Code Pulse for Application Security Testing

Code Pulse

Turn your black box into a glass box

Even when you’re doing the right thing (by that we mean testing your application’s security), it’s hard to tell what you’re actually checking. When you run an automated testing tool, you’re given a list of results at the end, and you have to trust that it has tested as much as necessary (which is one of the reasons why we so strongly recommend using more than one tool). There really is no good way to quickly and easily track how much of your application’s attack surface has actually been tested—and how exposed some of it might be.

Code Pulse provides a straightforward, visual illustration of your application’s attack surface, and how your penetration testing interacts with it. Even better, it functions in real-time, while your application is active, so you can tell exactly what parts of your code are covered by the penetration test—and what parts aren’t.

Know your tools

It’s hard to know how well your tools work (or how they work). They’re all different, and some of them are better at some things than others. As a rule, tools don’t tell you what they don’t find, only what they do—if they did, then you’d never need more than one! Evaluating their performance is hard, especially the key measurement—coverage.

Code Pulse shows you exactly which parts of the application are covered by each tool, so you can see where there are overlaps—and, more importantly, where there are gaps. This helps you understand whether or not you need to add different tools to your testing process, or evaluate new ones for future projects. If you don’t know your tools, you can’t test well—and if you can’t test well, you definitely can’t secure your application.

Code Pulse key features

  • Works in JVM environments
  • Export your coverage map to share with your team
  • Compare coverage across all of your tools
  • Quickly see any code that hasn’t been tested
  • See results of scan setting adjustments immediately

OWASP Code Pulse and Attack Surface Detector

Presentation by Ken Prole