Code Pulse: Real-time code coverage for penetration testing activities

A continuous challenge facing software penetration testers is ensuring adequate coverage of a target application. Many dynamic application security testing tools and manual pen-testing techniques test only part of the exposed code base, leaving much of the attack surface untested. A purely black box approach, used by most DAST tools, makes it almost impossible to accurately identify how much of the attack surface of an application was tested for penetration during assessment. Glass box testing techniques, as described in this paper, significantly improve the insight that penetration testers have into the coverage and makeup of the applications they are targeting. This paper reports on DHS-funded research which resulted in an innovative open source tool called Code Pulse that provides real-time code coverage for pen-testing Java web applications. Code Pulse leverages the Java instrumentation libraries to provide a real-time glass box perspective of method calls as they are exercised during security testing activities. While the concept of glass box testing is not new, Code Pulse delivers a novel real-time approach to the challenge while maintaining a tool-agnostic approach. In this paper we will outline the code coverage challenges facing penetration testers, describe the state-of-the-art in software assurance code coverage, the innovative aspects of our approach and its contribution to the state-of-the-art, the feedback we have received since releasing it as an Open Web Application Security Project (OWASP) pen-testing application in May 2014, and the planned improvements to Code Pulse.