The relevance. The entry level of attackers is the application. Each application has vulnerability in cases that we are currently observed. Companies waste money on ineffective Pentest audits, which aren't effective, against which they order a system that can find and resolve all vulnerabilities. Even the largest companies have poor quality and security of source code [1].
The scientific novelty. The existing approaches through the use of manual auditing are too outdated, but the approach of Static Code AST is the most modern way to do this. This product will adhere to modern application security standards, as well as be able to flexibly customize the functionality for the task set by the company and the platform on which this product will be used, and integration tools. There are only a few vendors offer tools for static code analysis tools. It's easy to implement, to add a static scanner to your development pipeline and provide feedback on a potential problem.
The prepared scientific work from our team is aimed at testing application security, but we don't want to limit ourselves to SAST, or other AST. We want to present a product near to ASTO -Application security testing orchestration. Main goal of this scientific work is to provide a comprehensive protection by scanning applications for vulnerabilities, starting from static scanning, and ending with other types of scanning. Integration with software development life cycle gives needed efficiency of product, it also includes analytics of the scans. [2] Process of testing code will be delegated by modules starting from SAST -static scanning code on vulnerabilities by white box testing, source code will be scanned by parsers, and scanners. SAST, it's a very old and stable type of scan, it takes responsibility for undeclared possibilities. Our SAST will employ predetermined rules, such as coding errors in the source code that must be corrected. Idea of SAST is to scan but not to start or run it. Use of opensource vulnerabilities databases will increase efficiency, and time by time, for example if some critical vulnerability will born into world, and start to infect all computers, our solution will send update to servers to find and destroy this type of vulnerabilities, or use WAF, IDS, IPS system to close this gateway before vulnerability can be used to hack to system, so it's update, upgrade and control system [3].
At the final stage a system engine will be used that will work by list of vulnerabilities to find false positives and delegate them. It will be very useful for security officers who have not so much time to look at each vulnerability every time.
Profit of a scientific work product that is not framed by method of scanning application, will give effort in Kazakhstan, and worldwide against other big solutions in the market. Against comparison of other product, it will have more efficiency and more possibilities to defense scientific work by the fact that it's complex solution that customer can buy and be sure about security safety of applications [4].
In addition to the main Django library, also used two libraries for the regex-based pattern matching -Libsast and Bandit. To implement the semantic analysis, the Semgrep libraries were used, which can only be used in the Linux environment [5]. For them, self-written various rules were independently written that meet the standards of modern actual vulnerabilities such as Log4J, NPM, etc. In order to ensure the smooth operation of users from the very beginning, it was necessary to design the login screen as intuitively as possible. This screen is usually the first step for the user when getting acquainted with the product, moreover, security is important when authenticating users.
The user interface has been designed to be user-friendly. The initial login page uses two-factor authentication and without the possibility of registration (determined by internal security protection purposes) in this case, using the product license, a regulated number of accesses is issued. The 2FA application of Google Code Authenticator works perfectly and it correctly uses the reading of the generated tokens corresponding to the generation on the server. In the case of corporate product development, there is a field input check, which will give the user, first of all, a convenient start with the platform [6].
The EternalSec user interface looks and works as familiar to most users. The navigation step structure on the left makes it easier to move inside the platform, for a more user-friendly functionality, the ability to switch to dark-mode has been developed [7]. The top panel displays information about the workspace or task selected in the left panel. Multiple users can simultaneously access the user interface through web browsers. In the same system-wide database, users have access to the same information details. The permissions provided to each user control access to tasks and objects. The home page can save the mode that the user prefers in a session variable. The view switches the mode that the user wants to use -in turn, the binding tag references this view to switch the css mode. Saving the user's theme in localStorage and every time the page loads, js-code is launched, which sets the css of the user's choice. To use the default theme, the information is stored in cookies and allows Django to deliver pages with the right theme instead of relying on js speed [8].
The Analytics section allows you to see basic statistics for all scans and compare the results of the analysis of the most common vulnerabilities. The about section provides a timeline and general information about the beginning of product development, and planned updates, so the user is always aware of the current status of the product.
ASTO starts SAST scan by request of the user from the web interface. Users send source code of file in ZIP, RAR format, with other information, for example, name, link to a git repository.
As a server, it takes this source code zip and adds it to our database field -"FileField", and creates a new repository, with a new scan. The status function here needs to track the status of scanning to show it to the user interface. Using zip libraries, it unpacks the src path to see the source code in the needed format.
By using thread function, the application can do scanning function in the thread with the daemon, the process of scanning is in parallel, it needs technical requirements for that, but it gives the best efficiency of the functionality [11]. Libraries that helped to build the scanner were: Bandit, Libsast, Semgrep, JSON.
In conclusion, to summarize the development of the ASTO scientific work, a web-based information system, and functions were created that will scan applications for information security, show how to solve issues and vulnerabilities, and determine the level and criticality of the application and be complex to customers.
In the technical part, a lot of work has been done to develop this product, various frameworks have been used like Django, tools like various packages, and libraries like libsast, bandit, and semgrep. More than 2-3 thousand lines of code have been written. Own rules for static and semantic analysis were written without being tied to a specific programming language, which makes this product crossplatform and allows it to be deployed both on Windows and Linux. The web interface also complies with all modern UI/UX design standards, providing a pleasant user experience and rich functionality. Existing resources have been extended by adding the necessary checks for their functionality.
This enterprise-level product is recommended for use in security departments of banks, regulators, as well as in integrator companies and software developers. Since this product is a modular orchestrator, it will be easy to customize it to the needs of the company, as well as integrate it into any stage of the development process.
As a result, we have a product that has assembled all the necessary things to ensure the information security of an application, and which economic efficiency is very positive. In the future, this product can compete with the current market leaders.