the number, the more effective the model.
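As an added worked example (not data from JEAS's own evaluation), the five figures above computed from one constructed confusion matrix with the standard definitions, to show how they constrain each other: once the false positive rate, false negative rate and precision are fixed, accuracy and F1 follow from them and from the class balance. The matrix below is chosen so that all five land inside the quoted ranges; its 200 vulnerable and 800 clean samples are an assumption.

```python
"""Added worked example (not JEAS evaluation data): the five quoted metrics
computed from a confusion matrix using their standard definitions."""

# Constructed confusion matrix, chosen so that every metric falls inside the
# ranges quoted on the page. The 200/800 class balance is an assumption.
TP, FP, FN, TN = 90, 180, 110, 620

# Ranges quoted on the page, as fractions.
QUOTED_RANGES = {
    "fpr": (0.20, 0.25),
    "fnr": (0.50, 0.60),
    "accuracy": (0.70, 0.75),
    "precision": (0.30, 0.35),
    "f1": (0.35, 0.40),
}


def metrics(tp, fp, fn, tn):
    """Standard classification metrics for a binary vulnerable/clean model."""
    fpr = fp / (fp + tn)              # clean samples wrongly flagged
    fnr = fn / (fn + tp)              # vulnerable samples missed
    recall = 1.0 - fnr                # same as tp / (tp + fn)
    precision = tp / (tp + fp)        # share of reports that are real
    accuracy = (tp + tn) / (tp + fp + fn + tn)
    f1 = 2 * precision * recall / (precision + recall)
    return {
        "fpr": fpr,
        "fnr": fnr,
        "recall": recall,
        "precision": precision,
        "accuracy": accuracy,
        "f1": f1,
        # Triage cost: findings an analyst reviews per real vulnerability.
        "reports_per_true_positive": (tp + fp) / tp,
    }


def f1_from_precision_and_fnr(precision, fnr):
    """F1 depends only on precision and recall, so it is already determined
    once precision and the false negative rate are known (recall = 1 - FNR)."""
    recall = 1.0 - fnr
    return 2 * precision * recall / (precision + recall)


def out_of_range(m, ranges=QUOTED_RANGES):
    """Names of the metrics in `m` that fall outside the quoted ranges."""
    return [name for name, (lo, hi) in ranges.items() if not lo <= m[name] <= hi]


if __name__ == "__main__":
    m = metrics(TP, FP, FN, TN)
    for name, value in m.items():
        print(f"{name:>26}: {value:.3f}")
    print("outside quoted ranges:", out_of_range(m) or "none")
```

The reports_per_true_positive value (three findings reviewed per real vulnerability at a precision of one third) is the triage cost the quoted precision implies, and a precision of 30-35% with a false negative rate of 50-60% yields an F1 of 35-40% regardless of the class balance, so the five ranges are mutually consistent under the standard definitions.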
FOR APPSEC AND
Continuously Analyze & Protect Every Software Release Without Slowing the Development Lifecycle
Accurately Find Vulnerabilities in Minutes
A failure to make security a priority has resulted in widespread vulnerabilities, because the vigilance and focus needed to prevent software flaws before they lead to a breach are expensive and time consuming. Even the most vigilant companies cannot prevent every bug, which drives the need to constantly test, fix and learn about a plethora of security issues.
To reverse this trend, organizations must integrate security into development. JEAS is the fastest static application security testing (SAST) product in the industry. It integrates directly into DevOps pipelines at pull request, commit or build time, and it can analyze 1,000,000 lines of code in under 20 minutes. Because the detector is a pre-trained deep learning model, it can also run on inexpensive commodity GPUs, accelerating source code analysis several times over. This lets AppSec teams build security into fast software development lifecycles without slowing down innovation.
The Jaroona Enterprise Application Security (JEAS) framework is a fundamentally new and more effective way to analyze source code. Leveraging the power of machine learning and deep learning networks, the system is more accurate and produces fewer false positives and false negatives than any other available solution.
Find Zero-Day Vulnerabilities That Have Not Been Publicly
Top commercial source code analysis tools rely on hand-coded rules or on publicly reported vulnerabilities. Neither approach reliably detects zero-day vulnerabilities, flaws that match no existing rule or report, which attackers can find and exploit even after every security test has passed. JEAS is the only commercially available SAST product that finds zero-day vulnerabilities, thanks to the JEAS Vulnerability Detection Framework's continuous learning and its robustness to code perturbations, project structure changes, changed libraries and new techniques.
Automated Vulnerability Identification in APIs
Organizations are moving from traditional monolithic web applications to modern applications that invoke many server-side APIs or use microservice architectures. The result is an explosion of web APIs interacting with these applications.
JEAS API security testing uses the JEAS framework to find vulnerability patterns in the tested APIs automatically. The framework embeds code in a vector space in which typical patterns of API usage can be identified. These patterns implicitly capture code semantics and let the system extrapolate from known vulnerabilities to potentially vulnerable code with similar characteristics.
Automatic Vulnerability Remediation Suggestions
As development methodologies and DevOps practices become faster and more agile, the pressure on enterprises to remediate vulnerabilities quickly increases. But remediation is still a challenge for many organizations because it remains a manual effort that requires time and development resources.
A 2019 Gartner report suggests that by 2022, 10% of coding vulnerabilities identified by static application security testing (SAST) will be remediated automatically using code suggestions applied from automated solutions, up from less than 1% today.
Jaroona JEAS is among the first solutions to use ML algorithms to suggest code fixes automatically for vulnerabilities identified by JEAS and by third-party SAST tools. Suggested fixes are ranked by relevance and by how often other developers applied them to similar vulnerabilities.
Integrated with CI/CD
JEAS can run at several points in your integration and deployment pipeline, depending on your needs: on pull request, on code commit (Git, Bitbucket, etc.) or during the build. Integrations with common code integration and deployment tools make this straightforward.
Manage & Prioritize Vulnerabilities
JEAS provides a powerful dashboard for developers, AppSec staff, and security officers. Users can prioritize vulnerabilities based on severity, allowing responders to triage responses and allocate resources effectively.
Run Independent Security Audits
JEAS can also be used by independent code auditors without integration into a software development lifecycle. With unparalleled speed and accuracy and the ability to find zero-day vulnerabilities, JEAS can replace manual audits or semi-manual audits that rely on rule-based tools. Schedule a demo to learn how JEAS can increase the value and reputation of your code audits.