Application Security Testing, Software Assurance
2018-11-02T12:12:50+00:00

Secure Decisions has built a comprehensive portfolio of R&D and commercially available software tools for application security.

Application Security Technologies and Metrics

The ASTAM System

The Application Security Technologies and Metrics (ASTAM) program is a U.S. Department of Homeland Security (DHS) Science and Technology Directorate funded project that seeks to improve the security of software through the development and enhancement of technologies that support all aspects of the secure software development lifecycle.

The technologies being developed under ASTAM automate techniques used to identify cyber security threats to software applications, improve insight into code testing coverage, make it easier to incorporate AppSec into the software development pipeline, and provide meaningful metrics to security analysts and cyber risk managers about the status, progress, and trends of application security.

The ASTAM program brings automation to the largely manual application security process, developing several technologies as independent capabilities, such as those highlighted below.

Hybrid Analysis Mapping

Hybrid Analysis Mapping combines the results from the two most common types of application security testing tools—static and dynamic application security testing (SAST and DAST). DAST tools examine the running application from the outside in, testing it for vulnerabilities that an attacker could exploit. SAST tools examine the code from the inside out, identifying sections of source code that are vulnerable if left unsecured. Mapping the two result sets onto each other ties a dynamic finding to the source code behind it, and a static finding to the endpoint that exposes it.

Attack Surface Detector (ASD)

ASD is an OWASP open source tool plugin that can be added to BurpSuite and OWASP ZAP testing toolboxes to help ensure more thorough penetration testing coverage. ASD conducts a static analysis scan of an application’s source code, finding hidden endpoints and parameters that a typical dynamic scan will likely miss. This helps to more comprehensively reveal an application’s attack surface, which can then be spidered and tested with BurpSuite and ZAP.
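As an added illustration of the two ideas above (not code from ASTAM, ASD or Hybrid Analysis Mapping), this Python sketch does an ASD-style route extraction over a constructed Flask-style view file, then a HAM-style join of SAST findings (keyed on file:line) with DAST findings (keyed on URL), and reports the endpoints the dynamic crawl never reached. The regexes, the finding record shapes and the sample scanner output are assumptions.

```python
import re
# Constructed sample input (not real project code): one Flask-style view file.
SOURCE = {"app/views.py": '''\
@app.route("/login", methods=["POST"])
def login():
    user = request.form["username"]
    return check(user, request.form["password"])
@app.route("/admin/export")
def export():
    return run_export(request.args.get("format"))
'''}
# Constructed scanner output: SAST findings key on file:line, DAST findings on URL.
SAST = [{"file": "app/views.py", "line": 4, "type": "SQL Injection"},
        {"file": "app/views.py", "line": 7, "type": "Command Injection"}]
DAST = [{"url": "/login", "type": "SQL Injection"}]
CRAWLED = {"/login"}  # URLs the dynamic spider reached on its own
ROUTE_RE = re.compile(r'@app\.route\("([^"]+)"')
PARAM_RE = re.compile(r'request\.(?:form|args)(?:\.get\()?\[?"([^"]+)"')

def extract_endpoints(source):
    """ASD-style pass: every route, its file:line, and the params its handler reads."""
    endpoints = {}
    for path, text in source.items():
        current = None
        for lineno, line in enumerate(text.splitlines(), 1):
            m = ROUTE_RE.search(line)
            if m:
                current = m.group(1)
                endpoints[current] = {"file": path, "line": lineno, "params": set()}
            elif current:  # still inside the previous route's handler
                endpoints[current]["params"].update(PARAM_RE.findall(line))
    return endpoints

def handler_for(endpoints, file, line):
    """Route whose handler contains file:line (closest preceding route), or None."""
    hits = [(i["line"], ep) for ep, i in endpoints.items()
            if i["file"] == file and i["line"] <= line]
    return max(hits)[1] if hits else None

def correlate(endpoints, sast, dast, crawled):
    """HAM-style join: confirm a SAST finding when DAST saw the same class on its URL."""
    dast_seen = {(f["url"], f["type"]) for f in dast}
    merged = []
    for f in sast:
        ep = handler_for(endpoints, f["file"], f["line"])
        merged.append({"endpoint": ep, "type": f["type"],
                       "confirmed": (ep, f["type"]) in dast_seen})
    hidden = sorted(ep for ep in endpoints if ep not in crawled)  # seed the spider
    return merged, hidden
```

Endpoints returned in `hidden` are the ones a pure crawl would miss; feeding them to the scanner is what closes the coverage gap the paragraph describes.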

Code Pulse

Code Pulse is an OWASP open-source tool that provides insight into the real-time code coverage of testing activities. While an application is undergoing penetration testing, Code Pulse visualizes the portions of the attack surface as the code is exercised, in real time. This greatly enhances visibility into an application’s current security status, and helps the testing team identify where their tools’ coverage overlaps and where testing gaps exist.


Pen Testing Automation (PTA)

The PTA tools are open source tools designed to automate, enhance, and simplify dynamic application security testing, and to increase efficiency and repeatability. The software is an extensible pen testing platform with a pluggable architecture that supports automated execution of grouped pen testing tools.

Attack Simulator: Cyber Quantification Framework (CQF)

The Cyber Quantification Framework (CQF) is a framework designed to abstract away the virtualization details of setting up an automated testing environment. It streamlines and automates the design, configuration, and execution of penetration tests within a virtualized environment. It can be used for a variety of tasks, including continuous integration, administering several redundant servers, or automating security testing.

Threat Vector / Application Threat Modeling

Threat Vector is a semi-automated and interactive threat modeling tool. It measures the strength of an application’s security by identifying the kinds of threats the application can be expected to face. It synthesizes an application’s security architecture and maps threats and associated attack patterns onto that architecture, based on an analysis of source code and the technical design decisions made by developers. It generates threats from security requirements provided by the user. By doing so, it helps developers understand the strengths and weaknesses of their application’s security.


Automated Dynamic Application Pen Testing (ADAPT)

ADAPT is an open source tool that performs automated application penetration testing for web applications. It is designed to increase accuracy, speed, repeatability and confidence in penetration testing efforts. It automatically tests for multiple OWASP Top 10 vulnerability classes and outputs findings categorized by the potential vulnerability they indicate.

Application Security Testing Orchestration (ASTO)

Robust application security testing processes require running multiple tools, which requires coordination, extensive workflow planning, and significant management effort. The ASTAM program is developing an application security testing orchestration capability, which will automate the workflow of running selected commercial and open source application security testing tools (both SAST and DAST), and provide an intuitive unified interface through which to manage testing activity.

Combining Network and Application Vulnerabilities

The ASTAM program is developing a method by which all identified vulnerabilities—both application security (AppSec) and network security (NetSec) vulnerabilities—will be combined into a single, consolidated view. This will help organizations better prioritize critical risks, identify potential threats, increase overall cyber risk awareness, and improve cyber risk management decision making.


Automated Triage Assistant (ATA)

The ASTAM program is developing an Automated Triage Assistant for triaging and evaluating application security test findings. Building on academic research, the ATA will learn the triage practices employed by application security analysts and apply those practices automatically, so that security findings are triaged more effectively. Algorithms currently under development address a common problem for security analysts: automatically predicting where source lines of code have moved between successive scans of a software application, so that a finding from one scan can be recognized as the same finding in the next.
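The line-movement problem described above, as an added example rather than ASTAM's own algorithm: a difflib-based remap of prior-scan findings onto the next scan's line numbers, which marks findings whose lines no longer exist for analyst review instead of dropping them or reporting them as new. The file contents, finding record format and finding types are constructed.

```python
import difflib

# Constructed sample: one file as captured by two successive scans.
OLD = """\
import os
def run(cmd):
    os.system(cmd)  # sink
def helper():
    return 1
""".splitlines()
NEW = """\
import os
import logging
def run(cmd):
    logging.info(cmd)
    os.system(cmd)  # sink
def helper():
    return 2
""".splitlines()
# Constructed prior-scan findings, anchored on OLD line numbers.
FINDINGS = [{"id": "F1", "type": "Command Injection", "line": 3},
            {"id": "F2", "type": "Constructed Finding", "line": 5}]

def line_map(old_lines, new_lines):
    """Map each 1-based line of the old file to its line in the new file, or to
    None when the line was deleted or rewritten between scans."""
    mapping = {}
    sm = difflib.SequenceMatcher(None, old_lines, new_lines, autojunk=False)
    for tag, i1, i2, j1, j2 in sm.get_opcodes():
        # 'equal' blocks shift by a constant; 'replace'/'delete' lines have no match
        for k, i in enumerate(range(i1, i2)):
            mapping[i + 1] = j1 + k + 1 if tag == "equal" else None
    return mapping

def carry_forward(findings, old_lines, new_lines):
    """Re-anchor prior findings on the new scan; a finding whose line vanished is
    marked 'review' rather than silently dropped or re-reported as new."""
    m = line_map(old_lines, new_lines)
    out = []
    for f in findings:
        new_line = m.get(f["line"])
        status = "carried" if new_line is not None else "review"
        out.append({**f, "line": new_line, "status": status})
    return out
```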

Application Security Metrics Dashboard and Reporting

The ASTAM program is developing a security metrics and reporting dashboard for application vulnerability management systems. This capability will help security practitioners and managers quickly assess the security status of their applications, track software vulnerability trends over time, direct resources to where they are needed most, and better understand and refine the effectiveness of their application security policies and procedures.
