Application Security Testing Assurance Metrics

2019-01-15T10:54:39+00:00

The Application Security Technologies and Metrics (ASTAM) program is a U.S. Department of Homeland Security (DHS) Science and Technology Directorate funded project that seeks to improve the security of software through the development and enhancement of technologies that support all aspects of the secure software development lifecycle.

The technologies being developed under ASTAM automate techniques used to identify cyber security threats to software applications, improve insight into code testing coverage, make it easier to incorporate AppSec into the software development pipeline, and provide meaningful metrics to security analysts and cyber risk managers about the status, progress, and trends of application security.

The ASTAM program brings automation to the largely manual application security process, developing several technologies as independent capabilities, such as those highlighted below.

ASTAM TECHNOLOGIES

Attack Surface Detector (ASD)

Automated penetration tests are a popular and effective method to identify exploitable vulnerabilities for an application, but often suffer capability gaps that are difficult to overcome with current tools. The most significant problem is that an application’s attack surface is often not fully enumerated prior to testing, and consequently part of that attack surface goes unexercised.

Currently, unlinked endpoints must be identified by manual code review, which is a time-consuming—and therefore expensive—process.

The Attack Surface Detector, developed under the ASTAM program, is a pair of plugins for widely adopted DAST tools, PortSwigger’s Burp Suite and OWASP ZAP (Zed Attack Proxy). These plugins automatically examine the application’s source code via static analysis, finding hidden or unlinked endpoints in the process, and further identifying their optional parameters and data types, which most DAST scans will miss. This greatly broadens the visible, testable portion of the application’s attack surface, providing the basis for more thorough penetration testing. The newly enumerated surface can then be spidered and tested with Burp Suite or OWASP ZAP, or manually pen-tested. In addition, a command line interface (CLI) version of the Attack Surface Detector was developed that provides the ability to detect endpoints without pointing at an active server or source code. Endpoints are output to a JSON file that can then be imported into Burp and ZAP.

Features

  • Identifying unlinked endpoints

  • Uncovering optional parameters

  • Uncovering parameter datatypes and names

  • Leveraging the attack surface difference generator to highlight differences between selected versions of your application

  • Automatically generating HTTP requests based on metadata discovered during hybrid analysis

  • Leveraging Burp and ZAP pen testing tools using ASD identified endpoints and parameters within a common testing environment

  • Ability to import endpoints from the ASD command line interface (CLI) tool output, removing the need to provide direct access to source code

Supported frameworks

  • Struts

  • Django

  • Ruby on Rails

  • ASP.NET MVC

  • ASP.NET Web Forms

  • JSP/Java Servlets

  • Spring MVC

Benefits

  • Identify attack surface gaps – fills in gaps in the visible attack surface by locating unlinked endpoints that go unobserved during traditional spidering and brute force testing efforts

  • Enhanced parameter detection – identifies optional parameters that could go unnoticed which may open back door vulnerabilities in your applications

  • Reduced effort and costs – reduced manual efforts to detect attack surface gaps and optional parameters saves time and money

  • Focus of penetration testing on newly identified attack surfaces

  • Easy installation – available as an open source project through GitHub, the OWASP ZAP Marketplace and coming soon to the PortSwigger BApp Store

Planned enhancements

  • PHP support is being added through community collaboration

  • Process multiple frameworks for the same project

  • Integration of ASD into more automated pen testing pipelines
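As an added illustration (this is example code written for this page, not the ASTAM/ASD code base), the following Python script shows the two ideas described above in miniature for the Spring MVC case: static enumeration of endpoints from source, including each parameter's type and whether it is optional, export of the result as JSON, and an attack-surface diff between two application versions. The controller sources `SPRING_V1`/`SPRING_V2` are constructed samples, and the function names and the handful of annotations recognised (`@RequestMapping`, `@GetMapping` and friends, `@RequestParam`, `@PathVariable`) are assumptions of this example; the real ASD handles far more constructs and frameworks.

```python
"""Added example: minimal static endpoint enumerator for Spring MVC controllers
plus a version-to-version attack surface diff. Not ASD's code; the samples and
the annotation subset handled are assumptions of this example."""
import json
import re
from dataclasses import dataclass, field, asdict

# Constructed sample controller, "version 1" of the application.
SPRING_V1 = '''
@RestController
@RequestMapping("/api")
public class UserController {
    @GetMapping("/users")
    public List<User> list(@RequestParam(value = "page", required = false) Integer page) { ... }

    @PostMapping("/users")
    public User create(@RequestParam String name, @RequestParam(required = false) String role) { ... }
}
'''

# "Version 2": list() gains an optional 'sort' parameter and an admin controller appears.
SPRING_V2 = SPRING_V1.replace(
    "Integer page)", "Integer page, @RequestParam(required = false) String sort)") + '''
@RestController
@RequestMapping("/api")
public class AdminController {
    @DeleteMapping("/users/{id}")
    public void remove(@PathVariable long id, @RequestParam(required = false) boolean force) { ... }
}
'''


@dataclass(frozen=True)
class Param:
    name: str
    type: str
    required: bool


@dataclass
class Endpoint:
    method: str                 # HTTP verb, or ANY for a bare @RequestMapping
    path: str
    params: list = field(default_factory=list)

    def key(self):
        return f"{self.method} {self.path}"


# Class-level @RequestMapping("...") that prefixes every method in the class.
CLASS_RE = re.compile(r'@RequestMapping\s*\(\s*(?:value\s*=\s*)?"([^"]*)"[^)]*\)\s*(?:public\s+)?class\s+\w+')
# Method-level mapping annotation followed by the handler signature; the parameter
# list may contain one level of nested parentheses (annotation arguments).
MAPPING_RE = re.compile(
    r'@(Get|Post|Put|Delete|Patch|Request)Mapping\s*\(\s*(?:value\s*=\s*)?"([^"]*)"[^)]*\)'
    r'\s*(?:public|private|protected)?\s*[\w<>\[\],\s]+?\s+(\w+)\s*\(((?:[^()]|\([^()]*\))*)\)')
# One annotated handler parameter: annotation, optional args, Java type, variable name.
PARAM_RE = re.compile(r'@(RequestParam|PathVariable)(?:\s*\(([^)]*)\))?\s+([\w<>\[\]]+)\s+(\w+)')


def parse_params(signature):
    """Extract request parameters from a handler's parameter list."""
    params = []
    for kind, args, jtype, var in PARAM_RE.findall(signature):
        norm = re.sub(r"\s+", "", args or "")
        m = re.search(r'(?:value|name)="(\w+)"|^"(\w+)"', norm)
        name = (m.group(1) or m.group(2)) if m else var
        # Path variables are always required; request params unless required=false.
        required = kind == "PathVariable" or "required=false" not in norm
        params.append(Param(name, jtype, required))
    return params


def enumerate_endpoints(source):
    """Return the endpoints declared in the given controller source."""
    endpoints = []
    for block in re.split(r'(?=@RestController\b|@Controller\b)', source):
        cm = CLASS_RE.search(block)
        base = cm.group(1).rstrip("/") if cm else ""
        for verb, path, _name, sig in MAPPING_RE.findall(block):
            http = "ANY" if verb == "Request" else verb.upper()
            endpoints.append(Endpoint(http, base + "/" + path.lstrip("/"), parse_params(sig)))
    return endpoints


def to_json(endpoints):
    """Serialise endpoints in a simple JSON shape for import into other tooling."""
    return json.dumps([asdict(e) for e in endpoints], indent=2)


def diff_surface(old, new):
    """Report endpoints and parameters that appeared or disappeared between versions."""
    old_map = {e.key(): e for e in old}
    new_map = {e.key(): e for e in new}
    report = {"added": sorted(k for k in new_map if k not in old_map),
              "removed": sorted(k for k in old_map if k not in new_map),
              "changed": []}
    for k in sorted(old_map.keys() & new_map.keys()):
        old_p = {p.name: p for p in old_map[k].params}
        new_p = {p.name: p for p in new_map[k].params}
        if old_p != new_p:
            report["changed"].append({"endpoint": k,
                                      "params_added": sorted(set(new_p) - set(old_p)),
                                      "params_removed": sorted(set(old_p) - set(new_p))})
    return report


if __name__ == "__main__":
    v1, v2 = enumerate_endpoints(SPRING_V1), enumerate_endpoints(SPRING_V2)
    print(to_json(v2))
    print(json.dumps(diff_surface(v1, v2), indent=2))
```

Running the script prints the version 2 surface as JSON and a diff reporting the new `DELETE /api/users/{id}` endpoint and the new optional `sort` parameter on `GET /api/users`; those are exactly the items a tester would want to focus on, and the optional parameters are the ones a crawler-only DAST run would never see.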
