Secure Decisions, a division of Applied Visions, Inc. and a leader in cyber security research, has developed a new application security testing technology, the Attack Surface Detector (ASD), that enhances software penetration testing.
Developed under the Department of Homeland Security Science and Technology Directorate’s multi-year Application Security Technologies and Metrics (ASTAM) program, ASD helps penetration testers by automating discovery of a web application’s hidden endpoints and optional parameters, identifying gaps in an application’s visible attack surface.
Automated penetration testing, a popular method to identify exploitable vulnerabilities in a web application, often fails to identify unlinked endpoints and optional parameters. This leaves untested gaps in an application’s visible attack surface. Relying on manual penetration testing to identify gaps is time-consuming and costly. It does not guarantee complete identification of an application’s attack surface, leaving an application vulnerable despite a pen tester’s best effort to secure it.
The open source ASD plugin tool helps solve this. It is available as a standalone command line interface and as plugins for the Burp Suite (from PortSwigger) and OWASP ZAP Dynamic Application Security Testing (DAST) tools. ASD provides a complete picture of a web application’s attack surface by examining the source code via static analysis, finding hidden or unlinked endpoints, and identifying their optional parameters and data types, which most DAST scanners miss. These findings are then used to pre-seed the Burp Suite and OWASP ZAP scanners, making testing faster and more productive.
“A hacker has all the time in the world to poke and prod an application, and only needs to find one vulnerability to compromise sensitive data and leave your application at their mercy,” said Matt DeLetto, Secure Decisions Security Software Engineer. “So, it’s important to thoroughly identify the application’s attack surface. The ASD can help pen testers do just that.”
In a recent case study, CREST-certified penetration testers analyzed the same code base with and without ASD, and compared results. They reported time savings of 4-6 hours compared to the time it would take to perform the task manually.
ASD can detect endpoints in such a way that the owner of the software IP can provide the endpoint information to independent testers without providing the source code for static analysis, protecting their IP while delivering the benefits of a thorough pen test.
The Attack Surface Difference Generator compares different versions of an application and highlights changes in endpoints between the versions, allowing pen testers to focus their testing only on the modified code.
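To make the two ideas above concrete, endpoint discovery from source and an endpoint difference between versions, here is an added illustration that is not ASD's own code; the page does not describe ASD's parsers, supported frameworks or output format, so the sample Spring-MVC-style controllers, the regex-based extraction, the seed-request format and every function name below are assumptions constructed for this example. It inventories each route annotation with its parameters and whether they are optional, renders scanner seed requests (so optional parameters get exercised rather than missed), and diffs two versions so a tester can focus on added, removed or changed endpoints.

```python
"""Toy attack-surface inventory and version diff (illustrative, not ASD code)."""
import re
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Constructed sample controllers (hypothetical application, two versions).
SOURCE_V1 = '''
@RequestMapping("/api")
public class UserController {
    @GetMapping("/users")
    public List<User> list(@RequestParam(required = false) String role) { return null; }

    @GetMapping("/users/{id}")
    public User get(@PathVariable long id) { return null; }

    @PostMapping("/users")
    public User create(@RequestBody User user) { return null; }
}
'''

# Version 2 adds an unlinked admin endpoint and an optional parameter; no UI links to either.
SOURCE_V2 = SOURCE_V1.replace(
    "public User get(@PathVariable long id)",
    "public User get(@PathVariable long id, @RequestParam(required = false) boolean verbose)",
).replace("}\n'", '''    @DeleteMapping("/admin/purge")
    public void purge(@RequestParam String token) { }
}
''' + "'") if False else SOURCE_V1.replace(
    "public User get(@PathVariable long id)",
    "public User get(@PathVariable long id, @RequestParam(required = false) boolean verbose)",
).rstrip().rstrip("}") + '''    @DeleteMapping("/admin/purge")
    public void purge(@RequestParam String token) { }
}
'''


@dataclass(frozen=True)
class Param:
    name: str
    java_type: str
    kind: str        # "query", "path" or "body"
    required: bool


Endpoint = Tuple[str, str]                 # (HTTP method, full path)
Surface = Dict[Endpoint, Tuple[Param, ...]]

_CLASS_PREFIX = re.compile(r'@RequestMapping\("([^"]*)"\)')
_METHOD_MAPPING = re.compile(r'@(Get|Post|Put|Delete|Patch)Mapping\("([^"]*)"\)')
_PARAM = re.compile(
    r'(?:@(RequestParam|PathVariable|RequestBody)(\(([^)]*)\))?\s*)?([\w<>\[\]]+)\s+(\w+)\s*$'
)


def _balanced(src: str, start: int) -> str:
    """Return the text inside the parenthesis group that opens at src[start]."""
    depth = 0
    for i in range(start, len(src)):
        if src[i] == "(":
            depth += 1
        elif src[i] == ")":
            depth -= 1
            if depth == 0:
                return src[start + 1:i]
    raise ValueError("unbalanced parentheses")


def _split_params(text: str) -> List[str]:
    """Split a Java parameter list on commas that are not nested inside an annotation."""
    parts, depth, cur = [], 0, ""
    for ch in text:
        if ch == "(":
            depth += 1
        elif ch == ")":
            depth -= 1
        if ch == "," and depth == 0:
            parts.append(cur)
            cur = ""
        else:
            cur += ch
    parts.append(cur)
    return [p.strip() for p in parts if p.strip()]


def _parse_param(decl: str) -> Param:
    """Turn '@RequestParam(required = false) String role' into a Param record."""
    m = _PARAM.search(decl.strip())
    if not m:
        raise ValueError(f"cannot parse parameter: {decl!r}")
    ann, _, ann_args, jtype, name = m.groups()
    kind = {"PathVariable": "path", "RequestBody": "body"}.get(ann, "query")
    # Spring treats a parameter as mandatory unless required=false is given.
    required = not (ann_args and re.search(r"required\s*=\s*false", ann_args))
    alias = re.search(r'(?:value|name)\s*=\s*"([^"]*)"', ann_args or "")
    return Param(alias.group(1) if alias else name, jtype, kind, required)


def extract_surface(java_src: str) -> Surface:
    """Static pass over one controller: collect (METHOD, path) -> parameters."""
    prefix_m = _CLASS_PREFIX.search(java_src)
    prefix = prefix_m.group(1).rstrip("/") if prefix_m else ""
    surface: Surface = {}
    for m in _METHOD_MAPPING.finditer(java_src):
        sig_open = java_src.index("(", java_src.index("public", m.end()))
        params = tuple(_parse_param(p) for p in _split_params(_balanced(java_src, sig_open)))
        surface[(m.group(1).upper(), prefix + m.group(2))] = params
    return surface


def seed_requests(surface: Surface) -> List[str]:
    """Render endpoints as request templates a DAST scanner could be seeded with."""
    out = []
    for (method, path), params in sorted(surface.items()):
        query = "&".join(f"{p.name}=<{p.java_type}>" for p in params if p.kind == "query")
        body = ",".join(f"{p.name}:<{p.java_type}>" for p in params if p.kind == "body")
        line = f"{method} {path}" + (f"?{query}" if query else "")
        if body:
            line += f"  body={{{body}}}"
        out.append(line)
    return out


def diff_surface(old: Surface, new: Surface) -> Dict[str, List[Endpoint]]:
    """Endpoints added, removed, or whose parameter set changed between two versions."""
    return {
        "added": sorted(set(new) - set(old)),
        "removed": sorted(set(old) - set(new)),
        "changed": sorted(ep for ep in set(old) & set(new) if old[ep] != new[ep]),
    }


if __name__ == "__main__":
    v1, v2 = extract_surface(SOURCE_V1), extract_surface(SOURCE_V2)
    print("\n".join(seed_requests(v2)))
    print(diff_surface(v1, v2))
```

The diff output is what a tester would use to scope a retest: the unlinked `DELETE /api/admin/purge` and the new optional `verbose` parameter would never appear in a crawl of the UI, yet both show up from the source pass.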
“The value of this tool is clear,” said Brianne O’Brien, Secure Decisions Program Manager for ASTAM. “Reduced pen testing effort through automation and enhanced attack surface coverage equals time and cost savings. Through the ASTAM program we strive to build effective application security tools like ASD that can be used to improve the security posture of web applications, and reduce an organization’s security risk.”