Testability Patterns for Web Applications - a new OWASP project


Authors: Dr. Luca Compagna


The presentation discusses the challenges of using commercial and open source tools for static analysis of code vulnerabilities and proposes a framework for improving the effectiveness of such tools.
  • Commercial and open source static analysis tools have limitations that keep them from detecting all code vulnerabilities
  • The proposed framework uses testability patterns and discovery rules to improve the effectiveness of static analysis tools
  • Transformation experiments were conducted to improve the testability of the patterns
  • The framework can be improved by adding custom rules and by integrating other open source tools
  • The community is invited to contribute to the project and help improve the framework
The presenter shared that even the best-performing tool hit a testability obstacle every 200 lines of code, which can be a significant challenge for developers. To address this, the team ran experiments that transformed the patterns to improve the testability of vulnerabilities. By using discovery rules and applying the transformed patterns, they were able to discover over 9,000 new vulnerabilities in more than 3,000 applications. The presenter emphasized the importance of community involvement in improving the framework.


Motivated by our promising research results (see anonymized attached document), also presented at OWASP AppSec last year, and by their successful initial evaluation in industrial settings, we have just started a new OWASP project to make our Testability Patterns for Web Applications consumable by, and improvable by, the entire community. In this presentation, we will present the goals of our OWASP project and the importance of the testability dimension for the security and privacy of Web Applications. We will showcase our approach in the context of Static Application Security Testing (SAST). First, we will present with concrete examples what testability patterns for SAST are and how they impede the ability of state-of-the-art SAST tools to analyze web application code. Second, we will present our open source framework to operate these patterns. The framework allows SAST tools to be evaluated against the testability patterns, so as to know which patterns are problematic for which tool. The framework also allows the discovery of patterns within web application source code, so as to make developers aware of which code areas will be problematic for SAST. Third, we will introduce the three main target audience groups: web developers, SAST tool developers, and central security teams. For each of these groups, we will clarify what added value these SAST patterns provide and how that group can join our project community and contribute to creating and maturing testability patterns. Last, but not least, we will lay out the plan for our OWASP project.
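To make the three ideas in the abstract concrete (a pattern that impedes a SAST tool, a discovery rule that flags it, and a transformation that restores testability), here is an added, self-contained illustration in Python; it is not the OWASP project's framework or its pattern catalogue. The toy intra-procedural taint tracker, the source/sink conventions (`request.args.get` / `db.execute`) and both code snippets are constructed for this example; the pattern instance is a dynamic `getattr` dispatch, which hides the callee from static analysis until it is rewritten as an explicit branch.

```python
import ast
# Constructed conventions for this toy tracker: request.args.get(...) is the
# taint source and db.execute(...) is the sink.
def is_source(n):
    return isinstance(n, ast.Call) and isinstance(n.func, ast.Attribute) and n.func.attr == "get"
def is_sink(n):
    return (isinstance(n, ast.Call) and isinstance(n.func, ast.Attribute)
            and isinstance(n.func.value, ast.Name) and (n.func.value.id, n.func.attr) == ("db", "execute"))
def is_dynamic_getattr(n):
    # Discovery rule: getattr(obj, <non-literal>) picks the callee at run time,
    # so a static tracker cannot tell which method receives the data.
    return (isinstance(n, ast.Call) and isinstance(n.func, ast.Name) and n.func.id == "getattr"
            and len(n.args) >= 2 and not isinstance(n.args[1], ast.Constant))

def analyze(src):
    """Return (sink lines reached by taint, lines holding a testability obstacle)."""
    tainted, findings, obstacles = set(), [], []
    def uses_tainted(expr):
        return any(isinstance(n, ast.Name) and n.id in tainted for n in ast.walk(expr))
    def visit(stmts):
        for st in stmts:
            if isinstance(st, ast.Assign) and isinstance(st.targets[0], ast.Name):
                if is_dynamic_getattr(st.value):
                    obstacles.append(st.lineno)        # the data flow is lost here
                elif is_source(st.value) or uses_tainted(st.value):
                    tainted.add(st.targets[0].id)      # propagate taint to the target
            elif isinstance(st, ast.Expr) and is_sink(st.value) and any(map(uses_tainted, st.value.args)):
                findings.append(st.lineno)
            for field in ("body", "orelse"):           # descend into def / if / loops
                visit(getattr(st, field, []))
    visit(ast.parse(src).body)
    return findings, obstacles

# Constructed pattern instance: the same data flow before and after transformation.
OBSTACLE = '''\
def handle(request):
    data = request.args.get("q")
    op = getattr(db, request.args.get("op"))
    op(data)
'''
TRANSFORMED = '''\
def handle(request):
    data = request.args.get("q")
    name = request.args.get("op")
    if name == "execute":
        db.execute(data)
    elif name == "log":
        db.log(data)
'''
```

`analyze(OBSTACLE)` reports no sink but an obstacle on line 3, which is what a developer would be warned about; `analyze(TRANSFORMED)` reports the sink on line 5 and no obstacle, showing the same flow made visible to the tracker.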

