NORTHPORT, N.Y., Feb. 04, 2019 (GLOBE NEWSWIRE) -- Secure Decisions, a division of Applied Visions, Inc. and a leader in cyber security research, has developed a new application security testing technology, the Attack Surface Detector (ASD), that enhances software penetration testing.
Developed under the Department of Homeland Security Science and Technology Directorate’s multi-year Application Security Technologies and Metrics (ASTAM) program, ASD helps penetration testers by automating discovery of a web application’s hidden endpoints and optional parameters, identifying gaps in an application’s visible attack surface.
Automated penetration testing, a popular method to identify exploitable vulnerabilities in a web application, often fails to identify unlinked endpoints and optional parameters. This leaves untested gaps in an application’s visible attack surface. Relying on manual penetration testing to identify gaps is time-consuming and costly. It does not guarantee complete identification of an application’s attack surface, leaving an application vulnerable despite a pen tester’s best effort to secure it.
The open source ASD plugin tool helps solve this. It is available as a standalone command line interface (CLI) and as plugins for the Burp Suite (from Portswigger) and OWASP ZAP Dynamic Application Securing Testing (DAST) tools. ASD provides a complete picture of a web application’s attack surface by examining the source code via static analysis, finding hidden or unlinked endpoints, and identifying their optional parameters and data types often missed by most DAST scanners. These are then used to pre-seed the Burp Suite and OWASP ZAP scanner tools, making testing faster and more productive.
“A hacker has all the time in the world to poke and prod an application, and only needs to find one vulnerability to compromise sensitive data and leave your application at their mercy,” said Matt DeLetto, Secure Decisions Security Software Engineer. “So, it’s important to thoroughly identify the application’s attack surface. The ASD can help pen testers do just that.”
In a recent case study, CREST-certified penetration testers analyzed the same code base with and without ASD, and compared results. They reported time savings of 4-6 hours compared to the time it would take to perform the task manually.
ASD can detect endpoints in such a way that the owner of the software IP can provide the endpoint information to independent testers without providing the source code for static analysis, protecting their IP while delivering the benefits of a thorough pen test.
The Attack Surface Difference Generator compares different versions of an application and highlights changes in endpoints between the versions, allowing pen testers to focus their testing only on the modified code.
“The value of this tool is clear,” said Brianne O’Brien, Secure Decisions Program Manager for ASTAM. “Reduced pen testing effort through automation and enhanced attack surface coverage equals time and cost savings. Through the ASTAM program we strive to build effective application security tools like ASD that can be used to improve the security posture of web applications, and reduce an organization’s security risk.”
Availability
The ASD plugin is open source and freely available for download from the Portswigger BApp Store, the OWASP ZAP Marketplace, and GitHub:
- https://github.com/secdec/attack-surface-detector-zap
- https://github.com/zaproxy/zap-extensions/releases
- https://github.com/secdec/attack-surface-detector-burp
- https://portswigger.net/bappstore
About the ASTAM Program:
The Application Security Technologies and Metrics (ASTAM) program, funded by the Department of Homeland Security (DHS) Science and Technology Directorate, seeks to improve the security of software through development and enhancement of technologies that support all aspects of the secure software development lifecycle.
ASTAM technologies automate techniques to identify cyber security threats to software applications, improve insight into code testing coverage, make it easier to incorporate AppSec into the software development pipeline, and provide meaningful metrics to security analysts and cyber risk managers about the status, progress, and trends of application security. The program brings automation to the largely manual application security process.
About Secure Decisions:
Secure Decisions, a division of Applied Visions, develops innovative technologies in cyber security, including application security, security education, network defense, and infrastructure protection. Secure Decisions automates manually-intensive security processes and supports analysis and visualization of large amounts of complex security data. Secure Decisions R&D led to development of a new application vulnerability correlation and management system, now commercially available through spin-out Code Dx, Inc.
Karen Higgins
A&E Communications, Inc.
610-831-5723
khiggins@aandecomm.com