2. Company Overview
• More than 1,250 customers
• 10+ customers with 100K users worldwide
• Leader in enterprise data-centric security space
• Building Security into the Data and Software
• 60% with security consulting or engineering backgrounds
• 300 employees
• Founded in June, 2000
• Installed base of over 2.5M users
5. Quick Look at Sparrow
• WHISTLE (Analyzer Client)
⚡ Defining target programs and
policies
• SAE (Analysis Engine)
⚡ Analyzing program code
• NEST (Analysis Management
System)
⚡ Showing details of error type,
path, functions, suggested code
changes and analysis reports
Architecture diagram (labels only): Sparrow Server hosting SAE (Sparrow Analysis Engine) and NEST (Analysis Management System); Development Server/Client (w/ Source Code) running WHISTLE (Analyzer Client) or Eclipse Plugin w/ Analysis Engine.
6. Dynamic Policy Enforcement
• Enforce multiple policies dynamically to different projects,
users/groups and project phases
7. Deep Semantic Analysis
• Interprocedural analysis
(context and path-sensitive
analysis + symbolic execution)
• False path pruning by
constraint solving
• Semantic analysis (data-flow,
value, pointer, structure, and
class analysis) + abstract
interpretation for dead code
detection
• Syntactic analysis (comment,
pattern-based analysis)
Supporting Web Framework
• Analyzing Spring/Struts web applications
⚡ Control/dataflow of MVC
(model, view, control)
architecture
⚡ Annotation based configuration
⚡ Dependency injection
⚡ Configuration files
Accurate Analysis
8. Accurate Analysis (Cont’d)
Common Weakness                                              Sparrow        Vendor H
                                                             True   False   True   False
HTTP response splitting                                        1      -       0      -
Private Array-Typed Field Returned From A Public Method        1      -       0      -
SQL injection                                                  2      -       3     12
Path Traversal & Resource Injection                            4      -       2      -
Null dereference                                              74      2       3      -
Reliance on Untrusted Inputs in a Security Decision            1      -       0      -
Improper Check for Unusual or Exceptional Conditions          53      -      53      -
Resource Leak                                                109      -      19      -
Open Redirect                                                  3      -       0      -
Improper Error Handling                                        6      -       6      2
Information Exposure Through an Error Message                 57      -      53      -
Exposure of Data Element to Wrong Session                      4      -       0      -
Use of Insufficiently Random Values                            2      -       8      -
Integer Overflow                                               1      -       0      -
Leftover Debug Code                                            1      -       1      -
Information Exposure Through Comments                          0      -       9      4
Cleartext Storage of Sensitive Information                     0      -       1      -
Cross-site scripting                                           3      -      10      -
Cross-site Request Forgery                                     1      -       0      -
Hard coded password                                            2      -       5      0
Total                                                        325      2     173     18
(- : no value given)

Target program: Webgoat (191 files, 44,645 total LOC, 27,531 executable LOC)
Tool       Analysis time
Sparrow    4m 42s
Vendor H   19m 22s
9. Intelligent Issue Clustering
• Clustering similar issues in groups that will allow organizations to
identify and fix the issues efficiently
10. Active Suggestion
• Not only identifies software vulnerabilities, but also has the ability to
remediate code using automated code suggestions.
14. Customer in Financial Verticals
• Key fact
⚡ Industry: Financial/Banking
⚡ Revenue: US$22.7B (Assets: $204.3B)
⚡ Headcount: 100K
• Challenge
⚡ Develop and deliver an efficient and effective static application security
testing environment for all business applications developed, maintained
and operated by the Bank’s IT Department.
• Solution
⚡ Enforced secure coding policies set by IT and Security Group in all Dev
environments (approx. 1,450 developers)
⚡ Inspected the source code of more than 233 projects for security and quality
⚡ Added periodic reporting of statistical analysis of security vulnerabilities and
quality issues (identified and fixed approx. 1,000 vulnerabilities annually since 2014)
15. Customer in Financial Verticals (Cont’d)
Deployment diagram (labels only):
• Components: Source Code Management Server; Operating Server; Development Servers (233 Projects); Sparrow Servers (*4 active servers); Developers (1,450 Seats); Admin
• Workflow labels:
⚡ Check-in request
⚡ Approve/reject check-in request based on the secure coding policy
⚡ Transfer secure source code
⚡ Define/manage secure coding policy
⚡ Review status of projects and generate reports
⚡ Request security assessment results of source code
⚡ Validate the request
⚡ Sends analysis results and pre-processed data
⚡ Managing code analysis results
⚡ Managing secure projects
⚡ Execute code analysis
⚡ Review the analysis results
16. Fasoo has been successfully building its worldwide reputation as an EDRM (enterprise digital rights management,
aka information rights management, IRM) solution provider with industry-leading solutions and services. Fasoo
solutions allow organizations to prevent unintended information disclosure or exposure, ensure a secure
information-sharing environment, better manage workflows and simplify secure collaboration internally and
externally. Fasoo Enterprise DRM, a data-centric security solution, safeguards and prevents unauthorized use of
digital files and provides persistent and reliable protection of documents with effective file encryption,
permission control and audit trail technologies. Fasoo has retained its leadership in the EDRM
market by deploying solutions at an enterprise-wide level for more than 1,250 organizations, securing more than 2.5
million users. Fasoo also has the foresight to plan for future expansion through new business models including static
code analysis/SAST (Sparrow), content-centric data lifecycle management solutions (Wrapsody) and intelligent
lifelog solutions (DigitalPage).
North America Headquarters
197 State Route 18 South, East Brunswick, NJ 08817, USA
Global Headquarters
396 World Cup buk-ro, Mapo-gu, Seoul 121-795, Korea
Web: www.fasoo.com
Email: inquiry@fasoo.com
Phone: (732) 955-2333 (NA HQ) | +82-2-300-9000 (Global HQ)