The goal of the Department of Homeland Security Science and Technology Directorate’s (S&T) Application Security Threat and Attack Modeling (ASTAM) Project is to produce new methods for analyzing the security of software applications that will make it faster and easier to adopt application security and identify more vulnerabilities. The technologies developed under ASTAM will automate techniques used to identify cybersecurity threats to software applications, improve insight into code coverage, make it easier to incorporate application security (AppSec) practices into the software development lifecycle, and provide meaningful metrics about the status and progress of application security.
The nation’s critical infrastructure (energy distribution, transportation, financial services, etc.) and society itself are largely controlled by software—and that trend is going to continue. That software must remain secure and operational and protect this critical infrastructure from adversaries is an essential part of the DHS mission. AppSec today is primarily reactive, tends to be executed periodically—even though the threat to software systems is continuous—and leaves many vulnerabilities undiscovered (poor vulnerability coverage). Entities trying to adopt AppSec practices often are confronted with thousands of security weaknesses to prioritize. Discerning what to fix first is a daunting and manually intensive task.
This results in delayed remediation, with vulnerabilities in production software remaining undiscovered or unpatched for months, significantly increasing risk to an organization. Even worse, managers have little ability to guide the process of fixing these problems, as management does not have insight into the status of application security, including delays in finding and patching vulnerabilities. This limitation on oversight is yet another bottleneck in the critical AppSec process.
Automation will reduce burdens on resources, further reduce the time to discovery and remediation of vulnerabilities, and offer a way to incorporate AppSec into the development pipeline. Automated discovery of code exercised during penetration testing will improve code coverage and vulnerability prioritization. Actionable reports on the status and progress of application security testing will provide insight and guidance to management, so managers and team leaders can properly direct the AppSec process.
S&T’s ASTAM project will bring automation to the largely manual application security process, providing continuous and scalable monitoring of security and compliance. ASTAM will develop several technologies as independent capabilities, including the following:
- Create Hybrid correlation of static and dynamic application security tests to reduce false-positives, identify highest priority vulnerabilities and expose attack surfaces;
- Automate pre-seeding of Dynamic Application Security Testing (DAST) penetration testing tools to provide a more complete picture of a web application’s attack surface;
- Automate threat modeling to rapidly identify application design weaknesses and assess new threats;
- Automate penetration testing within automatically constructed, safe virtual environments;
- Automate code coverage analysis for use in real-time penetration testing for automatic detection and visualization of coverage information while tests are being conducted;
- Advance application security testing orchestration—a unified management interface for automating the workflow of Static Application Security Testing (SAST) and DAST tools;
- Automate triage assistant that accelerates human-intensive application security triage through the use of machine learning;
- Develop unified dashboards for presentation of application security metrics, statuses and trends; and
- Combine network and application security vulnerabilities into a single consolidated view to inform cybersecurity risk assessment.
Secure Decisions (Prime): Applied Visions Inc., Secure Decisions Division (dba Secure Decisions) is the prime contractor for ASTAM. Secure Decisions is the overall technical lead for ASTAM and leads the Hybrid Analysis and Mapping activity with the Denim Group, supports Denim in the DAST pre-seeding technical area, supports AITEK in the Attack Threat Modeling (ATM) technical area, supports Siege Technologies in the attack automation technical area, and leads the application security metrics analysis, reporting and visual presentation technical area.
The Denim Group: The Denim Group’s primary focus is on hybrid analysis, building on the Hybrid Analysis and Mapping (HAM) capability it developed under a previous DHS contract. The company is expanding SAST and DAST support to include additional languages and frameworks and increasing reliability and accuracy of existing functionality. Denim also has developed a pre-seeding DAST penetration tool capability that helps to increase the testing coverage of a web application.
AITEK, Inc.: AITEK focuses on the ATM element of ASTAM. It is working to develop a web-based framework to describe applications, capture their metadata, vulnerabilities and other attributes, and identify potential attacks and which lines of source code a hacker likely will target.
Siege Technologies: Siege Technologies focuses on the attack simulation and automation elements of ASTAM. Its objective is to provide organizations the ability to continuously conduct penetration testing and application red-teaming throughout the software development lifecycle. Working with Secure Decisions, the company is open-sourcing an automated penetration testing capability and automating the testing for eight security tests recommended by the Open Web Application Security Project.
The following open-source tools developed by the ASTAM project:
ASTAM Correlator: A vulnerability consolidation and management tool, the ASTAM Correlator enhances scan results by merging different instances of the same weakness across multiple static/dynamic scans.
Pen Test Automation (PTA): The PTA is a framework for automating penetration testing using a plugin-based architecture.
ESM-7: ESM-7 is a convenience wrapper around the sqlmap SQL injection tool that enhances its automation processes.
Crydra-16: Crydra is a convenience wrapper around the Hydra brute force password cracking tool that enhances the tool’s automation.
Xssmap: An intelligent XSS detection tool, Xssmap uses human techniques to identify reflected cross-site scripting (XSS) vulnerabilities.