Under the ASTAM program, the OWASP Code Pulse tool is undergoing further development that expands its capabilities and language support and greatly enhances its utility.
Code Pulse is an OWASP open-source tool that provides insight into the real-time code coverage of testing activities. During penetration testing activity, Code Pulse visualizes the portions of the attack surface as the code is exercised, in real time. This greatly enhances visibility into an application’s current security status and helps the testing team identify where their tools’ coverage overlaps, and where testing gaps exist. Armed with this information, the security team can accurately and effectively configure their pen testing tools to ensure that the application’s attack surface is exercised as thoroughly as possible. Further, this visibility allows application security professionals to evaluate their tools’ efficacy for their specific needs.
The code coverage is visualized with an easily understood tree map, which displays the application’s attack surface. As tests are conducted, Code Pulse highlights the tree map boxes that correspond to the application method being called, as reported by a Code Pulse tracer. These traces can be recorded, and multiple test results can be displayed simultaneously, so that different tests can be compared for overlaps and gaps. Additional functionality also displays a simple Percent Coverage column, which provides a running tally of code coverage, both overall and by application area.
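The comparison described above can be sketched in a few lines. This is an added example, not Code Pulse's own code or data format: the method names and the two recordings are constructed, and treating the Java package as the "application area" is an assumption.

```python
from collections import defaultdict

# Constructed sample data: every method in the application (the attack surface)
# and the methods each test recording touched. All names are hypothetical.
ALL_METHODS = {
    "com.shop.auth.Login.submit",
    "com.shop.auth.Login.reset",
    "com.shop.auth.Session.refresh",
    "com.shop.cart.Cart.add",
    "com.shop.cart.Cart.checkout",
    "com.shop.admin.Users.delete",
}
RECORDINGS = {
    "dast_scan": {"com.shop.auth.Login.submit", "com.shop.cart.Cart.add",
                  "com.shop.cart.Cart.checkout"},
    "manual_test": {"com.shop.auth.Login.submit", "com.shop.auth.Login.reset"},
}

def area(method):
    """Application area = package (assumption): strip class and method name."""
    return method.rsplit(".", 2)[0]

def compare(all_methods, recordings):
    """Return covered methods, cross-test overlap, per-test unique hits, and gaps."""
    # Ignore traced methods outside the known surface (e.g. library code).
    hits = {name: calls & all_methods for name, calls in recordings.items()}
    covered = set().union(*hits.values()) if hits else set()
    overlap = set.intersection(*hits.values()) if hits else set()
    unique = {n: c - set().union(*(o for m, o in hits.items() if m != n))
              for n, c in hits.items()}
    return {"covered": covered, "overlap": overlap,
            "unique": unique, "gaps": all_methods - covered}

def percent_coverage(all_methods, covered):
    """Running tally of coverage, overall and per application area."""
    totals, hit = defaultdict(int), defaultdict(int)
    for m in all_methods:
        totals[area(m)] += 1
        hit[area(m)] += m in covered
    by_area = {a: round(100 * hit[a] / totals[a], 1) for a in totals}
    overall = round(100 * len(covered & all_methods) / len(all_methods), 1) if all_methods else 0.0
    return overall, by_area

if __name__ == "__main__":
    result = compare(ALL_METHODS, RECORDINGS)
    print(percent_coverage(ALL_METHODS, result["covered"]))
    print("overlap:", sorted(result["overlap"]), "gaps:", sorted(result["gaps"]))
```

Areas at 0% (here the constructed `com.shop.admin` package) are the parts of the attack surface that no test reached, which is where tool configuration or additional manual testing should be directed.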
Code Pulse originally supported Java applications and now also supports applications written in .NET. Future enhancements will include support for additional languages and frameworks, and integration with Hybrid Analysis Mapping and vulnerability management tools.