Application Security Testing (*AST) is a cornerstone of secure software development or a Security Development Life Cycle (SDLC). To improve the efficiency and effectiveness of security testing, we research hybrid approaches: combining dynamic, static, and interactive testing as well as testing of hybrid applications.

Application Security Testing

Static Application Security Testing (SAST) and Dynamic Application Security Testing (DAST), as well as, more recently, Interactive Application Security Testing (IAST) and Runtime Application Self-Protection (RASP), are widely used to improve the security of software products [1]. In fact, they are a cornerstone of a comprehensive security testing strategy [2]. While, in the context of HOL-TestGen, we work on (formal) model-based security testing approaches, we also work on more applied Dynamic and Static Code Analysis (DASCA) topics. In particular, we research hybrid application security testing approaches. Here, hybrid refers both to combining static, dynamic, and interactive security testing approaches and to approaches that target the security of hybrid or polyglot applications (i.e., applications written in multiple programming languages). As another line of research, and as a key enabler for successful software security programs in SecDevOps and Cloud-development scenarios, we are interested in approaches combining application security testing and runtime self-protection.


A first prototypical implementation of our analysis for hybrid Android apps is available as free software in our git repository.

Important Publications

A. D. Brucker and U. Sodan, “Deploying static application security testing on a large scale,” in GI sicherheit 2014, Mar. 2014, vol. 228, pp. 91–101.
R. Bachmann and A. D. Brucker, “Developing secure software: A holistic approach to security testing,” Datenschutz und Datensicherheit (DuD), vol. 38, no. 4, pp. 257–261, Apr. 2014, doi: 10.1007/s11623-014-0102-0.
M. Felderer, M. Büchler, M. Johns, A. D. Brucker, R. Breu, and A. Pretschner, “Security testing: A survey,” Advances in Computers, vol. 101, pp. 1–51, Mar. 2016, doi: 10.1016/bs.adcom.2015.11.003.
A. D. Brucker and M. Herzberg, “On the static analysis of hybrid mobile apps: A report on the state of apache cordova nation,” in International symposium on engineering secure software and systems (ESSoS), J. Caballero and E. Bodden, Eds. Heidelberg: Springer-Verlag, 2016, pp. 72–88. doi: 10.1007/978-3-319-30806-7_5.
S. Dashevskyi, A. D. Brucker, and F. Massacci, “A screening test for disclosed vulnerabilities in FOSS components,” IEEE Trans. Software Eng., vol. 45, no. 10, pp. 945–966, Oct. 2019, doi: 10.1109/TSE.2018.2816033.