Application Security Testing, Software Assurance

Published: 2018-09-18T10:39:36+00:00

Secure Decisions has built a comprehensive portfolio of R&D and commercially available software tools for application security.

Application Security Technologies and Metrics

The ASTAM System

The Application Security Technologies and Metrics (ASTAM) program is a U.S. Department of Homeland Security (DHS) Science and Technology Directorate funded project that seeks to improve the security of software through the development and enhancement of technologies that support all aspects of the secure software development lifecycle.

The technologies being developed under ASTAM automate techniques used to identify cyber security threats to software applications, improve insight into code testing coverage, make it easier to incorporate AppSec into the software development pipeline, and provide meaningful metrics to security analysts and cyber risk managers about the status, progress, and trends of application security.

The ASTAM project brings automation to the largely manual application security process, developing several technologies as independent capabilities, such as those highlighted below.

Hybrid Analysis Mapping

Hybrid Analysis Mapping combines the results from the two most common types of application security testing tools—static and dynamic application security testing (SAST and DAST). DAST tools examine code from the outside-in, testing the application for vulnerabilities that can be exploited by an attacker. SAST tools examine the code from the inside-out, identifying vulnerable sections of source code that can be compromised if not secured.

Attack Surface Detector (ASD)

ASD is an OWASP open source tool plugin that can be added to BurpSuite and OWASP ZAP testing toolboxes to help ensure more thorough penetration testing coverage. ASD conducts a static analysis scan of an application’s source code, finding hidden endpoints and parameters that a typical dynamic scan will likely miss. This helps to more comprehensively reveal an application’s attack surface, which can then be spidered and attacked with BurpSuite and ZAP.
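The following is an added example, not ASD's own code, showing the kind of static pass the paragraph describes and how its output is diffed against what a crawler actually reached. It assumes a Flask-style Python application whose endpoints are declared with `@app.route(...)` decorators and whose parameters are read through `request.args.get(...)` / `request.form.get(...)`; the application source and the crawl result are both constructed for the example.

```python
"""Added example (not ASD's code): enumerate a web app's attack surface from
source, then report what a dynamic crawl did not exercise.

Assumptions (illustrative): Flask-style routing via @app.route(...) and
parameters read via request.args.get("x") / request.form.get("x").
"""
import ast
from dataclasses import dataclass, field

# Constructed sample application source (not a real project).
SAMPLE_SOURCE = '''
from flask import Flask, request
app = Flask(__name__)

@app.route("/login", methods=["POST"])
def login():
    user = request.form.get("username")
    pw = request.form.get("password")
    return "ok"

@app.route("/search")
def search():
    q = request.args.get("q")
    page = request.args.get("page", 1)
    return q

@app.route("/admin/export", methods=["GET", "POST"])
def export():
    fmt = request.args.get("format")
    return fmt
'''


@dataclass
class Endpoint:
    path: str
    methods: tuple
    params: set = field(default_factory=set)


def _route_info(decorator):
    """Return (path, methods) for an @app.route(...) decorator, else None."""
    if not isinstance(decorator, ast.Call):
        return None
    func = decorator.func
    if not (isinstance(func, ast.Attribute) and func.attr == "route"):
        return None
    if not decorator.args or not isinstance(decorator.args[0], ast.Constant):
        return None
    path = decorator.args[0].value
    methods = ("GET",)  # Flask's default when methods= is omitted
    for kw in decorator.keywords:
        if kw.arg == "methods" and isinstance(kw.value, (ast.List, ast.Tuple)):
            methods = tuple(e.value for e in kw.value.elts if isinstance(e, ast.Constant))
    return path, methods


def _params_in(func_node):
    """Collect names passed to request.args.get / request.form.get in a handler."""
    params = set()
    for node in ast.walk(func_node):
        if (isinstance(node, ast.Call)
                and isinstance(node.func, ast.Attribute) and node.func.attr == "get"
                and isinstance(node.func.value, ast.Attribute)
                and node.func.value.attr in ("args", "form")
                and isinstance(node.func.value.value, ast.Name)
                and node.func.value.value.id == "request"
                and node.args and isinstance(node.args[0], ast.Constant)):
            params.add(node.args[0].value)
    return params


def enumerate_endpoints(source: str) -> dict:
    """Static pass: map route path -> Endpoint for every decorated handler."""
    found = {}
    for node in ast.walk(ast.parse(source)):
        if isinstance(node, ast.FunctionDef):
            for dec in node.decorator_list:
                info = _route_info(dec)
                if info:
                    path, methods = info
                    found[path] = Endpoint(path, methods, _params_in(node))
    return found


def coverage_gaps(static: dict, crawled: dict) -> dict:
    """Endpoints/params present in source but absent from the dynamic crawl.
    `crawled` maps path -> set of parameter names the crawler observed."""
    gaps = {}
    for path, ep in static.items():
        seen = crawled.get(path)
        if seen is None:
            gaps[path] = set(ep.params)        # whole endpoint hidden from crawler
        elif ep.params - seen:
            gaps[path] = ep.params - seen      # endpoint seen, some parameters missed
    return gaps


# Constructed crawl result: the spider only followed a link to /search?q=
CRAWLED = {"/search": {"q"}}

if __name__ == "__main__":
    eps = enumerate_endpoints(SAMPLE_SOURCE)
    for path, gap in sorted(coverage_gaps(eps, CRAWLED).items()):
        print(f"{path}: not exercised by dynamic scan -> params {sorted(gap)}")
```

The gap list is what gets fed back to the dynamic tool: here the crawler never saw `/login` or `/admin/export` at all, and reached `/search` without ever supplying `page`.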

Code Pulse

Code Pulse is an OWASP open-source tool that provides insight into the real-time code coverage of testing activities. While an application is undergoing penetration testing, Code Pulse visualizes the portions of the attack surface that are exercised, in real time. This greatly enhances visibility into an application’s current security status, and helps the testing team identify where their tools’ coverage overlaps and where testing gaps exist.


Pen Testing Automation (PTA)

The PTA tools are open source tools designed to automate, enhance, and simplify dynamic application security testing, and increase efficiency and repeatability. The software is an extensible pen testing platform, with a pluggable architecture to support automated execution of grouped pen testing tools.

Attack Simulator: Cyber Quantification Framework (CQF)

The Cyber Quantification Framework (CQF) is a framework designed to abstract away the virtualization details of setting up an automated testing environment. It streamlines and automates the design, configuration, and execution of penetration tests within a virtualized environment. It can be used for a variety of tasks, including continuous integration, administering several redundant servers, or automating security testing.

Threat Vector / Application Threat Modeling

Threat Vector is a semi-automated and interactive threat modeling tool. It measures the strength of an application’s security by identifying threats modeled on those an application of its kind can expect to face. It synthesizes an application’s security architecture and maps threats and associated attack patterns onto that architecture, based on an analysis of source code and the technical design decisions made by developers. It generates threats based on security requirements provided by the user. By doing so, it helps developers understand the strengths and weaknesses of their application’s security.


Automated Dynamic Application Pen Testing (ADAPT)

ADAPT is an open source tool that performs automated application penetration testing for web applications. It is designed to increase accuracy, speed, and confidence in penetration testing efforts. It automatically tests for multiple industry standard OWASP Top 10 vulnerabilities, and outputs categorized findings based on these potential vulnerabilities.

Application Security Testing Orchestration

Robust application security testing processes require running multiple tools, which requires coordination, extensive workflow planning, and significant management effort. The ASTAM program is developing an application security testing orchestration capability, which will automate the workflow of running selected commercial and open source application security testing tools (both SAST and DAST), and provide an intuitive unified interface through which to manage testing activity.

Combining Network and Application Vulnerabilities

The ASTAM project is developing a method by which all identified vulnerabilities—both application security (AppSec) and network security (NetSec) vulnerabilities—will be combined into a single, consolidated view. This will help organizations better prioritize critical risks, identify potential threats, increase overall cyber risk awareness, and improve cyber risk management decision making.


Automated Triage Assistant (ATA)

The ASTAM program is developing an Automated Triage Assistant for triaging and evaluating application security test findings. Based on a solid foundation of academic research, the ATA will learn the triage practices employed by application security analysts and apply those practices automatically to rapidly triage security findings. Algorithms currently under development aim to address a common problem for security analysts: the ability to automatically predict the movement of lines of source code across successive scans of a software application.
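The line-movement problem named in the paragraph is easy to see with a small example. What follows is added illustration, not ATA's algorithm: it assumes findings are identified by `(file, line, rule)`, that both the previous and current source text are available, and that a finding whose flagged line survives unchanged (only shifted) should inherit the analyst's earlier triage decision. Both source versions and the findings are constructed.

```python
"""Added example (not ATA's algorithm): carry triage decisions across scans by
predicting where each flagged line moved between two versions of a file.

Assumptions (illustrative): findings are (file, line, rule) tuples and the
triage status of a finding whose line merely shifted should carry forward.
"""
import difflib

# Constructed previous and current versions of one file. Three lines were
# inserted near the top, so every later finding's line number shifts.
OLD_SRC = """import os

def load(path):
    f = open(path)
    return f.read()

def run(cmd):
    os.system(cmd)
"""

NEW_SRC = """import os
import logging

log = logging.getLogger(__name__)

def load(path):
    log.info("loading %s", path)
    f = open(path)
    return f.read()

def run(cmd):
    os.system(cmd)
"""


def line_map(old_src: str, new_src: str) -> dict:
    """Return {old_line: new_line} (1-based) for every line that survives
    unchanged; lines that were edited or deleted get no entry."""
    old, new = old_src.splitlines(), new_src.splitlines()
    sm = difflib.SequenceMatcher(a=old, b=new, autojunk=False)
    mapping = {}
    for tag, i1, i2, j1, j2 in sm.get_opcodes():
        if tag == "equal":
            for k in range(i2 - i1):
                mapping[i1 + k + 1] = j1 + k + 1
    return mapping


def carry_forward(prev_findings: dict, cur_findings: list,
                  old_src: str, new_src: str) -> dict:
    """Re-apply previous triage to current findings whose line moved but is
    otherwise unchanged.
    prev_findings: {(file, line, rule): status}
    cur_findings:  [(file, line, rule), ...] from the new scan
    Returns {current finding: inherited status or "new"}."""
    moved = line_map(old_src, new_src)
    expected = {}
    for (file, line, rule), status in prev_findings.items():
        new_line = moved.get(line)
        if new_line is not None:           # line survived; predict its new position
            expected[(file, new_line, rule)] = status
    return {f: expected.get(f, "new") for f in cur_findings}


# Constructed triage state from the previous scan and findings from the new one.
PREV = {
    ("app.py", 8, "os-system-cmd"): "false_positive",
    ("app.py", 4, "unclosed-file"): "confirmed",
}
CURRENT = [
    ("app.py", 12, "os-system-cmd"),
    ("app.py", 8, "unclosed-file"),
    ("app.py", 7, "log-injection"),
]

if __name__ == "__main__":
    for finding, status in carry_forward(PREV, CURRENT, OLD_SRC, NEW_SRC).items():
        print(finding, "->", status)
```

The analyst only has to look at the genuinely new finding; the two that merely moved (line 8 to 12, line 4 to 8) keep their earlier disposition. A finding on a line that was edited gets no mapping and is deliberately treated as new, since the earlier decision may no longer hold.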

Application Security Metrics Dashboard and Reporting

The ASTAM program is developing a security metrics and reporting dashboard for application vulnerability management systems. This capability will help security practitioners and managers quickly assess their applications’ security status, track software vulnerability trends over time, direct resources to where they are needed most, and better understand the effectiveness of their application security policies and procedures so they can refine them.

Application Security Testing / Software Assurance

Code Ray

Hybrid Analysis Mapping

Two methods for analyzing software security risks are dynamic application security testing (DAST), an outside-in perspective, and static application security testing (SAST), an inside-out perspective. Both have shortfalls. DAST findings do not give insight into the root cause, making remediation time-consuming. SAST tools give you full breadth, but warn of weaknesses that are not exploitable.

Correlating the results of SAST and DAST can overcome these individual challenges. Secure Decisions is currently engaged in a DHS-funded Phase II SBIR program entitled Code Ray: Software Assurance Risk Management Framework for Hybrid Analysis Mapping, to produce a hybrid analysis method that can be incorporated into Code Dx and into the DHS SWAMP.

The anticipated end result of this R&D program will (1) improve speed, accuracy and confidence in detection of vulnerabilities by cross-mapping and normalizing the output of hybrid techniques – dynamic analysis, dynamic tracing, static analysis, and static contextual analysis; (2) enhance prioritization and mitigation of vulnerabilities by providing both the run-time context for those vulnerabilities and their mapping to security standards; and (3) improve the rapid comprehension and assessment of risks associated with vulnerabilities by delivering results in a simplified risk-management framework. Please review our factsheet to learn more about Code Ray.
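To make the cross-mapping concrete, here is an added example (not Code Ray's, Code Dx's, or the Hybrid Analysis Mapping component's code) that serves both this section and the Hybrid Analysis Mapping description in the ASTAM section above. It assumes the SAST tool already attributes each finding to the route handler and parameter it lives in, and that the DAST tool reports the URL and parameter it tested; both tool outputs are constructed sample data, and the category-to-CWE table is a small illustrative one.

```python
"""Added example (not Code Ray's or Code Dx's code): normalize SAST and DAST
findings to one vocabulary, correlate them by (route, parameter, CWE), and
rank the result so confirmed, root-caused issues come first.

Assumptions (illustrative): SAST findings carry the handler's route and
parameter; DAST findings carry the URL and parameter attacked.
"""
from urllib.parse import urlparse

# Constructed SAST output: weakness at file:line, plus the handler's route/param.
SAST = [
    {"tool": "sast-A", "cwe": 89, "file": "app/search.py", "line": 42,
     "route": "/search", "param": "q"},
    {"tool": "sast-A", "cwe": 79, "file": "app/profile.py", "line": 17,
     "route": "/profile", "param": "name"},
    {"tool": "sast-A", "cwe": 89, "file": "app/admin.py", "line": 88,
     "route": "/admin/export", "param": "format"},
]

# Constructed DAST output: category as the tool names it, URL and param tested.
DAST = [
    {"tool": "dast-B", "category": "SQL Injection",
     "url": "https://app.example/search?q=1", "param": "q"},
    {"tool": "dast-B", "category": "Open Redirect",
     "url": "https://app.example/go?to=x", "param": "to"},
]

# Map the dynamic tool's free-text categories onto CWE ids (illustrative subset).
CATEGORY_TO_CWE = {"sql injection": 89, "cross-site scripting": 79, "open redirect": 601}


def normalize_sast(f: dict) -> dict:
    return {"source": f["tool"], "cwe": f["cwe"], "route": f["route"],
            "param": f["param"], "location": f"{f['file']}:{f['line']}"}


def normalize_dast(f: dict) -> dict:
    # Strip scheme, host and query so the path matches the static route.
    return {"source": f["tool"], "cwe": CATEGORY_TO_CWE.get(f["category"].lower()),
            "route": urlparse(f["url"]).path, "param": f["param"],
            "location": f["url"]}


def _key(n: dict) -> tuple:
    return (n["route"], n["param"], n["cwe"])


def correlate(sast: list, dast: list) -> dict:
    """Split findings into: confirmed (seen by both sides, with code location and
    run-time evidence), dynamic_only (exploitable, root cause unknown) and
    static_only (weakness in code, exploitability unverified)."""
    s = {_key(n): n for n in map(normalize_sast, sast)}
    d = {_key(n): n for n in map(normalize_dast, dast)}
    confirmed = [
        {"route": k[0], "param": k[1], "cwe": k[2],
         "code": s[k]["location"], "evidence": d[k]["location"]}
        for k in s.keys() & d.keys()
    ]
    return {
        "confirmed": confirmed,
        "dynamic_only": [d[k] for k in d.keys() - s.keys()],
        "static_only": [s[k] for k in s.keys() - d.keys()],
    }


def prioritized(result: dict) -> list:
    """Flatten into a work list: confirmed first, then exploitable-but-unlocated,
    then static-only, each tier sorted for stable output."""
    tiers = [("confirmed", result["confirmed"]),
             ("exploitable-no-root-cause", result["dynamic_only"]),
             ("unverified-static", result["static_only"])]
    out = []
    for tier, items in tiers:
        for n in sorted(items, key=lambda n: (n["route"], n["param"])):
            out.append((tier, n["route"], n["param"], n["cwe"]))
    return out


if __name__ == "__main__":
    for row in prioritized(correlate(SAST, DAST)):
        print(row)
```

The confirmed entry pairs the DAST evidence (the request that worked) with the SAST location (the line to fix), which is exactly the root-cause context the paragraph says DAST alone lacks; the static-only entries are the ones whose exploitability still needs checking.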


Code Dx Enterprise

Software Vulnerability Management System

Code Dx is a software suite that combines and correlates vulnerabilities discovered by separate application security testing tools and techniques. Originally begun as a Small Business Innovation Research project for the Department of Homeland Security, Code Dx was first created to fill in the gaps left by using tools individually. Because each application security testing tool and technique finds only a relatively small subset of vulnerabilities, there was a dire need for a solution to ensure maximum attack surface coverage. Rather than attempt to provide an automated testing tool that can only focus on a few types of vulnerabilities, Secure Decisions designed Code Dx to integrate with a wide variety of other tools and techniques, and to combine and correlate the results of each in a single, unified interface. Code Dx normalizes the results from multiple tools, techniques, and formats; the end result is a clear, concise view of specific vulnerabilities that are immediately actionable, which is immensely helpful to software security and quality assurance professionals.

After the research period was completed, Secure Decisions successfully transitioned the Code Dx software suite into a commercial product, and spun off a separate company, Code Dx, Inc., to continue support for it. For more information, visit CodeDx.com.

Code Pulse

Penetration testing has proven to be a valuable preventive application security technique. A variety of automated tools and manual approaches are used to assess and expose vulnerabilities in target applications. By definition, black box testing offers little insight into the internals of target applications. Therefore, understanding the code coverage and testing overlap, or perhaps more importantly the coverage boundaries, has often been difficult to ascertain. Secure Decisions has built a free open source tool, Code Pulse, to help overcome these challenges. Code Pulse is a visualization-centric tool that provides insight into the real-time code coverage of black box testing activities. It is a desktop application that runs on most major platforms. Code Pulse has been transitioned into an OWASP project. For more information, please visit the Code Pulse OWASP Project page.


CWE-Vis

Common Weakness Enumeration Visualization

CWE-Vis is a resource made available to the software assurance community to explore and learn about weaknesses in software. It provides visualizations of, and interaction with, MITRE’s Common Weakness Enumeration (CWE), an international standard created to define a dictionary of software weaknesses. The CWE greatly facilitates discussion and collaboration in the ongoing effort to improve software systems. CWE-Vis helps users familiarize themselves with the CWE through visual means: high-level CWE structures and detailed relationship graphs are displayed visually, helping users gain a better and quicker understanding of the CWE. Powerful filtering and searching let users focus in on the details of how weaknesses can be manifested in source code and on ways to avoid and fix them.

Software Assurance Marketplace (SWAMP)

Secure Decisions has developed several professional partnerships and teamed with leaders in the Software Assurance community.

The SWAMP is a forward-looking effort to improve the state of secure software development, particularly for open source projects. Developed by Morgridge and funded by DHS, it is a relatively recent effort that will be offering its initial capability in early 2014.