Development System of Application Security Testing

Abdul Razaque, Saule Amanzholova, Amir Akimbayev, Emil Kovalenko, and Dilnaz Ashimzhanova
International Information Technology University, Manas St. 34/1, Almaty, 050040, Kazakhstan

Abstract
The objective of this work was to apply the theoretical and practical knowledge gained at the university to the development of a system for application security testing (AST). Statistics were collected on which products of this type are present on the world market and on the market of Kazakhstan, the security of banks' web resources was analysed, and more. To this end, available material on the algorithms behind static and dynamic analysis was studied, and comparable products from foreign vendors, which are actively used in Kazakhstan's banks, were piloted. The work uses libraries and tools such as Django, Libsast, Bandit and Semgrep, among other dependencies. A corporate-level web application was developed that scans and analyses the repository of an uploaded application and then displays statistics and a summary of the vulnerabilities found, together with remediation advice, in a single JSON format. The work is intended for deployment in the banks of the Republic of Kazakhstan, for use by security departments and in code review.

Keywords
AST, SAST, DAST, Django, Libsast, Bandit, code review, Semgrep, JSON

1. Introduction
Relevance. The application is the attacker's entry point. Every application we currently observe has vulnerabilities. Companies spend money on penetration-test audits that prove ineffective, and then order a system that can find and resolve all vulnerabilities. Even the largest companies have poor source-code quality and security [1].

Scientific novelty.
Existing approaches based on manual auditing are outdated; static-analysis AST is the most modern way to do this. The product adheres to current application security standards, and its functionality can be flexibly adapted to the task set by the company, to the platform on which it will run, and to the integration tools in use. Only a few vendors offer tools for static code analysis. Adding a static scanner to a development pipeline is easy to implement and provides feedback on potential problems.

Proceedings of the 7th International Conference on Digital Technologies in Education, Science and Industry (DTESI 2022), October 20-21, 2022, Almaty, Kazakhstan
EMAIL: a.razaque@edu.iitu.kz (Abdul Razaque); s.amanzholova@iitu.edu.kz (Saule Amanzholova); 25106@edu.iitu.kz (Amir Akimbayev); kovv.emil@gmail.com (Emil Kovalenko); ashimzhanova00@mail.ru (Dilnaz Ashimzhanova)
ORCID: 0000-0003-0409-3526 (Abdul Razaque); 0000-0002-6779-9393 (Saule Amanzholova)
© 2022 Copyright for this paper by its authors. Use permitted under Creative Commons License Attribution 4.0 International (CC BY 4.0).
CEUR Workshop Proceedings (CEUR-WS.org)

2. Main part
The work prepared by our team is aimed at testing application security, but we do not want to limit ourselves to SAST or any other single type of AST. We want to present a product close to ASTO, application security testing orchestration. The main goal of this work is to provide comprehensive protection by scanning applications for vulnerabilities, starting from static scanning and ending with other types of scanning. Integration with the software development life cycle gives the product the needed efficiency; the product also includes analytics of the scans [2]. Testing of the code is delegated to modules, starting with SAST: static white-box scanning of the code for vulnerabilities, in which the source code is processed by parsers and scanners.
SAST is a very old and stable type of scanning; it is responsible for finding undeclared capabilities. Our SAST employs predetermined rules, for example coding errors in the source code that must be corrected. The idea of SAST is to scan the code without building or running it. Using open-source vulnerability databases increases efficiency over time: if, for example, a new critical vulnerability appears and starts to spread, our solution sends an update to the servers so that this class of vulnerability can be found and eliminated, or a WAF, IDS or IPS can be used to close the gateway before the vulnerability is exploited; it is thus an update, upgrade and control system [3].

Figure 1: Mechanism of SAST analysis

At the final stage a system engine works through the list of vulnerabilities to identify false positives and delegate them. This is very useful for security officers who do not have the time to look at each vulnerability every time. The advantage of a product that is not tied to a single method of scanning applications is that it can compete in Kazakhstan and worldwide against the other large solutions on the market. Compared with other products it is more efficient and offers more possibilities, because it is a complete solution that a customer can buy and be confident about the security of their applications [4].

3. Technical implementation
In addition to the main Django library, two further libraries were used: Libsast, for regex-based pattern matching, and Bandit, which checks Python code on its abstract syntax tree. For semantic analysis the Semgrep library was used, which at the time could only be run in a Linux environment [5]. For these tools, custom rules were written that target current vulnerability classes, for example Log4J and npm package issues.
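A stand-alone check of the kind that the B105 hardcoded_password_string rule of Figure 2 performs, added here as an example; it is neither the EternalSec code nor Bandit's own implementation. It uses the Python standard-library ast module instead of Bandit's plugin API so that it runs on its own, and the name regex and the constructed sample file are assumptions of this example. The point a reviewer should take from it is why an AST check beats a regex here: the literal assigned to DB_PASSWORD is reported, but the value read from os.environ on the next line is not, even though both lines contain the word "password".

```python
"""AST-based check for hard-coded password strings, modelled on Bandit's B105.

Added example, not the EternalSec code and not Bandit's implementation.
The stdlib `ast` module replaces Bandit's plugin API so the check runs
stand-alone; the name regex below is an assumption, not a copy of Bandit's.
"""
import ast
import re

# Assumed name pattern: variable or keyword names that usually hold secrets.
SECRET_NAME = re.compile(r"(pass(word|phrase|wd)?|pwd|secret|token|api_?key)", re.I)


def _name_of(node):
    """Readable target name for Name/Attribute nodes (x, self.x), else None."""
    if isinstance(node, ast.Name):
        return node.id
    if isinstance(node, ast.Attribute):
        return node.attr
    return None


def _is_str(node):
    """True for a non-empty string literal (ast.Constant, Python 3.8+)."""
    return isinstance(node, ast.Constant) and isinstance(node.value, str) and node.value != ""


class HardcodedPasswordVisitor(ast.NodeVisitor):
    def __init__(self, filename):
        self.filename = filename
        self.findings = []

    def _report(self, node, name, value):
        # Field names follow Bandit's JSON output; B105 is LOW severity, MEDIUM confidence.
        self.findings.append({
            "test_id": "B105",
            "test_name": "hardcoded_password_string",
            "filename": self.filename,
            "line_number": node.lineno,
            "col_offset": node.col_offset,
            "issue_severity": "LOW",
            "issue_confidence": "MEDIUM",
            "issue_text": f"Possible hardcoded password: '{value}' assigned to '{name}'",
        })

    def visit_Assign(self, node):
        # password = "hunter2"  /  self.pwd = "x"  /  a = b = "x"
        if _is_str(node.value):
            for target in node.targets:
                name = _name_of(target)
                if name and SECRET_NAME.search(name):
                    self._report(node, name, node.value.value)
        self.generic_visit(node)

    def visit_AnnAssign(self, node):
        # api_key: str = "..."
        if node.value is not None and _is_str(node.value):
            name = _name_of(node.target)
            if name and SECRET_NAME.search(name):
                self._report(node, name, node.value.value)
        self.generic_visit(node)

    def visit_Compare(self, node):
        # if password == "letmein": ...
        name = _name_of(node.left)
        if name and SECRET_NAME.search(name):
            for comp in node.comparators:
                if _is_str(comp):
                    self._report(node, name, comp.value)
        self.generic_visit(node)

    def visit_Call(self, node):
        # connect(host, password="s3cret")
        for kw in node.keywords:
            if kw.arg and SECRET_NAME.search(kw.arg) and _is_str(kw.value):
                self._report(node, kw.arg, kw.value.value)
        self.generic_visit(node)


def scan_source(source, filename="<string>"):
    """Parse `source` and return B105-style findings as a list of dicts."""
    visitor = HardcodedPasswordVisitor(filename)
    visitor.visit(ast.parse(source, filename))
    return visitor.findings


# Constructed sample input (not a real repository); only parsed, never executed.
SAMPLE = '''
import os
DB_PASSWORD = "hunter2"            # hard-coded literal: reported
api_key: str = "sk-live-123"       # annotated assignment: reported
password = os.environ["DB_PASS"]   # read from the environment: not reported
def check(password):
    if password == "letmein":      # comparison against a literal: reported
        return True
connect("db", password="s3cret")   # keyword argument: reported
'''

if __name__ == "__main__":
    import json
    print(json.dumps(scan_source(SAMPLE, "settings.py"), indent=2))
```

Run on the constructed sample it reports four findings (lines 3, 4, 7 and 9) and stays silent on line 5, which is exactly the distinction a regex such as the one in Figure 2's libsast rules cannot make.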
Figure 2: Example of the B105 hardcoded_password_string custom rule in Bandit
Figure 3: Example of the autoescape-disabled custom rule in Semgrep

To ensure smooth operation from the very first use, the login screen had to be designed as intuitively as possible. This screen is usually the user's first step in getting acquainted with the product, and security matters when authenticating users. The user interface was designed to be user-friendly. The initial login page uses two-factor authentication and offers no self-registration (for internal security reasons): a regulated number of accounts is issued under the product licence. Google Authenticator is used as the 2FA application; it reads the generated codes correctly, and they match the codes generated on the server. As befits a corporate product, input fields are validated, which above all gives the user a convenient start with the platform [6]. The EternalSec user interface looks and behaves in a way familiar to most users. The step-by-step navigation structure on the left makes it easier to move around the platform, and a dark mode has been added for convenience [7]. The top panel displays information about the workspace or task selected in the left panel. Multiple users can access the interface simultaneously through their web browsers; since they share a single system-wide database, they see the same information. The permissions granted to each user control access to tasks and objects.

Figure 4: Dark/Light modes

The home page can save the mode the user prefers in a session variable. A view switches the mode the user wants to use, and the template tag bound to this view switches the CSS mode.
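The server side of the two-factor login described above, added here as an example that is not the EternalSec code. Google Authenticator implements TOTP (RFC 6238): the app and the server share a base32 secret, and the server recomputes the code for the current 30-second step. The window of one step either side, the 6-digit length and the replay check are design choices of this example rather than settings stated in the paper; the RFC 6238 reference secret is used as constructed input so the values can be checked against the RFC's test vectors.

```python
"""TOTP (RFC 6238) verification of the kind behind an authenticator-app login.

Added example, not the EternalSec code. Assumptions: 30-second step, 6 digits,
HMAC-SHA1 (Google Authenticator defaults), a +/-1 step drift window, and a
last-used-step record so an intercepted code cannot be replayed.
"""
import base64
import hashlib
import hmac
import struct
import time

STEP = 30      # seconds per time step
DIGITS = 6     # code length shown by the app
WINDOW = 1     # accept step-1, step, step+1 to tolerate clock drift


def hotp(secret, counter, digits=DIGITS):
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, dynamic truncation."""
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def decode_secret(b32):
    """Authenticator apps display the secret in base32, often unpadded and spaced."""
    clean = b32.replace(" ", "").upper()
    clean += "=" * (-len(clean) % 8)
    return base64.b32decode(clean)


def totp(b32_secret, at=None):
    """Code for the time step containing `at` (seconds since epoch; default now)."""
    at = int(time.time()) if at is None else at
    return hotp(decode_secret(b32_secret), at // STEP)


def verify_totp(b32_secret, code, last_used_step=-1, at=None):
    """Return (ok, step). The caller stores `step` as the user's new last_used_step,
    so the same code is rejected if it is submitted a second time."""
    at = int(time.time()) if at is None else at
    key = decode_secret(b32_secret)
    current = at // STEP
    for step in range(current - WINDOW, current + WINDOW + 1):
        if step <= last_used_step:              # already consumed: reject replay
            continue
        if hmac.compare_digest(hotp(key, step), code):   # constant-time comparison
            return True, step
    return False, last_used_step


# Constructed input: the RFC 6238 reference secret "12345678901234567890" in base32.
RFC_SECRET = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"

if __name__ == "__main__":
    print(totp(RFC_SECRET, at=59))   # 287082, the 6-digit form of the RFC 6238 vector
```

The verify routine returns the step it matched rather than a bare boolean; persisting that step per user is what turns a code that is merely time-limited into one that is single-use, and the drift window should be kept small because every extra step accepted is another code an attacker may submit.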
The user's theme is saved in localStorage, and on every page load JavaScript code runs that applies the CSS of the user's choice. For the default theme the information is stored in a cookie, which allows Django to deliver pages with the right theme already applied instead of relying on the speed of the JavaScript [8].

The Analytics section lets the user see basic statistics for all scans and compare the results of analysis of the most common vulnerabilities.

Figure 5: Dashboard page
1. List: the five most recent scans are displayed, followed by a link to the Scans page, which contains the full list of scans;
2. Scan statistics: the number of scans and the average status over all past scans;
3. The number of vulnerabilities, broken down by criticality level;
4. The load during scanning of web applications, to account for half-open connections in case of a failure.

The Overview page provides the following information:
• Scan duration;
• Repository diagram in the form of a hierarchical tree;
• A diagram with the number of vulnerabilities of each criticality level in the scan;
• Navigation menu.

Figure 6: Scan information

The Vulnerabilities tab contains extended information about each finding: the default parameters (CWE, id, description, severity) and classifications as links to the relevant items in CWE, HIPAA, the FSTEC database, OWASP, CWE/SANS Top 25 and PCI DSS, with the processed file displayed on the right-hand side [9].

Figure 7: Scan vulnerabilities list

The Report page lets the user download the data in the most readable form (.json); it was also taken into account that internal security teams most often use files of this type to ingest findings into SIEM systems and to scan for signatures by machine [10].

Figure 8: About
Figure 9: Start scan structure

The About section provides a timeline and general information about the start of product development and planned updates, so the user is always aware of the current status of the product.
ASTO starts a SAST scan at the user's request from the web interface. The user uploads the source code as a ZIP or RAR archive, together with other information such as the name and a link to the git repository. The server stores the archive in a FileField in the database and creates a new repository with a new scan. A status function tracks the progress of the scan so that it can be shown in the user interface. Using the zip libraries, the server unpacks the archive into the src path so that the source code is available in the required form. Using the threading module, the application runs the scan in a daemon thread, so scanning proceeds in parallel; this places demands on the hardware, but it gives the best efficiency [11]. The libraries used to build the scanner were Bandit, Libsast, Semgrep and JSON.

Figure 10: Libsast structure

The Libsast library uses a pattern matcher to find vulnerabilities, which allows it to scan source code in any language; to extend its functionality it uses Python regex rule patterns, from which custom patterns can be created [12]. Many popular scanners today are based on Libsast, for instance njsscan and MobSF. Libsast results are based on a regex test of the given source code and report the matched lines, position and file path; the results can be fully customized through different options. It outputs findings in JSON format.

Figure 11: Bandit structure

The Bandit library finds security vulnerabilities only in Python code, although it can be modified to support further languages. The os package is used to start a scan, track the process and check the conditions that deserve attention. Bandit results are based on tests over the abstract syntax tree of the given source code and report the matched lines, position, file path, confidence level, severity, etc. It outputs findings in JSON format.
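The upload-unpack-scan-status pipeline described above, added here as an example that is not the EternalSec code. The scanning step is a minimal libsast-style regex matcher with an assumed two-rule set (in the product the real scanners are called at that point), and the uploads are constructed in memory. The caveat this step needs is the extraction: an uploaded archive is attacker-controlled, and a member named ../outside.txt must not be written outside the scan directory, so every member path is resolved and checked against the destination before anything is written.

```python
"""Upload handling for a SAST scan: safe extraction of an untrusted ZIP, then a
regex pattern scan in a daemon thread with a tracked status.

Added example, not the EternalSec code. RULES is an assumed libsast-style rule
set; the archives at the bottom are constructed test input.
"""
import io
import json
import os
import re
import tempfile
import threading
import zipfile


class UnsafeArchive(Exception):
    """Raised when a member would be written outside the scan directory (zip slip)."""


def safe_extract(zip_bytes, dest):
    """Extract only members that resolve inside `dest`; reject absolute and ../ paths."""
    dest = os.path.realpath(dest)
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            name = info.filename
            target = os.path.realpath(os.path.join(dest, name))
            inside = target == dest or target.startswith(dest + os.sep)
            if os.path.isabs(name) or not inside:
                raise UnsafeArchive(f"member escapes scan directory: {name!r}")
            if name.endswith("/"):
                os.makedirs(target, exist_ok=True)
                continue
            os.makedirs(os.path.dirname(target), exist_ok=True)
            with zf.open(info) as src, open(target, "wb") as dst:
                dst.write(src.read())
    return dest


# Assumed rule set in libsast's spirit: rule id -> (regex, severity).
RULES = {
    "hardcoded_secret": (re.compile(r"(?i)(password|secret(_key)?|api_key)\s*=\s*['\"][^'\"]+['\"]"), "HIGH"),
    "subprocess_shell": (re.compile(r"subprocess\.\w+\(.*shell\s*=\s*True"), "MEDIUM"),
}


def pattern_scan(root):
    """libsast-style findings: rule id, relative file path, matched line and text."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for fname in files:
            path = os.path.join(dirpath, fname)
            with open(path, "r", encoding="utf-8", errors="replace") as fh:
                for lineno, line in enumerate(fh, 1):
                    for rule_id, (rx, severity) in RULES.items():
                        m = rx.search(line)
                        if m:
                            findings.append({"rule_id": rule_id, "severity": severity,
                                             "file_path": os.path.relpath(path, root),
                                             "match_lines": [lineno],
                                             "match_string": m.group(0)})
    return findings


class Scan:
    """Runs extraction and scanning in a daemon thread; status is queued/running/finished/failed."""

    def __init__(self, zip_bytes):
        self.zip_bytes = zip_bytes
        self.status = "queued"
        self.result = None      # JSON text, as the product stores it
        self.error = None
        self._thread = threading.Thread(target=self._run, daemon=True)

    def start(self):
        self.status = "running"
        self._thread.start()
        return self

    def wait(self, timeout=None):
        self._thread.join(timeout)
        return self.status

    def findings(self):
        return json.loads(self.result)["findings"] if self.result else []

    def _run(self):
        try:
            with tempfile.TemporaryDirectory() as src:      # the scan's src path
                findings = pattern_scan(safe_extract(self.zip_bytes, src))
            self.result = json.dumps({"findings": findings}, indent=2)
            self.status = "finished"
        except Exception as exc:                            # UnsafeArchive, BadZipFile, ...
            self.error = str(exc)
            self.status = "failed"


def make_zip(members):
    """Build an in-memory ZIP from {name: text} (constructed test input)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, text in members.items():
            zf.writestr(name, text)
    return buf.getvalue()


# Constructed uploads: an ordinary repository, and one carrying a traversal member.
GOOD_UPLOAD = make_zip({"app/settings.py": 'SECRET_KEY = "abc"\nDEBUG = True\n',
                        "app/run.py": "subprocess.call(cmd, shell=True)\n"})
EVIL_UPLOAD = make_zip({"../outside.txt": "escaped\n"})

if __name__ == "__main__":
    scan = Scan(GOOD_UPLOAD).start()
    print(scan.wait(), scan.result)
    bad = Scan(EVIL_UPLOAD).start()
    print(bad.wait(), bad.error)
```

The failed status is reported to the user like any other outcome, but nothing from the rejected archive has touched the filesystem; the same check should be applied before handing the unpacked tree to Bandit or Semgrep, since those tools trust whatever paths they are pointed at.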
Users see the results in the Vulnerabilities section of the web interface, with the source code shown in a code window in the right-hand grid. In the Reports section, users or analysts can download a JSON report; the response carries the scan name as the file name. The parser eternalsec_json was developed to consume the results from the libraries in the product and to add new features.

Figure 12: Parser structure
Figure 13: JSON structure

The vulnerability structure is shown in Figure 13. It is based on Python dictionaries.

4. Conclusion
To summarize the development of the ASTO project: a web-based information system and its functions were created that scan applications for information-security problems, show how to fix the issues and vulnerabilities found, determine the level and criticality of the application, and offer customers a complete solution. A great deal of technical work went into the product: the Django framework, various packages, and the libsast, bandit and semgrep libraries were used, and more than 2-3 thousand lines of code were written. Our own rules for static and semantic analysis were written without being tied to a specific programming language, which makes the product cross-platform and allows it to be deployed on both Windows and Linux. The web interface complies with modern UI/UX design standards, providing a pleasant user experience and rich functionality. Existing resources were extended by adding the checks needed for their functionality. This enterprise-level product is recommended for use in the security departments of banks and regulators, as well as by integrator companies and software developers. Since the product is a modular orchestrator, it is easy to adapt to a company's needs and to integrate at any stage of the development process.
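A normalizer in the role of eternalsec_json, added here as an example and not the product's own parser. It maps the two tool outputs described in the previous section into one vulnerability dictionary, de-duplicates findings that two tools report at the same location, and produces the summary counts the dashboard needs. Both input documents are constructed; their field names are what this example assumes from Bandit's JSON formatter (a results list with test_id, filename, line_number, issue_severity, issue_confidence, issue_text and issue_cwe) and from libsast's pattern_matcher output (rule id to files and metadata). The unified schema is this example's own choice, since the paper states only that the structure is based on Python dictionaries.

```python
"""Normalize Bandit and libsast JSON into one vulnerability structure.

Added example, not the EternalSec eternalsec_json parser. Input field names
are assumptions about the two tools' JSON formats; the unified schema and the
severity mapping are this example's own choices. Inputs are constructed.
"""
import json

# Bandit uses HIGH/MEDIUM/LOW; libsast metadata uses error/warning/info.
SEVERITY = {"HIGH": "high", "MEDIUM": "medium", "LOW": "low",
            "ERROR": "high", "WARNING": "medium", "INFO": "low"}
RANK = {"high": 0, "medium": 1, "low": 2, "unknown": 3}


def _finding(tool, rule_id, path, line, severity, description, cwe=None, confidence=None):
    """One vulnerability in the unified structure (a plain dict, as in Figure 13)."""
    return {
        "id": f"{tool}:{rule_id}:{path}:{line}",
        "tool": tool, "rule_id": rule_id, "file": path, "line": line,
        "severity": SEVERITY.get(str(severity).upper(), "unknown"),
        "confidence": confidence, "cwe": cwe, "description": description,
    }


def from_bandit(report):
    """Bandit JSON: {"results": [{test_id, filename, line_number, issue_severity, ...}]}."""
    out = []
    for r in report.get("results", []):
        cwe = r.get("issue_cwe") or {}
        out.append(_finding("bandit", r["test_id"], r["filename"], r["line_number"],
                            r["issue_severity"], r["issue_text"],
                            cwe=cwe.get("id"),
                            confidence=(r.get("issue_confidence") or "").lower() or None))
    return out


def from_libsast(report):
    """libsast JSON: {"pattern_matcher": {rule_id: {"files": [...], "metadata": {...}}}}."""
    out = []
    for rule_id, hit in report.get("pattern_matcher", {}).items():
        meta = hit.get("metadata", {})
        for f in hit.get("files", []):
            for line in sorted(set(f.get("match_lines", []))):   # start/end pairs collapse
                out.append(_finding("libsast", rule_id, f["file_path"], line,
                                    meta.get("severity", "info"), meta.get("description", ""),
                                    cwe=meta.get("cwe")))
    return out


def merge(*finding_lists):
    """De-duplicate on (file, line, rule) and order by severity, then location."""
    seen, merged = set(), []
    for f in (x for lst in finding_lists for x in lst):
        key = (f["file"], f["line"], f["rule_id"])
        if key not in seen:
            seen.add(key)
            merged.append(f)
    merged.sort(key=lambda f: (RANK[f["severity"]], f["file"], f["line"]))
    return merged


def summary(findings):
    """Counts per criticality level, as shown on the dashboard."""
    counts = {"high": 0, "medium": 0, "low": 0, "unknown": 0}
    for f in findings:
        counts[f["severity"]] += 1
    return counts


# Constructed tool outputs (not from a real scan).
BANDIT_JSON = {"results": [
    {"test_id": "B105", "test_name": "hardcoded_password_string", "filename": "app/settings.py",
     "line_number": 12, "issue_severity": "LOW", "issue_confidence": "MEDIUM",
     "issue_text": "Possible hardcoded password: 'hunter2'",
     "issue_cwe": {"id": 259, "link": "https://cwe.mitre.org/data/definitions/259.html"}},
    {"test_id": "B602", "test_name": "subprocess_popen_with_shell_equals_true", "filename": "app/run.py",
     "line_number": 7, "issue_severity": "HIGH", "issue_confidence": "HIGH",
     "issue_text": "subprocess call with shell=True identified",
     "issue_cwe": {"id": 78, "link": "https://cwe.mitre.org/data/definitions/78.html"}},
]}
LIBSAST_JSON = {"pattern_matcher": {
    "django_debug_true": {
        "files": [{"file_path": "app/settings.py", "match_lines": [3, 3],
                   "match_position": [0, 12], "match_string": "DEBUG = True"}],
        "metadata": {"cwe": "CWE-489", "severity": "warning", "description": "Django DEBUG enabled"}},
}}


def report():
    """The single JSON document the Reports page would serve for this scan."""
    findings = merge(from_bandit(BANDIT_JSON), from_libsast(LIBSAST_JSON))
    return {"summary": summary(findings), "vulnerabilities": findings}


if __name__ == "__main__":
    print(json.dumps(report(), indent=2))
```

Keeping the tool name and the original rule id in every record is what lets an analyst trace a unified finding back to the scanner that produced it, and the de-duplication key deliberately ignores severity so that a regex rule and an AST rule firing on the same line are shown once.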
As a result, we have a product that brings together everything needed to ensure the information security of an application, and whose economic efficiency is very positive. In the future this product can compete with the current market leaders.

5. References
[1] URL: https://www.vaadata.com/blog/pentest-statistics-and-most-frequent-vulnerabilities/.
[2] Ranking.kz, Information security incident statistics, January 2021. URL: http://ranking.kz/ru/a/infopovody/kolichestvo-kiberatak-v-kazahstane-uvelichilos-pochti-v-3-raza-do-3-tysyach-incidentov-90-iz-nih-prihoditsya-na-botnety.
[3] Imperva, Application Security Testing, 2021. URL: https://www.imperva.com/learn/application-security/application-security-testing/#:~:text=Application%20security%20testing%20(AST)%20is,started%20as%20a%20manual%20process.
[4] J. Garbajosa, X. Wang, Myths and Facts About Static Application Security Testing Tools: An Action Research at Telenor Digital (2018) 24-48.
[5] P. Johnson, What You Need To Know About Application Security Testing Orchestration, December 10, 2020. URL: https://www.mend.io/resources/blog/asto-application-security-testing-orchestration/.
[6] C. Nabe, Impact of COVID-19 on Cybersecurity, 2021. URL: https://www2.deloitte.com/ch/en/pages/risk/articles/impact-covid-cybersecurity.html.
[7] PT Application Inspector, official description. URL: https://www.ptsecurity.com/ru-ru/products/ai/.
[8] SonarQube, official description. URL: https://www.sonarqube.org/.
[9] Solar appScreener, official description. URL: https://rt-solar.ru/products/solar_appscreener/.
[10] HCL AppScan, official description. URL: https://www.hcltech.com/brochures/software/hcl-appscan-standard.
[11] Profit.kz, The number of cyberattacks in the Republic of Kazakhstan increased by 20% over the year, 8 July 2021. URL: https://profit.kz/news/61600/Kolichestvo-kiberatak-v-RK-viroslo-na-20-za-god/.
[12] ZAO Deloitte & Touche CIS, Cyber risk assessment in banks of Kazakhstan, presented by Deloitte at the forum "Making an Impact That Matters", June 2021.