The Application Security Technologies and Metrics (ASTAM) program is a U.S. Department of Homeland Security (DHS) Science and Technology Directorate funded project that seeks to improve the security of software through the development and enhancement of technologies that support all aspects of the secure software development lifecycle.
The technologies being developed under ASTAM automate techniques used to identify cyber security threats to software applications, improve insight into code testing coverage, make it easier to incorporate AppSec into the software development pipeline, and provide meaningful metrics to security analysts and cyber risk managers about the status, progress, and trends of application security.
The ASTAM program brings automation to the largely manual application security process, developing several technologies as independent capabilities, such as those highlighted below.
ASTAM TECHNOLOGIES
Attack Surface Detector (ASD)
Automated penetration tests are a popular and effective way to identify exploitable vulnerabilities in an application, but they often suffer from capability gaps that are difficult to overcome with current tools. The most significant problem is that an application’s attack surface is often not fully enumerated before testing, so part of that attack surface goes unexercised.
Currently, unlinked endpoints must be found by manual code review, a time-consuming and therefore expensive process.
The Attack Surface Detector, developed under the ASTAM program, is a pair of plugins for widely adopted DAST tools, Portswigger’s Burp Suite and OWASP ZAP (Zed Attack Proxy). These plugins will automatically examine the application’s source code via static analysis, finding hidden or unlinked endpoints in the process, and further identifying their optional parameters and data types, which most DAST scans will miss. This greatly broadens the visible, testable portions of the application’s attack surface, providing the basis for more thorough penetration testing. This newly enumerated surface can then be spidered and tested with Burp Suite or OWASP ZAP, or manually pen-tested. In addition, a command line interface (CLI) version of the Attack Surface Detector was developed that provides the ability to detect endpoints without pointing at an active server or source code. Endpoints are output to a JSON file that can then be imported into Burp and ZAP.
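The following Python script is an added illustration of what the static-analysis step described above produces; it is not the Attack Surface Detector's own code. It runs a few regular expressions over a constructed Spring-style controller (the real plugins parse source properly), emits the endpoints with their HTTP verbs, parameters, data types and optional flags as JSON, and then compares that inventory against a constructed list of requests a crawler actually made, which is how an unlinked endpoint shows up. The JSON layout is assumed, not the plugins' import format.

```python
import json
import re

# Constructed stand-in for a source tree: one Spring-style controller in a string.
# Added example, not the Attack Surface Detector's own code.
SAMPLE_SOURCE = '''
@RestController
@RequestMapping("/api")
public class AccountController {

    @GetMapping("/accounts/{id}")
    public Account get(@PathVariable long id, @RequestParam(required = false) String view) {
        return service.get(id, view);
    }

    @PostMapping("/accounts")
    public Account create(@RequestParam String name, @RequestParam int limit) {
        return service.create(name, limit);
    }

    // Nothing in the UI links here, so a crawler alone never reaches it.
    @DeleteMapping("/admin/accounts/{id}")
    public void purge(@PathVariable long id) {
        service.purge(id);
    }
}
'''

CLASS_PREFIX = re.compile(r'@RequestMapping\("([^"]*)"\)\s+public class')
HANDLER = re.compile(
    r'@(Get|Post|Put|Delete|Patch)Mapping\("([^"]*)"\)\s+public\s+[\w<>\[\]]+\s+(\w+)\((.*?)\)\s*\{'
)
PARAM = re.compile(r'@(RequestParam|PathVariable)(\([^)]*\))?\s+([\w<>\[\]]+)\s+(\w+)')


def extract_endpoints(source: str) -> list:
    """Enumerate handler methods, HTTP verbs and parameters from controller source."""
    m = CLASS_PREFIX.search(source)
    prefix = m.group(1) if m else ""
    endpoints = []
    for verb, path, method_name, params in HANDLER.findall(source):
        parameters = [
            {
                "name": name,
                "type": java_type,
                "in": "path" if kind == "PathVariable" else "query",
                # Spring request parameters are required unless annotated otherwise
                "optional": kind == "RequestParam" and "required = false" in (args or ""),
            }
            for kind, args, java_type, name in PARAM.findall(params)
        ]
        endpoints.append({"method": verb.upper(), "url": prefix + path,
                          "handler": method_name, "parameters": parameters})
    return endpoints


def unlinked(endpoints: list, crawled: set) -> list:
    """Endpoints whose (method, URL template) no crawled request matched."""
    missing = []
    for ep in endpoints:
        template = re.compile("^" + re.sub(r"\{[^}]+\}", "[^/]+", ep["url"]) + "$")
        if not any(m == ep["method"] and template.match(u) for m, u in crawled):
            missing.append(ep)
    return missing


def to_json(endpoints: list) -> str:
    """Serialise the inventory in a shape a DAST import could consume (assumed schema)."""
    return json.dumps({"endpoints": endpoints}, indent=2)


if __name__ == "__main__":
    eps = extract_endpoints(SAMPLE_SOURCE)
    # Constructed crawl results: what a spider found by following links.
    seen = {("GET", "/api/accounts/42"), ("POST", "/api/accounts")}
    print(to_json(eps))
    print("not reached by the crawler:", [(e["method"], e["url"]) for e in unlinked(eps, seen)])
```

The comparison is what makes the enumeration useful to a tester: the source-derived inventory says what exists, the crawl says what was reached, and the difference is the part of the attack surface that would otherwise go unexercised.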
Code Pulse
Under the ASTAM program, the OWASP Code Pulse tool is undergoing further development that expands its capabilities and language support and greatly enhances its utility.
Code Pulse is an OWASP open-source tool that provides insight into the real-time code coverage of testing activities. During penetration testing, Code Pulse visualizes, in real time, which portions of the attack surface are being exercised as the code runs. This greatly enhances visibility into an application’s current security status and helps the testing team identify where their tools’ coverage overlaps and where testing gaps exist. Armed with this information, the security team can accurately and effectively configure their pen testing tools to ensure that the application’s attack surface is exercised as thoroughly as possible. This visibility also allows application security professionals to evaluate their tools’ efficacy for their specific needs.
The code coverage is visualized with an easily understood tree map that displays the application’s attack surface. As tests are conducted, Code Pulse highlights the tree map boxes that correspond to the application methods being called, as reported by a Code Pulse tracer. These traces can be recorded, and multiple test results can be displayed simultaneously, so that different tests can be compared for overlaps and gaps. A simple Percent Coverage column also provides a running tally of code coverage, both overall and by application area.
Originally providing support for Java applications, it now also supports applications written in .NET. Future enhancements will include support for additional languages and frameworks, integration with Hybrid Analysis Mapping and vulnerability management tools.
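To make the tracer-plus-comparison idea concrete, here is an added Python example (not Code Pulse's own tracer, which instruments Java and .NET) that records which methods of a constructed sample application execute during two different test activities, computes the overall and per-area percent coverage the tree map and Percent Coverage column would show, and reports where the two traces overlap, where they differ, and which methods neither reached. The sample functions, their grouping into areas, and the two test activities are all constructed.

```python
import sys
from collections import defaultdict

# Constructed stand-in for an application under test. Each function is one method of
# the attack surface; INVENTORY groups them into areas the way a tree map groups
# methods by package. Added example, not Code Pulse's own tracer.
INVENTORY = {
    "login": "auth", "logout": "auth", "reset_password": "auth",
    "list_orders": "orders", "create_order": "orders", "cancel_order": "orders",
    "export_users": "admin",
}

def login(): return "session"
def logout(): return None
def reset_password(): return "mail sent"
def list_orders(): return []
def create_order(): return 1
def cancel_order(): return True
def export_users(): return "csv"


class Tracer:
    """Records which inventoried methods run while active (what a tracer reports to the UI)."""

    def __init__(self):
        self.hit = set()

    def _on_event(self, frame, event, arg):
        if event == "call" and frame.f_code.co_name in INVENTORY:
            self.hit.add(frame.f_code.co_name)
        return None  # method entry is enough; no line-level tracing needed

    def __enter__(self):
        sys.settrace(self._on_event)
        return self

    def __exit__(self, *exc):
        sys.settrace(None)
        return False


def record(test) -> set:
    """Run one test activity under the tracer and return the set of methods it exercised."""
    with Tracer() as t:
        test()
    return t.hit


def percent_coverage(hit: set) -> dict:
    """Percent of inventoried methods exercised, overall and per area (the Percent Coverage column)."""
    per_area = defaultdict(lambda: [0, 0])
    for name, area in INVENTORY.items():
        per_area[area][1] += 1
        per_area[area][0] += name in hit
    report = {area: round(100 * done / total, 1) for area, (done, total) in per_area.items()}
    report["overall"] = round(100 * len(hit & set(INVENTORY)) / len(INVENTORY), 1)
    return report


def compare(a: set, b: set) -> dict:
    """Overlap and gaps between two recorded traces, plus methods neither test reached."""
    return {"overlap": sorted(a & b), "only_a": sorted(a - b), "only_b": sorted(b - a),
            "untested": sorted(set(INVENTORY) - a - b)}


# Two constructed test activities: an automated scan and a manual session.
def scripted_scan():
    login()
    list_orders()
    create_order()
    logout()

def manual_session():
    login()
    reset_password()
    cancel_order()


if __name__ == "__main__":
    scan, manual = record(scripted_scan), record(manual_session)
    print("scan:", percent_coverage(scan))
    print("manual:", percent_coverage(manual))
    print("comparison:", compare(scan, manual))
```

The "untested" list is the actionable output: it names the methods no activity touched, which is exactly where a tester would point the next scan configuration.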
Hybrid Analysis Mapping (HAM)
Hybrid Analysis Mapping combines the results from the two most common types of application security testing tools: static and dynamic application security testing (SAST and DAST). DAST tools examine an application from the outside in, testing it for vulnerabilities that an attacker could exploit. SAST tools examine the code from the inside out, identifying vulnerable sections of source code that could be compromised if not secured. Each has strengths and weaknesses; SAST tools in particular tend to return lengthy lists of findings that must be manually reviewed, because many are false positives or are otherwise unexploitable from the outside.
Hybrid Analysis uses DAST results to examine these SAST findings, mapping source code vulnerabilities discovered by SAST tools against exploits identified by DAST tools. This allows rapid prioritization: the list of confirmed vulnerabilities is significantly shorter and easier to manage, and it represents a much more significant threat than a list of potential vulnerabilities.
The ASTAM project has developed a method by which Hybrid Analysis can be conducted rapidly, automatically, and effectively. This Hybrid Analysis method has been developed to integrate with popular existing correlation engines, such as SWAMP-in-a-Box, Code Dx Enterprise, and Threadfix.
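The correlation step can be shown in a few dozen lines. The Python below is an added example and not the ASTAM project's Hybrid Analysis implementation or any of the named correlation engines' code. It assumes three inputs, all constructed here: a routing table from static analysis that maps each HTTP method and URL to the source file and handler behind it (the kind of mapping the Attack Surface Detector produces), SAST findings tagged with a CWE and a code location, and DAST findings tagged with the request that triggered them and a category. A SAST finding is confirmed when a DAST finding of the corresponding category hit an endpoint that routes to that finding's handler; the CWE-to-category table is an assumption.

```python
# Constructed inputs. Added example of the correlation step, not the ASTAM project's
# own Hybrid Analysis Mapping implementation.

# Routing table as static analysis of the controllers would produce it:
# (HTTP method, URL template) -> (source file, handler method)
ENDPOINT_MAP = {
    ("GET", "/search"): ("SearchController.java", "search"),
    ("POST", "/login"): ("AuthController.java", "login"),
    ("GET", "/report"): ("ReportController.java", "render"),
}

# SAST findings: a code location plus the weakness class reported
SAST_FINDINGS = [
    {"id": "S1", "cwe": "CWE-89", "file": "SearchController.java", "method": "search", "line": 42},
    {"id": "S2", "cwe": "CWE-79", "file": "ReportController.java", "method": "render", "line": 17},
    {"id": "S3", "cwe": "CWE-89", "file": "AuthController.java", "method": "login", "line": 88},
    {"id": "S4", "cwe": "CWE-798", "file": "Config.java", "method": "load", "line": 5},
]

# DAST findings: the request that produced an exploitable response
DAST_FINDINGS = [
    {"id": "D1", "method": "GET", "url": "/search", "parameter": "q", "category": "SQL Injection"},
    {"id": "D2", "method": "GET", "url": "/report", "parameter": "name", "category": "Cross-Site Scripting"},
]

# Which DAST category counts as external confirmation of which weakness class (assumed table)
CWE_TO_CATEGORY = {"CWE-89": "SQL Injection", "CWE-79": "Cross-Site Scripting"}


def correlate(sast, dast, endpoint_map):
    """Mark each SAST finding confirmed, potential or no-route and return them prioritised.

    confirmed: a DAST finding of the matching category hit an endpoint routing to this code
    potential: the code is reachable through an endpoint, but DAST produced no matching proof
    no-route: no endpoint reaches the code, so DAST cannot speak to it; still needs a human look
    """
    # Invert the routing table: handler location -> endpoints that reach it
    handlers = {}
    for endpoint, location in endpoint_map.items():
        handlers.setdefault(location, []).append(endpoint)
    results = []
    for s in sast:
        endpoints = handlers.get((s["file"], s["method"]), [])
        wanted = CWE_TO_CATEGORY.get(s["cwe"])
        proof = [d["id"] for d in dast
                 if (d["method"], d["url"]) in endpoints and d["category"] == wanted]
        if proof:
            status = "confirmed"
        elif endpoints:
            status = "potential"
        else:
            status = "no-route"
        results.append({**s, "status": status, "endpoints": endpoints, "dast": proof})
    rank = {"confirmed": 0, "potential": 1, "no-route": 2}
    return sorted(results, key=lambda r: rank[r["status"]])


def confirmed_only(results):
    """The short list a team would work first."""
    return [r for r in results if r["status"] == "confirmed"]


if __name__ == "__main__":
    for r in correlate(SAST_FINDINGS, DAST_FINDINGS, ENDPOINT_MAP):
        print(r["id"], r["cwe"], r["status"], r["dast"])
```

Note that "no-route" is not the same as "not exploitable": a hard-coded credential in a configuration loader is never reached by a request, so dynamic testing can neither confirm nor refute it, and it stays in the manual review pile rather than being discarded.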
Application Security Metrics Dashboard and Reporting
A critical aspect of application security is being able to measure the success of application security testing tools and programs and to report analysis outcomes such as remediation history, code review records, vulnerability trends, and changes in an application’s security status over time. Few tools, however, provide robust options for displaying metrics and reports, which makes tracking and overseeing these details and analyzing security risks more difficult.
The ASTAM program has developed a security metrics and reporting dashboard for application vulnerability management systems. This capability helps security practitioners and managers quickly assess their applications’ security statuses, track software vulnerability trends over time, structure and direct resources to where they are needed most, and better understand the effectiveness of their application security policies and procedures to refine them. Metrics captured and displayed include a software risk score, finding counts over time, length of time for findings to be remediated based on severity, types of security issues, and much more.
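As an added Python example (not the ASTAM dashboard's own code or scoring model), the block below computes several of the metrics named above from a constructed finding history: a risk score over the findings open on a given date, opened and closed counts per month for trend charts, mean time to remediate by severity, and counts by issue type. The severity weights and the age factor in the risk score are assumptions chosen for the example; a real dashboard would expose these as policy.

```python
from collections import Counter
from datetime import date

# Constructed finding history, as exported from a vulnerability management system.
# Added example of the kind of metrics a dashboard reports, not the ASTAM dashboard's
# own scoring; the severity weights and age factor below are assumptions.
FINDINGS = [
    {"id": 1, "severity": "critical", "type": "SQL Injection",  "opened": date(2018, 1, 10), "closed": date(2018, 1, 15)},
    {"id": 2, "severity": "high",     "type": "XSS",            "opened": date(2018, 1, 20), "closed": date(2018, 2, 19)},
    {"id": 3, "severity": "high",     "type": "XSS",            "opened": date(2018, 2, 3),  "closed": None},
    {"id": 4, "severity": "medium",   "type": "Info Leak",      "opened": date(2018, 2, 14), "closed": date(2018, 4, 4)},
    {"id": 5, "severity": "low",      "type": "Missing Header", "opened": date(2018, 3, 1),  "closed": None},
    {"id": 6, "severity": "critical", "type": "SQL Injection",  "opened": date(2018, 3, 9),  "closed": None},
]

WEIGHTS = {"critical": 10, "high": 5, "medium": 2, "low": 1}   # assumed severity weights


def _as_date(d):
    """Accept either a date or an ISO string such as '2018-03-31'."""
    return date.fromisoformat(d) if isinstance(d, str) else d


def open_on(findings, as_of):
    """Findings that were still open at the end of the given day."""
    as_of = _as_date(as_of)
    return [f for f in findings
            if f["opened"] <= as_of and (f["closed"] is None or f["closed"] > as_of)]


def risk_score(findings, as_of):
    """Weighted count of open findings; each week a finding stays open adds 10% to its weight."""
    as_of = _as_date(as_of)
    score = 0.0
    for f in open_on(findings, as_of):
        age_weeks = (as_of - f["opened"]).days // 7
        score += WEIGHTS[f["severity"]] * (1 + 0.1 * age_weeks)
    return round(score, 1)


def finding_counts_by_month(findings):
    """Opened and closed counts per calendar month, the series a trend chart plots."""
    opened = Counter(f["opened"].strftime("%Y-%m") for f in findings)
    closed = Counter(f["closed"].strftime("%Y-%m") for f in findings if f["closed"])
    return {"opened": dict(opened), "closed": dict(closed)}


def mean_days_to_remediate(findings):
    """Average opened-to-closed duration in days, per severity, over remediated findings."""
    durations = {}
    for f in findings:
        if f["closed"]:
            durations.setdefault(f["severity"], []).append((f["closed"] - f["opened"]).days)
    return {sev: round(sum(d) / len(d), 1) for sev, d in durations.items()}


def issue_type_counts(findings):
    """How many findings of each type exist, open or closed."""
    return dict(Counter(f["type"] for f in findings))


def dashboard(findings, as_of):
    """Everything one dashboard page would render, as a single dictionary."""
    return {
        "risk_score": risk_score(findings, as_of),
        "open_now": len(open_on(findings, as_of)),
        "counts_by_month": finding_counts_by_month(findings),
        "mean_days_to_remediate": mean_days_to_remediate(findings),
        "issue_types": issue_type_counts(findings),
    }


if __name__ == "__main__":
    for key, value in dashboard(FINDINGS, "2018-03-31").items():
        print(f"{key}: {value}")
```

Keeping the score a pure function of the finding records and a date makes it reproducible: the same export always yields the same number, which is what lets a manager compare the score across releases.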
Automated Dynamic Application Pen Testing (ADAPT)
ADAPT is an open source tool that performs automated application penetration testing for web applications. It is designed to increase accuracy, speed, repeatability and confidence in penetration testing efforts. It automatically tests for multiple industry standard OWASP Top 10 vulnerabilities, and outputs categorized findings based on these potential vulnerabilities.
The ASTAM program has developed software that combines state-of-the-art testing procedures with frequent updates, including new attack vectors. The ASTAM team has developed automated penetration tests based on selected test cases from the OWASP Testing Catalogue. The ADAPT system automatically runs this wide, effective range of tests across multiple testing categories, with better code and vulnerability coverage. These automated dynamic tests are rolled into a single application that can be inserted into a continuous integration environment.
ThreatVector / Application Threat Modeling
When measuring the strength of an application’s security, it is often useful to identify the kinds of threats the application is expected to face. This process, known as threat modeling, helps security professionals and developers understand the strengths and weaknesses of their application’s security.
The ASTAM program has developed software that automates this threat modeling process. The software automatically generates security threat models at any point during the software development lifecycle. It breaks down the application’s code to pinpoint architectural vulnerabilities, then generates threats from existing libraries, such as CAPEC, CWE, and a new Generic Threat Library developed by the ASTAM project.
Envisioned future improvements include security-requirements-based threat analysis: decision-making aids that guide security professionals and developers so that they can write secure code as they build the application. Each modeled threat will provide further insight and guidance for the development and security teams to reduce the risk from that threat.
All of these functions serve to significantly reduce the cost of the application security process, including requirements, architecture and code reviews, audits, and threat identification.
Pen Testing Automation (PTA)
PTA is a set of open source tools designed to automate, enhance, and simplify dynamic application security testing and to increase efficiency and repeatability. The software is an extensible pen testing platform with a pluggable architecture that supports automated execution of grouped pen testing tools. This allows testers to run extensive, thorough experiments and tests quickly and efficiently. Pluggable pen testing tools included with this framework include ESM-7, Crydra-16, and Xssmap.
Attack Simulator: Cyber Quantification Framework (CQF)
The Cyber Quantification Framework (CQF) streamlines and automates the design, configuration, and execution of penetration tests within a virtualized environment. CQF abstracts the virtualization details required to set up an automated environment. It can be used for a variety of tasks, including continuous integration, administering several redundant servers, or automating security testing. Using this framework, attack designers no longer have to concern themselves with setting up or administering a virtual environment.
Effective pen testers understand that repeatability, isolation, and speed are critical. Current platforms require additional layers of abstraction to maintain isolation and repeat attacks, and testers are forced to choose either speed or thoroughness.
CQF removes that layer of abstraction, so pen testers can focus on being thorough and effective, rather than concerning themselves with virtualization and isolation details.
Application Security Testing Orchestration (ASTO)
Robust application security testing processes require running multiple tools—which in turn requires coordination, extensive workflow planning, and significant management effort. The ASTAM program is developing an application security testing orchestration capability, which will automate the workflow of running selected commercial and open source application security testing tools, and provide an interface through which to manage testing activity. Using a distributed Kubernetes architecture, tools—both SAST and DAST—can be run automatically from a separate, unified console. From this central hub, workflows, testing processes, and oversight can be planned, coordinated, and executed from one place.
High-quality application security testing protocols and processes are notoriously difficult, time-consuming, and expensive to manage effectively. By significantly reducing the management and resource burdens, this Application Security Testing Orchestration capability will help development companies adopt a program of their own. Once development is complete, the ASTAM program will open-source the orchestration framework with a reference implementation so that other tools can be added.
Combining Network and Application Vulnerabilities
The ASTAM project is developing a method by which all identified vulnerabilities—both application security (AppSec) and network security (NetSec) vulnerabilities—will be combined into a single, consolidated view. This will help organizations better prioritize critical risks, identify potential threats, increase overall cyber risk awareness, and improve cyber risk management decision making.
Currently, network security and application security are regarded as separate activities, but they are not truly separate. Insecure applications represent threats to networks, and insecure networks represent threats to applications. Therefore, both network and application security professionals have a vested interest in their counterparts’ activity and security.
This technology developed under the ASTAM program will provide organizations the ability to quickly evaluate network and application vulnerabilities from a single consolidated and holistic view, effectively uniting some currently independent AppSec and NetSec activities.
Automated Triage Assistance
The ASTAM program is developing technologies to help developers and analysts manage large volumes of application security test findings. Our goal is to reduce the number of findings that people must review and to sort the most actionable findings to the top of the queue. Today, too many findings that people don’t care about frustrate security testing efforts and consume large amounts of labor.
During the first phase of work, we evaluated and integrated technology into a leading application vulnerability management system that makes it practical to use open source vulnerability scanners in software engineering pipelines. Most open source scanners lack the ability to suppress repeat findings as source code is edited over time. Our technology calculates file differences and uses the information to merge security testing findings across successive scans of a software application. We have demonstrated a 50-90% reduction in the number of findings that developers or analysts have to triage with this technology.
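The diff-based merge described above can be illustrated with the standard library. The Python below is an added example, not the ASTAM project's implementation: it takes two constructed revisions of one source file and the scanner output for each, uses difflib to map each unchanged line of the old revision to its new line number, and carries the previous triage decision onto any current finding whose rule, file and diff-adjusted line match. Findings from the old scan whose line no longer exists are reported as resolved, and only genuinely new findings land in the triage queue. The finding record layout is assumed.

```python
import difflib

# Constructed: two successive revisions of one source file and the scan results for each.
# Added example of the diff-based merge idea; not the ASTAM project's own implementation.
REV_1 = """\
import db

def find(q):
    return db.query("SELECT * FROM t WHERE q='" + q + "'")

def render(name):
    return "<h1>" + name + "</h1>"
"""

REV_2 = """\
import db
import html

def find(q):
    return db.query("SELECT * FROM t WHERE q='" + q + "'")

def render(name):
    return "<h1>" + html.escape(name) + "</h1>"

def greet(name):
    return "<p>" + name + "</p>"
"""

# Scan 1 findings, already triaged by a person (record layout is assumed)
SCAN_1 = [
    {"rule": "sql-injection", "file": "app.py", "line": 4, "status": "confirmed", "first_seen": "scan-1"},
    {"rule": "xss", "file": "app.py", "line": 7, "status": "open", "first_seen": "scan-1"},
]
# Scan 2 findings, raw from the scanner: the old line numbers have shifted, one issue was
# fixed, and one new function introduced a new issue
SCAN_2 = [
    {"rule": "sql-injection", "file": "app.py", "line": 5},
    {"rule": "xss", "file": "app.py", "line": 11},
]


def line_map(old_text, new_text):
    """1-based line numbers in old_text -> their numbers in new_text, for unchanged lines only."""
    old, new = old_text.splitlines(), new_text.splitlines()
    mapping = {}
    for tag, i1, i2, j1, j2 in difflib.SequenceMatcher(None, old, new).get_opcodes():
        if tag == "equal":
            for k in range(i2 - i1):
                mapping[i1 + k + 1] = j1 + k + 1
    return mapping


def merge(previous, current, files):
    """Carry triage state from a previous scan onto matching findings of the current one.

    files maps a file name to (old_text, new_text). A finding matches when rule, file and
    the diff-adjusted line agree; previous findings with no match are reported as resolved.
    """
    carried = {}
    for p in previous:
        old_text, new_text = files[p["file"]]
        new_line = line_map(old_text, new_text).get(p["line"])
        if new_line is not None:          # the flagged line survived the edit unchanged
            carried[(p["file"], p["rule"], new_line)] = p
    merged, matched = [], set()
    for c in current:
        key = (c["file"], c["rule"], c["line"])
        if key in carried:
            p = carried[key]
            merged.append({**c, "status": p["status"], "first_seen": p["first_seen"], "repeat": True})
            matched.add(id(p))
        else:
            merged.append({**c, "status": "new", "first_seen": "current", "repeat": False})
    resolved = [p for p in previous if id(p) not in matched]
    return {"merged": merged, "resolved": resolved}


def triage_queue(result):
    """Only findings a person has not already seen need review."""
    return [f for f in result["merged"] if not f["repeat"]]


if __name__ == "__main__":
    outcome = merge(SCAN_1, SCAN_2, {"app.py": (REV_1, REV_2)})
    for f in outcome["merged"]:
        print("merged:", f)
    print("resolved:", outcome["resolved"])
    print("to triage:", triage_queue(outcome))
```

Matching on the diff-adjusted line rather than the raw line number is the whole trick: inserting two import lines moved every finding, and a naive comparison would have presented the already-confirmed SQL injection as a brand-new one while silently losing its triage history. A line that was edited maps to nothing, which is the right conservative behaviour, since a changed line may have fixed or altered the issue and deserves a fresh look.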
During the second phase of work, currently under development, we are evaluating and implementing technologies to classify and prioritize the actionability of security testing findings. Based on a solid foundation of academic research, the technology employs machine learning to associate properties of findings and the software under test with past triage decisions. Our technology creates models that can then be used to predict the actionability of newly discovered security testing findings.
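The learning idea in this paragraph, associating properties of findings with past triage decisions and using the result to rank new ones, can be shown with a small categorical naive Bayes classifier. The Python below is an added example and does not reproduce the ASTAM project's features, model, or research basis; the triage history, the three features (rule, severity, and whether the code is production or test code) and the smoothing are all constructed for illustration.

```python
import math
from collections import Counter, defaultdict

# Constructed history of findings with the triage decision a person made on each.
# Added example of the learning idea; the ASTAM project's features and model are not shown here.
HISTORY = [
    ({"rule": "sql-injection", "severity": "high", "location": "src"}, True),
    ({"rule": "sql-injection", "severity": "high", "location": "src"}, True),
    ({"rule": "xss", "severity": "medium", "location": "src"}, True),
    ({"rule": "path-traversal", "severity": "high", "location": "src"}, True),
    ({"rule": "xss", "severity": "medium", "location": "test"}, False),
    ({"rule": "hardcoded-secret", "severity": "low", "location": "test"}, False),
    ({"rule": "weak-random", "severity": "low", "location": "src"}, False),
    ({"rule": "hardcoded-secret", "severity": "low", "location": "test"}, False),
]


def train(history):
    """Categorical naive Bayes: per-label counts of each feature value, plus vocabularies."""
    label_counts = Counter()
    value_counts = defaultdict(Counter)      # (label, feature) -> Counter of values
    vocab = defaultdict(set)                 # feature -> all values seen in training
    for features, label in history:
        label_counts[label] += 1
        for feature, value in features.items():
            value_counts[(label, feature)][value] += 1
            vocab[feature].add(value)
    return {"labels": label_counts, "values": value_counts, "vocab": vocab}


def posterior(model, features):
    """P(label | features) for each label, with Laplace smoothing so unseen values do not zero out."""
    total = sum(model["labels"].values())
    log_scores = {}
    for label, n in model["labels"].items():
        score = math.log(n / total)
        for feature, value in features.items():
            seen = model["values"][(label, feature)][value]
            score += math.log((seen + 1) / (n + len(model["vocab"][feature])))
        log_scores[label] = score
    norm = sum(math.exp(s) for s in log_scores.values())
    return {label: round(math.exp(s) / norm, 3) for label, s in log_scores.items()}


def predict(model, features):
    """True when the model considers the finding more likely actionable than not."""
    return posterior(model, features)[True] >= 0.5


def prioritise(model, findings):
    """Sort new findings so the ones most likely to be actionable come first."""
    scored = [(f, posterior(model, f)[True]) for f in findings]
    return sorted(scored, key=lambda item: item[1], reverse=True)


if __name__ == "__main__":
    model = train(HISTORY)
    # Constructed findings from a fresh scan, not yet seen by anyone
    fresh = [
        {"rule": "hardcoded-secret", "severity": "low", "location": "test"},
        {"rule": "xss", "severity": "medium", "location": "test"},
        {"rule": "sql-injection", "severity": "high", "location": "src"},
    ]
    for finding, p_actionable in prioritise(model, fresh):
        print(f"{p_actionable:.3f}  {finding}")
```

The model only ranks; it does not discard. A finding that scores low still exists in the queue, and the predicted probability is best read as a suggestion about where a reviewer's time is most likely to pay off, which is the posture the paragraph describes.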
The ASTAM project aims to eliminate barriers for software development companies to enhance their application security program or software engineering processes. We are confident that these automated triage assistance technologies will reduce some of the most resource-intensive aspects of application security testing.