The Application Security Technologies and Metrics (ASTAM) program is a project funded by the U.S. Department of Homeland Security (DHS) Science and Technology Directorate that seeks to improve the security of software by developing and enhancing technologies that support all aspects of the secure software development lifecycle.

The technologies being developed under ASTAM automate techniques used to identify cyber security threats to software applications, improve insight into code testing coverage, make it easier to incorporate AppSec into the software development pipeline, and provide meaningful metrics to security analysts and cyber risk managers about the status, progress, and trends of application security.

The ASTAM program brings automation to the largely manual application security process, developing several technologies as independent capabilities, such as those highlighted below.

ASTAM TECHNOLOGIES

Attack Surface Detector (ASD)

Automated penetration tests are a popular and effective method of identifying exploitable vulnerabilities in an application, but they often suffer from capability gaps that are difficult to overcome with current tools. The most significant problem is that an application’s attack surface is often not fully enumerated before testing, and consequently part of that attack surface goes unexercised.

Currently, unlinked endpoints (those not reachable by following links from the application’s pages, and therefore invisible to a spider) must be identified by manual code review, which is a time-consuming, and therefore expensive, process.

The Attack Surface Detector, developed under the ASTAM program, is a pair of plugins for two widely adopted DAST tools, PortSwigger’s Burp Suite and OWASP ZAP (Zed Attack Proxy). The plugins automatically examine the application’s source code via static analysis, finding hidden or unlinked endpoints and identifying their optional parameters and data types, which most DAST scans miss. This greatly broadens the visible, testable portion of the application’s attack surface and provides the basis for more thorough penetration testing. The newly enumerated surface can then be spidered and tested with Burp Suite or OWASP ZAP, or pen-tested manually. In addition, a command line interface (CLI) version of the Attack Surface Detector was developed that detects endpoints without the DAST tool having to be pointed at an active server or at the source code; the CLI writes the endpoints to a JSON file that can then be imported into Burp and ZAP.

Features

  • Identification of unlinked endpoints

  • Uncovering optional parameters

  • Uncovering parameter data types and names

  • Leveraging the attack surface difference generator to highlight differences between selected versions of your application

  • Automatically generating HTTP requests based on metadata discovered during hybrid analysis

  • Leveraging the Burp and ZAP pen testing tools on ASD-identified endpoints and parameters within a common testing environment

  • Ability to import endpoints from the ASD command line interface (CLI) tool’s output, removing the need to provide direct access to source code

Supported Frameworks

  • Struts

  • Django

  • Ruby on Rails

  • ASP.NET MVC

  • ASP.NET Web Forms

  • JSP/Java Servlets

  • Spring MVC

Benefits

  • Identify attack surface gaps – fills in gaps in the visible attack surface by locating unlinked endpoints that go unobserved during traditional spidering and brute force testing efforts

  • Enhanced parameter detection – identifies optional parameters that could otherwise go unnoticed and may open back-door vulnerabilities in your applications

  • Reduced effort and costs – reducing the manual effort needed to detect attack surface gaps and optional parameters saves time and money

  • Focused penetration testing – directs testing effort at the newly identified attack surface

  • Easy installation – available as an open source project through GitHub, the OWASP ZAP Marketplace and coming soon to the PortSwigger BApp Store

Planned Enhancements

  • PHP support is being added through community collaboration

  • Processing multiple frameworks within the same project

  • Integration of ASD into more automated pen testing pipelines


Code Pulse

Under the ASTAM program, the OWASP Code Pulse tool is undergoing further development that expands its capabilities and language support and greatly enhances its utility.

Code Pulse is an OWASP open-source tool that provides insight into the real-time code coverage of testing activities. During penetration testing, Code Pulse visualizes, in real time, which portions of the attack surface are exercised as the code runs. This greatly enhances visibility into an application’s current security status and helps the testing team identify where their tools’ coverage overlaps and where testing gaps exist. Armed with this information, the security team can accurately and effectively configure their pen testing tools to ensure that the application’s attack surface is exercised as thoroughly as possible. This visibility also allows application security professionals to evaluate their tools’ efficacy for their specific needs.

The code coverage is visualized with an easily understood tree map that displays the application’s attack surface. As tests are conducted, Code Pulse highlights the tree map boxes that correspond to the application methods being called, as reported by a Code Pulse tracer. These traces can be recorded, and multiple test results can be displayed simultaneously, so that different tests can be compared for overlaps and gaps. A simple Percent Coverage column provides a running tally of code coverage, both overall and by application area.

Originally supporting Java applications, it now also supports applications written in .NET. Future enhancements will include support for additional languages and frameworks, and integration with Hybrid Analysis Mapping and vulnerability management tools.

  • Real-time insight – See what code is called, in real time, as a result of your testing activities.

  • Detailed coverage information – See coverage from a high-level overview down to individual methods.

  • Application inventory – Understand the structure and dependencies of the application that you’re testing, right from the Code Pulse interface.

  • Visualizations – See code coverage in a single at-a-glance visual interface.

  • Separate recordings – Keep track of which testing activity executed which parts of the code.

  • Multi-session traces – Record and maintain coverage data over the course of multiple testing sessions.

  • Share/Export – Easily export and share your code coverage with others.

  • Work with any testing tool – Track coverage information regardless of which testing tool you use.

  • Third-party vulnerability identification – Integrate directly with OWASP Dependency Check to automatically get notifications when a third-party dependency has a known vulnerability.

  • Find gaps in your code testing – Code Pulse gives you a visual understanding of how well your tests cover the code and where the gaps are. Even if the tester visited a page, certain critical code paths may not have been triggered. Code Pulse shows exactly which methods were called during testing, letting you understand precisely where the code coverage gaps are.

  • Compare coverage across testing tools – Code Pulse monitors and compares the coverage of automated application penetration testing tools, giving you a visual picture of code coverage overlaps and gaps.

  • Communicate effectively – Coverage activity can be exported and shared with others, helping you use your testing tools more effectively.

  • Tune automated tools – You can monitor automated tool coverage in real time with Code Pulse, which lets you rapidly fine-tune the configuration of your testing tools to achieve the most effective test coverage.


Hybrid Analysis Mapping (HAM)

Hybrid Analysis Mapping combines the results from the two most common types of application security testing tools: static and dynamic application security testing (SAST and DAST). DAST tools examine the running application from the outside in, testing it for vulnerabilities that can be exploited by an attacker. SAST tools examine the code from the inside out, identifying vulnerable sections of source code that can be compromised if not secured. Each has its strengths and weaknesses; SAST tools in particular tend to return lengthy lists of findings that must be reviewed manually, since many are false positives or are otherwise unexploitable from the outside.

Hybrid Analysis uses DAST tools to examine these SAST results, mapping source code vulnerabilities discovered by SAST tools against exploits identified by DAST tools. This allows rapid prioritization: the list of confirmed vulnerabilities is significantly shorter and easier to manage, and its entries represent a much more significant threat than unconfirmed potential vulnerabilities.

The ASTAM project has developed a method by which Hybrid Analysis can be conducted rapidly, automatically, and effectively. This Hybrid Analysis method has been developed to integrate with popular existing correlation engines, such as SWAMP-in-a-Box, Code Dx Enterprise, and ThreadFix.
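The mapping step is illustrated below with an added example written for this page; it is not code from Hybrid Analysis Mapping, the Attack Surface Detector or any of the correlation engines named above. The endpoint-to-source map that an Attack Surface Detector produces is modelled with a constructed record shape, and a SAST finding counts as confirmed only when a DAST hit of the same CWE lands on one of that endpoint’s parameters; a finding with no owning endpoint can never be confirmed from outside and stays in the unconfirmed queue.

```python
"""Added example, not ASTAM project code: correlate SAST findings with DAST
findings through an endpoint-to-source map of the kind an Attack Surface
Detector produces.  Record shapes and all sample data are constructed."""
from typing import NamedTuple

class Endpoint(NamedTuple):
    path: str
    method: str
    source_file: str
    line_start: int  # source range of the handler (constructed shape)
    line_end: int
    params: frozenset

class SastFinding(NamedTuple):
    cwe: str
    source_file: str
    line: int

class DastFinding(NamedTuple):
    cwe: str
    path: str
    method: str
    param: str

# Constructed sample data: three handlers (one unlinked), four SAST findings, two DAST hits.
ENDPOINTS = [
    Endpoint("/login", "POST", "auth/LoginController.java", 20, 60, frozenset({"user", "pass"})),
    Endpoint("/search", "GET", "search/SearchController.java", 10, 40, frozenset({"q"})),
    Endpoint("/admin/export", "GET", "admin/ExportController.java", 5, 30, frozenset({"fmt"})),
]
SAST = [
    SastFinding("CWE-89", "auth/LoginController.java", 42),     # SQL injection in login handler
    SastFinding("CWE-79", "search/SearchController.java", 25),  # XSS in search handler
    SastFinding("CWE-22", "admin/ExportController.java", 12),   # traversal in unlinked handler
    SastFinding("CWE-89", "util/DbHelper.java", 100),           # helper code, no handler range
]
DAST = [DastFinding("CWE-89", "/login", "POST", "user"), DastFinding("CWE-79", "/search", "GET", "q")]

def endpoint_for(finding, endpoints):
    """Return the endpoint whose handler source range contains the finding, else None."""
    return next((e for e in endpoints if e.source_file == finding.source_file
                 and e.line_start <= finding.line <= e.line_end), None)

def correlate(sast, dast, endpoints):
    """Split SAST findings into (confirmed, unconfirmed).  A finding is confirmed when its
    endpoint has a DAST hit of the same CWE on one of that endpoint's parameters."""
    confirmed, unconfirmed = [], []
    for s in sast:
        ep = endpoint_for(s, endpoints)
        hits = [d for d in dast if ep is not None and d.path == ep.path and d.method == ep.method
                and d.cwe == s.cwe and d.param in ep.params]
        (confirmed if hits else unconfirmed).append((s, hits))
    return confirmed, unconfirmed
```

With the constructed data, the two findings reachable through tested parameters are confirmed, while the traversal in the unlinked handler and the helper-class finding remain unconfirmed for manual review.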

Application Security Metrics Dashboard and Reporting

A critical aspect of application security is being able to measure the success of application security testing tools and programs and to report the results and status of analysis outcomes; remediation history, code review records, vulnerability trends, and changes in an application’s security status over time are examples of such analysis. Few tools provide robust options to display metrics and reports, however, which makes tracking and overseeing these details, and analyzing security risks, more difficult.

The ASTAM program has developed a security metrics and reporting dashboard for application vulnerability management systems. This capability helps security practitioners and managers quickly assess their applications’ security statuses, track software vulnerability trends over time, structure and direct resources to where they are needed most, and better understand the effectiveness of their application security policies and procedures to refine them. Metrics captured and displayed include a software risk score, finding counts over time, length of time for findings to be remediated based on severity, types of security issues, and much more.

Automated Dynamic Application Pen Testing (ADAPT)

ADAPT is an open source tool that performs automated application penetration testing for web applications. It is designed to increase the accuracy, speed, repeatability and confidence of penetration testing efforts. It automatically tests for multiple industry-standard OWASP Top 10 vulnerabilities and outputs findings categorized by these potential vulnerabilities.

The ASTAM program has developed software that combines state-of-the-art testing procedures with frequent updates, including new attack vectors. The ASTAM team has developed automated penetration tests based on selected test cases from the OWASP Testing Catalogue. The ADAPT system automatically runs this wide, effective range of tests across multiple testing categories, with better code and vulnerability coverage. These automated dynamic tests are rolled into a single application, which can be inserted into a continuous integration environment.

ThreatVector / Application Threat Modeling

When measuring the strength of an application’s security, it is often useful to identify and model the threats the application is expected to face. This process, known as threat modeling, helps security professionals and developers understand the strengths and weaknesses of their application’s security.

The ASTAM program has developed software that automates this threat modeling process. The software automatically generates security threat models at any point during the software development lifecycle. It breaks down the application’s code to pinpoint architectural vulnerabilities, then creates threats based on existing libraries, such as CAPEC, CWE, and a new Generic Threat Library developed by the ASTAM project.

Future improvements envisioned include security requirements-based threat analysis: decision-making aids designed to provide guidance for security professionals and developers, so that they can develop secure code as they write the application. Each modeled threat will provide further insight and guidance for the development and security teams to reduce the risk from that threat.

All of these functions serve to significantly reduce the cost of the application security process, including requirements, architecture and code reviews, audits, and threat identification.

Pen Testing Automation (PTA)

PTA is a set of open source tools designed to automate, enhance, and simplify dynamic application security testing and to increase its efficiency and repeatability. The software is an extensible pen testing platform with a pluggable architecture that supports automated execution of groups of pen testing tools, allowing testers to run extensive, thorough experiments and tests quickly and efficiently. Pluggable pen testing tools included with the framework are ESM-7, Crydra-16, and Xssmap.

Attack Simulator: Cyber Quantification Framework (CQF)

The Cyber Quantification Framework (CQF) streamlines and automates the design, configuration, and execution of penetration tests within a virtualized environment. CQF abstracts the virtualization details required to set up an automated environment. It can be used for a variety of tasks, including continuous integration, administering several redundant servers, or automating security testing. Using this framework, attack designers no longer have to concern themselves with setting up a virtual environment or administering it.

Effective pen testers understand that repeatability, isolation, and speed are critical. Current platforms require additional layers of abstraction to maintain isolation and repeat attacks, and testers are forced to choose either speed or thoroughness.

CQF removes that layer of abstraction, so pen testers can focus on being thorough and effective, rather than concerning themselves with virtualization and isolation details.

Application Security Testing Orchestration (ASTO)

Robust application security testing processes require running multiple tools—which in turn requires coordination, extensive workflow planning, and significant management effort. The ASTAM program is developing an application security testing orchestration capability, which will automate the workflow of running selected commercial and open source application security testing tools, and provide an interface through which to manage testing activity. Using a distributed Kubernetes architecture, tools—both SAST and DAST—can be run automatically from a separate, unified console. From this central hub, workflows, testing processes, and oversight can be planned, coordinated, and executed from one place.

High-quality application security testing protocols and processes are notoriously difficult, time-consuming, and expensive to manage effectively; by significantly reducing the management and resource burdens, this Application Security Testing Orchestration capability will help development companies adopt a testing program of their own. Once development is complete, the ASTAM program will open-source the orchestration framework with a reference implementation, so that other tools can be added.

Combining Network and Application Vulnerabilities

The ASTAM project is developing a method by which all identified vulnerabilities—both application security (AppSec) and network security (NetSec) vulnerabilities—will be combined into a single, consolidated view. This will help organizations better prioritize critical risks, identify potential threats, increase overall cyber risk awareness, and improve cyber risk management decision making.

Currently, network security and application security are regarded as separate activities, but this is not truly the case. Insecure applications represent threats to networks, and insecure networks represent threats to applications. Therefore, both network and application security professionals have a vested interest in their counterparts’ activity and security.

This technology developed under the ASTAM program will provide organizations the ability to quickly evaluate network and application vulnerabilities from a single consolidated and holistic view, effectively uniting some currently independent AppSec and NetSec activities.

Automated Triage Assistance

The ASTAM program is developing technologies to help developers and analysts manage large volumes of application security test findings. Our goal is to reduce the number of findings that people must review and to sort the most actionable findings to the top of the queue. Today, too many findings that people don’t care about frustrate security testing efforts and consume large amounts of labor.

During the first phase of work, we evaluated and integrated technology into a leading application vulnerability management system that makes it practical to use open source vulnerability scanners in software engineering pipelines. Most open source scanners lack the ability to suppress repeat findings as source code is edited over time. Our technology calculates file differences and uses the information to merge security testing findings across successive scans of a software application. We have demonstrated a 50-90% reduction in the number of findings that developers or analysts have to triage with this technology.
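One way to realise the merge described above, as an added example that is not the ASTAM team’s code: the standard library’s difflib computes a line map between two versions of a file, the earlier scan’s findings are relocated through that map and compared by rule and new line number, and findings whose lines were rewritten or removed are reported as resolved. The file contents and finding records are constructed.

```python
"""Added example, not ASTAM project code: suppress repeat findings across two
scans of a file that was edited between them.  A line map derived from the
source diff relocates the earlier scan's findings into the new file's line
numbers.  Source text and finding records below are constructed."""
import difflib

# Constructed "before" and "after" versions of one module, as line lists.
OLD_SRC = [
    "import os",
    "def run(cmd):",
    "    os.system(cmd)",
    "def read(path):",
    "    return open(path).read()",
]
NEW_SRC = [
    '"""Tool module."""',
    "import os",
    "import subprocess",
    "def run(cmd):",
    "    subprocess.run(cmd, shell=False)",
    "def read(path):",
    "    return open(path).read()",
    "def fetch(url):",
    "    return urllib.request.urlopen(url)",
]
# Constructed scanner output: rule id plus 1-based line number, per scan.
OLD_FINDINGS = [{"rule": "CWE-78", "line": 3}, {"rule": "CWE-22", "line": 5}]
NEW_FINDINGS = [{"rule": "CWE-22", "line": 7}, {"rule": "CWE-918", "line": 9}]

def line_map(old_src, new_src):
    """Map each old 1-based line number to its new one for lines the edit left
    intact; deleted or rewritten lines are absent from the map."""
    matcher = difflib.SequenceMatcher(a=old_src, b=new_src, autojunk=False)
    mapping = {}
    for tag, i1, i2, j1, j2 in matcher.get_opcodes():
        if tag == "equal":
            for k in range(i2 - i1):
                mapping[i1 + k + 1] = j1 + k + 1
    return mapping

def merge_findings(old_findings, new_findings, old_src, new_src):
    """Return (repeats, fresh, resolved): a new finding that coincides with a
    relocated old finding of the same rule is a repeat (already triaged), any
    other new finding is fresh, and an old finding with no counterpart in the
    new scan (its line was rewritten or removed) is resolved."""
    mapping = line_map(old_src, new_src)
    relocated = {(f["rule"], mapping[f["line"]]) for f in old_findings if f["line"] in mapping}
    new_keys = {(f["rule"], f["line"]) for f in new_findings}
    repeats = [f for f in new_findings if (f["rule"], f["line"]) in relocated]
    fresh = [f for f in new_findings if (f["rule"], f["line"]) not in relocated]
    resolved = [f for f in old_findings if (f["rule"], mapping.get(f["line"])) not in new_keys]
    return repeats, fresh, resolved
```

On the constructed input, the path traversal finding shifts from line 5 to line 7 and is suppressed as a repeat, the command injection disappears because its line was rewritten, and only the new SSRF-style finding reaches the triage queue.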

During the second phase of work, currently under development, we are evaluating and implementing technologies to classify and prioritize the actionability of security testing findings. Based on a solid foundation of academic research, the technology employs machine learning to associate properties of findings and the software under test with past triage decisions. Our technology creates models that can then be used to predict the actionability of newly discovered security testing findings.

The ASTAM project aims to eliminate barriers for software development companies to enhance their application security program or software engineering processes. We are confident that these automated triage assistance technologies will reduce some of the most resource-intensive aspects of application security testing.