Why CyberSagacity?

Our mission is to provide unprecedented vision into cybersecurity risks within software source code. Our products provide the essential insight necessary for sagacity – the discernment to make sound judgements.

We are uniquely positioned to offer innovative technology that vastly improves and streamlines application security. Leveraging over 30 years of proprietary data on the mathematical quantification of software behavior, our two flagship tools offer practical solutions that reduce cyber risk and raise productivity.

93% of all breaches have application defects as their root cause.

~50% of all software is released with severe embedded security vulnerabilities.

Reducing risk starts with making application security more effective and useful. Our products address many of the issues identified by industry participants:

  • AST tools produce noisy results at unmanageable levels.
  • Developers lack the data to grasp the security implications of defects.
  • No existing AppSec tool determines defect/application financial loss or ROI projections.
  • No AppSec tool supports Zero Trust by determining the attacks and consequences of defects.

The current application security industry has critical deficiencies: inaccurate and incomplete AST data, inadequate risk analysis, non-statistical methods, incorrect prioritization methods, a lack of attack and consequence data, and no AppSec financial analytics.

Feature Comparison

AST Tool Assessments
  Industry Approach: No assessments done.
  Our Approach: For a specific application, determine the coverage and accuracy of important defects for each AST tool; analyze every rule for every supported vendor.

AST Scan Results
  Industry Approach: Merge results; >60% of defect descriptions from SAST/DAST vendors are inaccurate.
  Our Approach: Normalize and correct mis-characterized and mis-aligned defects.

Duplicates & False Positives
  Industry Approach: Removes duplicates incorrectly and does not automate false-positive identification; result: defect mis-alignments diminish value (95% inaccuracies).
  Our Approach: Accurate de-duplication using source-sink, parent-child and cause-effect relationships. Automated likelihood analysis and quick resolution of false positives.

Predictive Analytics
  Industry Approach: Limited. Some “risk” scoring that does not include likelihood; attack-vector analysis with no impact on AppSec prioritization.
  Our Approach: Perform ease-of-exploitation analysis to determine the probability of attack. Determine the probability of every consequence of each defect: 34 unique consequence types vs. 7.

Prioritization
  Industry Approach: Assign defects to a small number of buckets (severe, moderate and minor), which inaccurately narrows the set of severe defects.
  Our Approach: Four approaches: (1) statistical 1:N ranking; (2) 1:N ROI and financial-loss ranking; (3) 1:N mission-critical consequence or attack ranking; (4) any combination of (1) to (3).

Results
  Industry Approach: 80% of severe defects are labeled as minor; >95% of “severe” defects are actually not severe.
  Our Approach: Improve productivity with detailed ranking and guidance. ROI enables informed decision making. Knowing attacks and consequences is essential for mission-critical applications.

Enabling Software Cybersecurity Requirements

No other tools offer similar capabilities to effectively solve Zero Trust and Secure by Design initiatives.

Our Products Enable Cyber Risk Initiatives in AppSec

Secure-by-Design

Problem:

CISA’s drive to build security into the design and code of software

Solutions:

  • SATraits determines the effectiveness of AppSec programs.
  • SATriage maximizes cost-effective risk reduction.

Zero Trust

Problem:

DoD and NSA’s initiative to shift cybersecurity to software source code and eliminate all mission-critical defects.

Solutions:

  • SATraits enables analysis of false negatives – that is, defects that are not being found.
  • Zero Trust means certain consequences cannot happen.
  • SATriage is the only tool to determine all consequences of defects found in AppSec.

Regulation Compliance

Problem:

NIST software regulations describe attacks, consequences, and defect types that must not be present in software.

Solutions:

  • SATraits describes the quantity of defects that are not being found and are therefore subject to non-compliance.
  • SATriage is the only tool that searches for attack and consequence types among defects.

SBOM Risk Assessment

Problem:

Need to understand the risk of third-party and open source code.

Solutions:

  • Our tools assess two sources of third-party risk: the coverage of third-party validation efforts, and the financial and technical risks of third-party software.

Zero Day Defect Reduction

Problem:

80% of defects found by MDR are zero days.

Solutions:

  • No single AST tool results in more than 20% coverage.
  • SATraits will inform you of your AppSec defect coverage and Zero Day expectations.

Powered by 30 years of R&D, tens of millions of curated defects, and 700 databases of code/defect behavior statistics.