<!DOCTYPE article PUBLIC "-//NLM//DTD JATS (Z39.96) Journal Archiving and Interchange DTD v1.0 20120330//EN" "JATS-archivearticle1.dtd">
<article xmlns:xlink="http://www.w3.org/1999/xlink">
  <front>
    <journal-meta />
    <article-meta>
      <title-group>
        <article-title>of Application Security Testing</article-title>
      </title-group>
      <contrib-group>
        <contrib contrib-type="author">
          <string-name>Abdul Razaque</string-name>
          <email>a.razaque@edu.iitu.kz</email>
          <xref ref-type="aff" rid="aff0">0</xref>
        </contrib>
        <contrib contrib-type="author">
          <string-name>Saule Amanzholova</string-name>
          <email>s.amanzholova@iitu.edu.kz</email>
          <xref ref-type="aff" rid="aff0">0</xref>
        </contrib>
        <contrib contrib-type="author">
          <string-name>Amir Akimbayev</string-name>
          <xref ref-type="aff" rid="aff0">0</xref>
        </contrib>
        <contrib contrib-type="author">
          <string-name>Emil Kovalenko</string-name>
          <email>kovv.emil@gmail.com</email>
          <xref ref-type="aff" rid="aff0">0</xref>
        </contrib>
        <contrib contrib-type="author">
          <string-name>Dilnaz Ashimzhanova</string-name>
          <email>ashimzhanova00@mail.ru</email>
          <xref ref-type="aff" rid="aff0">0</xref>
        </contrib>
        <aff id="aff0">
          <label>0</label>
          <institution>International Information Technology University</institution>
          ,
          <addr-line>Manas St. 34/1, Almaty, 050040</addr-line>
          ,
          <country country="KZ">Kazakhstan</country>
        </aff>
      </contrib-group>
      <abstract>
        <p>The main objective of this scientific work was to apply the theoretical and practical knowledge gained during university study to the development of a system for application security testing (AST). Statistical data were collected on which products of this type are present on the world market and on the market of Kazakhstan, the security of banks' web resources was analysed, and more. To achieve this goal, available resources on the algorithms of static and dynamic analysis were studied, and similar products from foreign vendors that are actively used in Kazakhstan banks were piloted. Libraries and tools such as Django, Libsast, Bandit, Semgrep and other dependencies were used. During the work, a corporate-level web application was developed that scans and analyses the repository of an uploaded application and displays statistics, a summary of the vulnerabilities found and methods for resolving them in a single JSON format. The work is aimed at implementation in the banks of the Republic of Kazakhstan, for use by security departments and in code review.</p>
      </abstract>
    </article-meta>
  </front>
  <body>
    <sec id="sec-1">
      <title>1. Introduction</title>
      <p>
        The relevance. The entry point for attackers is the application, and each application has vulnerabilities in
the cases we currently observe. Companies waste money on ineffective pentest audits and, instead of those,
order a system that can find and resolve all vulnerabilities. Even the
largest companies have poor quality and security of source code [
        <xref ref-type="bibr" rid="ref1">1</xref>
        ].
      </p>
      <p>The scientific novelty. Existing approaches based on manual auditing are outdated, whereas
static-code AST is the most modern way to do this. This product adheres to modern application security
standards and allows the functionality to be flexibly customized for the task set by the company, for the
platform on which the product will be used, and for integration tools. Only a few vendors offer tools for
static code analysis. Adding a static scanner to a development pipeline is easy to implement and provides
feedback on potential problems.</p>
      <p>
        The prepared scientific work from our team is aimed at testing application security, but we don't want
to limit ourselves to SAST or any other single kind of AST. We want to present a product close to ASTO, Application
Security Testing Orchestration. The main goal of this scientific work is to provide comprehensive
protection by scanning applications for vulnerabilities, starting with static scanning and ending with
other types of scanning. Integration with the software development life cycle gives the product the needed
efficiency; it also includes analytics of the scans [
        <xref ref-type="bibr" rid="ref2">2</xref>
        ]. The process of testing code is delegated to modules,
starting from SAST: static scanning of code for vulnerabilities by white-box testing, in which the source code is
scanned by parsers and scanners. SAST is a very old and stable type of scan, and it takes responsibility
for undeclared capabilities. Our SAST employs predetermined rules, such as coding errors in the
source code that must be corrected. The idea of SAST is to scan the code, not to start or run it. Use of
open-source vulnerability databases increases efficiency over time: for example, if some critical
vulnerability appears in the world and starts to infect computers, our solution sends an update to the
servers to find and eliminate this type of vulnerability, or uses WAF, IDS or IPS systems to close the
gateway before the vulnerability can be used to attack the system, so it is an update, upgrade and control system
[
        <xref ref-type="bibr" rid="ref3">3</xref>
        ].
      </p>
      <p>Proceedings of the 7th International Conference on Digital Technologies in Education, Science and Industry (DTESI 2022), October 20-21, 2022. Copyright for this paper by its authors.</p>
      <p>At the final stage, a system engine will be used that works through the list of vulnerabilities to find false
positives and delegate them. It will be very useful for security officers who do not have much time to
look at each vulnerability every time.</p>
      <p>
        The advantage of a scientific work product that is not confined to one method of scanning applications will
give it an edge in Kazakhstan and worldwide against other big solutions on the market. In comparison with
other products, it will be more efficient and offer more possibilities to defend applications, by the fact
that it is a complex solution that a customer can buy and be confident in the security of their applications [
        <xref ref-type="bibr" rid="ref4">4</xref>
        ].
      </p>
    </sec>
    <sec id="sec-2">
      <title>3. Technical implementation</title>
      <p>
        In addition to the main Django library, two libraries for regex-based pattern matching were used:
Libsast and Bandit. To implement semantic analysis, the Semgrep libraries were used, which can
only be used in a Linux environment [
        <xref ref-type="bibr" rid="ref5">5</xref>
        ]. For them, various rules were written independently
that meet the standards of current vulnerabilities such as Log4J, NPM, etc.
      </p>
      <p>In order to ensure the smooth operation of users from the very beginning, it was necessary to design
the login screen as intuitively as possible. This screen is usually the first step for the user when getting
acquainted with the product, moreover, security is important when authenticating users.</p>
      <p>
        The user interface has been designed to be user-friendly. The initial login page uses two-factor
authentication and offers no possibility of self-registration (determined by internal security protection
purposes); in this case a regulated number of accesses is issued under the product license. The 2FA
application Google Code Authenticator works perfectly and correctly reads the
generated tokens corresponding to those generated on the server. In the case of corporate product
development, there is input field validation, which first of all gives the user a convenient start with
the platform [
        <xref ref-type="bibr" rid="ref6">6</xref>
        ].
      </p>
      <p>
        The EternalSec user interface looks and works in a way familiar to most users. The navigation
structure on the left makes it easier to move around the platform, and for more user-friendly functionality
the ability to switch to dark mode has been developed [
        <xref ref-type="bibr" rid="ref7">7</xref>
        ]. The top panel displays information about
the workspace or task selected in the left panel. Multiple users can simultaneously access the user
interface through web browsers. In the same system-wide database, users have access to the same
information details. The permissions granted to each user control access to tasks and objects.
      </p>
      <p>The home page can save the mode that the user prefers in a session variable. The view switches the
mode that the user wants to use; in turn, the binding tag references this view to switch the CSS mode.
The user's theme is saved in localStorage, and every time the page loads, JS code runs that sets
the CSS of the user's choice. To use the default theme, the information is stored in cookies, which allows
Django to deliver pages with the right theme instead of relying on JS speed [
        <xref ref-type="bibr" rid="ref8">8</xref>
        ].</p>
      <sec id="sec-2-1">
        <p>The Analytics section allows you to see basic statistics for all scans and compare the results of the analysis of the most common vulnerabilities:</p>
        <p>1. See the list — the most recent five scans are displayed, followed by a link to the Scans page,
which contains the full list of scans;
2. View statistics of the number of scans, taking statuses of the average value for all past scans;
3. The number of vulnerabilities (taking into account the level of criticality);
4. View the load while scanning web applications to account for half connections in case of
a failure.</p>
        <p>The Overview page provides the following information:
• Scan duration;
• Repository diagram in the form of a hierarchical tree;
• A diagram with the number of vulnerabilities of each level of criticality in the scan;
• Navigation menu.</p>
        <p>
          The vulnerabilities tab contains extended information about them, including default parameters
(CWE, id, description, severity) and classifications as links to the relevant items in the CWE, HIPAA, FSTEC
database, OWASP, CWE/SANS Top 25 and PCI DSS, with the processed file shown on the right side [
          <xref ref-type="bibr" rid="ref9">9</xref>
          ].
        </p>
        <p>
          The report page allows the user to export the data in the most readable form (.json); it was also taken
into account that internal security teams most often use files of this type to load them into SIEM
systems and scan signatures with machine code [
          <xref ref-type="bibr" rid="ref10">10</xref>
          ].
        </p>
        <p>The about section provides a timeline and general information about the beginning of product
development, and planned updates, so the user is always aware of the current status of the product.</p>
        <p>ASTO starts a SAST scan at the request of the user from the web interface. Users send the source code of the
application as a file in ZIP or RAR format, with other information, for example a name and a link to a git repository.</p>
        <p>On the server side, it takes this source code archive and adds it to our database field (“FileField”), and creates a
new repository with a new scan. The status function here tracks the status of scanning to show
it in the user interface. Using zip libraries, it unpacks the archive into the src path so the source code is available in the needed
format.</p>
        <p>
          By using a thread function, the application can run the scanning function in a daemon thread, so
the scanning process runs in parallel; this has technical requirements, but it gives the best
efficiency of the functionality [
          <xref ref-type="bibr" rid="ref11">11</xref>
          ]. The libraries that helped to build the scanner were Bandit, Libsast,
Semgrep and JSON.
        </p>
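        <p>As an added example (not code from the paper or the EternalSec product), the upload, unpack and daemon-thread scan described above, with a status the interface can poll. The status names and the stand-in scanner are assumptions of this example; the zip check refuses any entry that would be written outside the extraction directory, so a crafted archive fails the scan instead of writing files elsewhere on the server.</p>

```python
import os
import tempfile
import threading
import zipfile

# Hypothetical status values: the paper only says a status function tracks the
# scan for the UI, so these names are an assumption of this example.
QUEUED, RUNNING, DONE, FAILED = "queued", "running", "done", "failed"


def safe_extract(zip_path, dest_dir):
    """Unpack an upload, rejecting entries that resolve outside dest_dir (zip-slip)."""
    dest = os.path.realpath(dest_dir)
    extracted = []
    with zipfile.ZipFile(zip_path) as zf:
        for member in zf.infolist():
            target = os.path.realpath(os.path.join(dest, member.filename))
            if os.path.commonpath([dest, target]) != dest:
                raise ValueError("archive entry escapes target dir: " + member.filename)
            zf.extract(member, dest)
            extracted.append(member.filename)
    return extracted


class ScanJob:
    """One scan: unpack, run scanner(src_dir) in a daemon thread, expose status."""

    def __init__(self, zip_path, work_dir, scanner):
        self.zip_path, self.work_dir, self.scanner = zip_path, work_dir, scanner
        self.status, self.result, self.error = QUEUED, None, None
        self._finished = threading.Event()

    def _run(self):
        self.status = RUNNING
        try:
            src_dir = os.path.join(self.work_dir, "src")
            os.makedirs(src_dir, exist_ok=True)
            safe_extract(self.zip_path, src_dir)
            self.result = self.scanner(src_dir)
            self.status = DONE
        except Exception as exc:  # an error must not leave the UI stuck on "running"
            self.error, self.status = str(exc), FAILED
        finally:
            self._finished.set()

    def start(self):
        threading.Thread(target=self._run, daemon=True).start()
        return self

    def wait(self, timeout=None):
        self._finished.wait(timeout)
        return self.status


def demo(entries):
    """Build a constructed upload.zip from {name: content}, scan it, return (status, result, error)."""
    work_dir = tempfile.mkdtemp()
    zip_path = os.path.join(work_dir, "upload.zip")
    with zipfile.ZipFile(zip_path, "w") as zf:
        for name, content in entries.items():
            zf.writestr(name, content)

    def count_py(src_dir):  # stand-in for the bandit/libsast invocation
        return sum(f.endswith(".py") for _, _, fs in os.walk(src_dir) for f in fs)

    job = ScanJob(zip_path, work_dir, count_py).start()
    job.wait(10)
    return job.status, job.result, job.error
```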
        <p>
          The Libsast library uses a pattern matcher to find vulnerabilities, which makes it possible to scan source code in any
language, and to extend its functionality it uses Python regex rule patterns to create custom patterns [
          <xref ref-type="bibr" rid="ref12">12</xref>
          ].
Many popular scanners nowadays are based on the libsast library, for instance njsscan, MobSF, etc.
The results of libsast are based on a regex test of the given source code; it shows the matched lines, position and file
path, and the results can be fully customized by different options. It uses JSON format to output findings.
        </p>
        <p>The Bandit library finds security vulnerabilities only in Python code, but it can be modified to increase
the number of supported languages. Using the os system package helps to start a scan, track the
process, and check the conditions that you should pay attention to. The results of Bandit are based on a test
of the abstract syntax tree of the given source code; it shows the matched lines, position, file path, level of confidence,
severity, etc. It uses JSON format to output findings. Users see the results in the web interface in the
vulnerabilities section, with the source code in the right-hand grid in a code window. Using the reports section, users or
analysts can download reports in JSON format from the response to the request, with the name of the scan
in the file name.</p>
        <p>Parser eternalsec_json was developed to use results from libraries in the product, and to add new
features.</p>
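        <p>As an added example of the parser step (not the paper's own eternalsec_json code), the following normalizes Bandit's JSON output and a libsast pattern_matcher result into one dictionary-based structure and builds the single JSON report described above. The samples are constructed, the libsast layout is approximated from its pattern_matcher output, and the unified keys and the severity mapping are assumptions.</p>

```python
import json

# Constructed sample in the shape of `bandit -f json` output (abridged).
BANDIT_SAMPLE = json.dumps({"results": [
    {"filename": "app/util.py", "line_number": 12, "test_id": "B605",
     "issue_severity": "HIGH", "issue_confidence": "HIGH", "issue_cwe": {"id": 78},
     "issue_text": "Starting a process with a shell, possible injection detected."},
    {"filename": "app/util.py", "line_number": 3, "test_id": "B404",
     "issue_severity": "LOW", "issue_confidence": "HIGH", "issue_cwe": {"id": 78},
     "issue_text": "Consider possible security implications of subprocess."}]})

# Constructed sample approximating libsast's pattern_matcher output; the rule
# metadata keys (cwe, description, severity) come from the custom rule file.
LIBSAST_SAMPLE = json.dumps({"pattern_matcher": {"hardcoded_token": {
    "files": [{"file_path": "app/settings.py", "match_lines": [7, 7],
               "match_position": [1, 40], "match_string": "TOKEN = 'xyz'"}],
    "metadata": {"cwe": "CWE-798", "description": "Hard-coded credential",
                 "severity": "WARNING"}}}})

# Each tool has its own severity vocabulary; map both onto one scale (assumed).
SEVERITY = {"HIGH": "high", "MEDIUM": "medium", "LOW": "low",
            "ERROR": "high", "WARNING": "medium", "INFO": "low"}


def _finding(tool, rule_id, cwe, description, severity, path, line):
    # One entry of the unified structure (an assumed eternalsec-style dictionary).
    return {"tool": tool, "id": rule_id, "cwe": cwe, "description": description,
            "severity": SEVERITY.get(str(severity).upper(), "unknown"),
            "file_path": path, "line": line}


def normalize_bandit(raw_json):
    out = []
    for r in json.loads(raw_json).get("results", []):
        cwe = r.get("issue_cwe") or {}
        out.append(_finding("bandit", r["test_id"], "CWE-%s" % cwe.get("id", "?"),
                            r["issue_text"], r["issue_severity"],
                            r["filename"], r["line_number"]))
    return out


def normalize_libsast(raw_json):
    out = []
    for rule_id, rule in json.loads(raw_json).get("pattern_matcher", {}).items():
        meta = rule.get("metadata", {})
        for f in rule.get("files", []):
            out.append(_finding("libsast", rule_id, meta.get("cwe", "?"),
                                meta.get("description", rule_id), meta.get("severity", ""),
                                f["file_path"], f["match_lines"][0]))
    return out


def build_report(scan_name, *sources):
    """Merge per-tool findings into one dictionary with counts by severity."""
    findings = [f for src in sources for f in src]
    summary = {}
    for f in findings:
        summary[f["severity"]] = summary.get(f["severity"], 0) + 1
    return {"scan": scan_name, "summary": summary, "findings": findings}


def report_json(scan_name, *sources):
    # The single JSON document the report page serves for download.
    return json.dumps(build_report(scan_name, *sources), indent=2)
```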
      </sec>
      <sec id="sec-2-2">
        <p>The vulnerability structure is shown in Figure 13. It is based on Python dictionaries.</p>
      </sec>
    </sec>
    <sec id="sec-3">
      <title>4. Conclusion</title>
      <p>In conclusion, to summarize the development of the ASTO scientific work: a web-based
information system and functions were created that scan applications for information security issues,
show how to resolve issues and vulnerabilities, determine the level and criticality of the application,
and form a complex solution for customers.</p>
      <p>In the technical part, a lot of work has been done to develop this product: various frameworks have
been used, such as Django, tools such as various packages, and libraries such as libsast, bandit and semgrep. More
than 2-3 thousand lines of code have been written. Own rules for static and semantic analysis were
written without being tied to a specific programming language, which makes this product
cross-platform and allows it to be deployed both on Windows and Linux. The web interface also complies
with all modern UI/UX design standards, providing a pleasant user experience and rich functionality.
Existing resources have been extended by adding the necessary checks for their functionality.</p>
      <p>This enterprise-level product is recommended for use in security departments of banks, regulators,
as well as in integrator companies and software developers. Since this product is a modular orchestrator,
it will be easy to customize it to the needs of the company, as well as integrate it into any stage of the
development process.</p>
      <p>As a result, we have a product that has assembled all the necessary things to ensure the information
security of an application, and whose economic efficiency is very positive. In the future, this product
can compete with the current market leaders.</p>
    </sec>
  </body>
  <back>
    <ref-list>
      <ref id="ref1">
        <mixed-citation>[1] Vaadata, Pentest statistics and most frequent vulnerabilities. URL: https://www.vaadata.com/blog/pentest-statistics-and-most-frequent-vulnerabilities/.</mixed-citation>
      </ref>
      <ref id="ref2">
        <mixed-citation>[2] Ranking.kz, Information security incident statistics, January 2021. URL: http://ranking.kz/ru/a/infopovody/kolichestvo-kiberatak-v-kazahstane-uvelichilos-pochti-v-3-raza-do-3-tysyach-incidentov-90-iz-nih-prihoditsya-na-botnety.</mixed-citation>
      </ref>
      <ref id="ref3">
        <mixed-citation>[3] Imperva, Application Security Testing, 2021. URL: https://www.imperva.com/learn/applicationsecurity/application-securitytesting/#:~:text=Application%20security%20testing%20(AST)%20is,started%20as%20a%20manual%20process.</mixed-citation>
      </ref>
      <ref id="ref4">
        <mixed-citation>[4] J. Garbajosa, X. Wang, Myths and Facts About Static Application Security Testing Tools: An Action Research at Telenor Digital (2018) 24-48.</mixed-citation>
      </ref>
      <ref id="ref5">
        <mixed-citation>[5] P. Johnson, What You Need To Know About Application Security Testing Orchestration, December 10, 2020. URL: https://www.mend.io/resources/blog/asto-application-security-testingorchestration/.</mixed-citation>
      </ref>
      <ref id="ref6">
        <mixed-citation>[6] C. Nabe, Impact of COVID-19 on Cybersecurity, 2021. URL: https://www2.deloitte.com/ch/en/pages/risk/articles/impact-covid-cybersecurity.html.</mixed-citation>
      </ref>
      <ref id="ref7">
        <mixed-citation>[7] PT Application Inspector, official description. URL: https://www.ptsecurity.com/ruru/products/ai/.</mixed-citation>
      </ref>
      <ref id="ref8">
        <mixed-citation>[8] SonarQube, official description. URL: https://www.sonarqube.org/.</mixed-citation>
      </ref>
      <ref id="ref9">
        <mixed-citation>[9] Solar appScreener, official description. URL: https://rt-solar.ru/products/solar_appscreener/.</mixed-citation>
      </ref>
      <ref id="ref10">
        <mixed-citation>[10] HCL AppScan, official description. URL: https://www.hcltech.com/brochures/software/hclappscan-standard.</mixed-citation>
      </ref>
      <ref id="ref11">
        <mixed-citation>[11] Profit.kz, The number of cyberattacks in the Republic of Kazakhstan increased by 20% over the year, 8 July 2021. URL: https://profit.kz/news/61600/Kolichestvo-kiberatak-v-RK-viroslo-na-20-za-god/.</mixed-citation>
      </ref>
      <ref id="ref12">
        <mixed-citation>[12] ZAO Deloitte &amp; Touche CIS, Cyber risk assessment in banks of Kazakhstan by Deloitte on forum “Making an Impact That Matters”, June 2021.</mixed-citation>
      </ref>
    </ref-list>
  </back>
</article>