MattDevBlog

COMP3820 Computing Internship Work Portfolio

Zerosource CLI Tool for Attack Surface Detection via Static Source Code Analysis

Host Organisation - Zerosource

Zerosource is an Australian-owned and -run consulting company that conducts penetration testing, software assurance, and strategy and advice engagements.

Zerosource specialises in application security (AppSec) and DevSecOps and strives to ensure businesses build and maintain secure applications and protect their software and infrastructure.

https://www.zerosource.io/

Internship Project Description

The objective of the Attack Surface Detection project is to develop a cybersecurity tool, driven from a command-line interface (CLI) and written in Python, that scans the source code of applications and other code bases and extracts any API endpoints, URLs, or routes it finds, to assist with attack surface management and reporting.

The Attack Surface Detection via Static Code Analysis Tool (ASDAT) generates a JSON report for each code file picked up by Semgrep. The JSON format is designed for machine readability, so results can be fed into other tools such as Burp Suite for further analysis.

Learning Opportunities

Throughout the internship, there were countless opportunities for me to learn and try new skills, gain new experiences, and work alongside others in a fast-paced environment.

Working directly with project stakeholders, a daily (2 working days) standup with the team, deploying and learning new technologies such as Docker, and building more resilient Python code were all opportunities that I was able to take advantage of.

Key Learnings

Skills

Working on ASDAT came with countless challenges, but it has allowed me to develop and improve a number of skills, including:

Semgrep

Working on this project, I was first tasked with coming up with a solution or approach to scan source code repositories for API endpoints, URLs, or routes. After some research, I came across Semgrep, a static analysis tool that can be used to scan source code for security vulnerabilities or for any other patterns or rules that you can come up with. Custom rules are easily configured and written in the Semgrep YAML format (https://semgrep.dev/docs/writing-rules/overview/) for the many supported languages (https://semgrep.dev/docs/writing-rules/rule-syntax/).

Being exposed to Semgrep showed me the near-limitless potential of static analysis tools and how they can be used to automate and improve the security of applications and code bases. The main takeaway from my brief use of Semgrep is that, with the proper setup and the creation of more robust and comprehensive rulesets, ASDAT could be expanded beyond attack surface detection into general security vulnerability detection.

This level of automation and integration of security tools into the development process is the future of DevSecOps and is something that I am very interested in and will continue to learn more about.

https://semgrep.dev/

Python Unittest

Having never properly written or used unit tests in Python before, this was a good learning experience. Having come from languages such as Java and JUnit testing, Python unit tests were fairly easy to pick up.

The main takeaways from this experience are the importance of writing unit tests and how they can be used to ensure that code is working as expected and to prevent unintended side effects or issues. I experienced firsthand how effective test cases are in maintaining expected functionality through multiple or complex code changes: the tests caught issues with new code paths, and tests added as bugs were addressed ensured those bugs were not re-introduced at any point afterwards.

https://docs.python.org/3/library/unittest.html
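As an added example covering both the Semgrep and the unittest sections above (this is not ASDAT's own code), the block below takes Semgrep's JSON output, groups the findings into one machine-readable report per scanned file as the project description calls for, and ships with a unittest suite of the kind the post describes, including a regression-style test for the empty-scan edge case. The input layout (results[].check_id, .path, .start.line, .extra.lines, .extra.metavars) is my understanding of the `semgrep --json` format; the rule ids, file paths and matched lines are constructed sample data, not real scan output.

```python
"""Group Semgrep JSON findings into one report per scanned file, with unittest coverage.

Added example, not ASDAT's own code. The input shape mirrors `semgrep --json` output
(results[].check_id, .path, .start.line, .extra.lines, .extra.metavars) as I understand
it; the rule ids, file paths and matched lines below are constructed, not real scan output.
"""
import json
import unittest
from collections import defaultdict
from pathlib import Path

# Constructed stand-in for `semgrep --config rules/ --json` output (not a real scan).
SAMPLE_SEMGREP_OUTPUT = {
    "results": [
        {"check_id": "rules.flask-route", "path": "app/api.py",
         "start": {"line": 12}, "end": {"line": 12},
         "extra": {"message": "Flask route", "lines": "@app.route('/users/<int:uid>')",
                   "metavars": {"$ROUTE": {"abstract_content": "'/users/<int:uid>'"}}}},
        # Same route registered twice: the report should list it once, with both lines.
        {"check_id": "rules.flask-route", "path": "app/api.py",
         "start": {"line": 20}, "end": {"line": 20},
         "extra": {"message": "Flask route",
                   "lines": "@app.route('/users/<int:uid>', methods=['POST'])",
                   "metavars": {"$ROUTE": {"abstract_content": "'/users/<int:uid>'"}}}},
        {"check_id": "rules.hardcoded-url", "path": "app/client.py",
         "start": {"line": 5}, "end": {"line": 5},
         "extra": {"message": "URL literal",
                   "lines": 'TOKEN_URL = "https://api.example.com/v1/token"',
                   "metavars": {"$URL": {"abstract_content": '"https://api.example.com/v1/token"'}}}},
        # A pattern with no metavariable: fall back to the matched source line itself.
        {"check_id": "rules.requests-call", "path": "app/client.py",
         "start": {"line": 9}, "end": {"line": 9},
         "extra": {"message": "outbound HTTP call", "lines": 'requests.get(BASE + "/health")',
                   "metavars": {}}},
    ],
    "errors": [],
}


def _finding_value(result):
    """Prefer the captured metavariable (quotes stripped); otherwise use the matched line."""
    extra = result.get("extra", {})
    for metavar in extra.get("metavars", {}).values():
        content = metavar.get("abstract_content", "").strip()
        if content:
            return content.strip("'\"")
    return extra.get("lines", "").strip()


def build_reports(semgrep_output):
    """Return {path: report} with one report per file that produced findings.

    Findings are de-duplicated on (rule id, extracted value) so a route mounted for
    several HTTP methods appears once, but every line it was seen on is retained.
    """
    per_file = defaultdict(dict)
    for result in semgrep_output.get("results", []):
        value = _finding_value(result)
        key = (result["check_id"], value)
        entry = per_file[result["path"]].setdefault(
            key, {"rule": result["check_id"], "value": value, "lines": []})
        entry["lines"].append(result["start"]["line"])
    return {
        path: {"file": path,
               "endpoints": sorted(entries.values(), key=lambda e: (e["rule"], e["value"]))}
        for path, entries in per_file.items()
    }


def write_reports(semgrep_output, out_dir):
    """Write one <file>.json per scanned file under out_dir; returns the paths written."""
    out_dir = Path(out_dir)
    out_dir.mkdir(parents=True, exist_ok=True)
    written = []
    for path, report in build_reports(semgrep_output).items():
        target = out_dir / (path.replace("/", "_") + ".json")  # flatten nested paths
        target.write_text(json.dumps(report, indent=2))
        written.append(target)
    return written


class BuildReportsTest(unittest.TestCase):
    def test_one_report_per_file(self):
        self.assertEqual(set(build_reports(SAMPLE_SEMGREP_OUTPUT)), {"app/api.py", "app/client.py"})

    def test_duplicate_route_is_merged_but_lines_kept(self):
        endpoints = build_reports(SAMPLE_SEMGREP_OUTPUT)["app/api.py"]["endpoints"]
        self.assertEqual(endpoints, [{"rule": "rules.flask-route",
                                      "value": "/users/<int:uid>", "lines": [12, 20]}])

    def test_fallback_to_matched_line_without_metavar(self):
        report = build_reports(SAMPLE_SEMGREP_OUTPUT)["app/client.py"]
        values = [e["value"] for e in report["endpoints"]]
        self.assertEqual(values, ["https://api.example.com/v1/token",
                                  'requests.get(BASE + "/health")'])

    def test_no_findings_means_no_reports(self):
        # Regression-style test: an empty scan must not raise or emit files.
        self.assertEqual(build_reports({"results": [], "errors": []}), {})


if __name__ == "__main__":
    unittest.main()
```

Running the file directly (`python report.py`) executes the four tests; in a real pipeline the dictionary passed to `write_reports` would come from `json.load` over the file Semgrep writes with `--json -o`. The de-duplication key is (rule, value) rather than just value, so the same string found by a route rule and by a URL-literal rule is reported under both, which is what a reviewer wants to see when cross-checking the surface.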

PyInstaller

Having never used PyInstaller, this was a new tool for me. It was used extensively when working with stakeholders (aka project supervisors) to figure out the best way to deploy the tool. PyInstaller was used to create a single executable file that can be run on any system without the need for Python or any other dependencies to be installed. This was later coupled with Docker (more below) to create a deployment flow that can be tailored to the needs of each client and used for sandboxing executions.

Before being told about this tool when talking with supervisors, I did not know such a platform for Python existed. This was a great learning experience and has shown me the potential of Python and how it can be used to create cross platform applications in the future.

https://pyinstaller.org/en/stable/

Docker

Having used Docker before, this was a good opportunity to learn more about Docker and how it can be used to create a deployment flow that can be tailored to the needs of each client and used for sandboxing executions.

The Dockerfile creates the image by first running PyInstaller on the repository to produce a single executable in the output directory. This executable is then copied into the Docker file system and executed by the Dockerfile's CMD directive.

This was also a learning experience, as I was unable to get a full source code directory properly copied into the Docker image. My supervisors pointed out that Docker volume mapping exists via the -v flag, which maps the source code repository to a set directory inside the Docker container at run time, allowing for easy configuration within the Dockerfile.

https://www.docker.com/
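The build-and-run flow described in the PyInstaller and Docker sections, written out as an added example rather than Zerosource's actual Dockerfile: a multi-stage build runs PyInstaller to produce a single executable, the runtime stage copies only that executable, and the repository to scan is bind-mounted with -v rather than baked into the image. The entry point path `asdat/__main__.py`, the `requirements.txt`, the `--source`/`--output` flags and the assumption that the tool shells out to the `semgrep` CLI are all placeholders I have chosen, not details from the post.

```dockerfile
# Added example (not Zerosource's Dockerfile). Entry point, requirements file,
# CLI flags and the runtime dependency on the semgrep CLI are assumptions.

# Stage 1: build a single-file executable with PyInstaller.
FROM python:3.11-slim AS build
WORKDIR /build
COPY . .
RUN pip install --no-cache-dir pyinstaller -r requirements.txt \
 && pyinstaller --onefile --name asdat asdat/__main__.py

# Stage 2: runtime image carrying only the executable (plus Semgrep, which the
# tool invokes). Same base as stage 1 so the PyInstaller binary finds a matching libc.
FROM python:3.11-slim
RUN pip install --no-cache-dir semgrep
COPY --from=build /build/dist/asdat /opt/asdat/asdat

# The repository under review is NOT copied in; it is bind-mounted at /src at run
# time with `docker run -v`, and the per-file JSON reports land in /out (also mounted).
VOLUME ["/src", "/out"]
CMD ["/opt/asdat/asdat", "--source", "/src", "--output", "/out"]
```

Build once with `docker build -t asdat .`, then scan any checkout with `docker run --rm -v "$(pwd)/target-repo:/src:ro" -v "$(pwd)/reports:/out" asdat`. Mounting the source read-only (`:ro`) is the cheap sandboxing win: the scanner can read the code but cannot modify the client's checkout, and each engagement's repository is supplied at run time without rebuilding the image.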

Experience

Working with stakeholders

Working closely with stakeholders expanded my knowledge and experience, and provided me the opportunity to learn from others and gain valuable insights into the industry and how things work in the real world, building on top of my experiences in my current software engineering job, other internships, and university courses.

Technical documentation and presentation

Having to fully document the code (docstrings) and create Confluence pages covering all the functionality of the tool, how to maintain it, how to add new features and language support, how to deploy it, and many other small details really showed me the importance of technical documentation and how it ensures that others can easily understand and use the tool.

Just because you can read and understand the code and documentation you write doesn't mean others will, or that they won't have questions, because they lack the context you had when writing it. This is something that I will continue to improve on and develop over time.

Achievements

The ASDAT CLI tool performed well in internal testing and on testing repositories, being able to detect various API endpoints, URLs, or routes in a number of repositories. The tool was also able to be deployed via Docker and PyInstaller, allowing for easy deployment and execution on any system.

Following further work, cleanup and testing, the tool will begin to be rolled out to staff to use during engagements. It will assist with attack surface management and reporting and save time and effort for the team, with the end goal of allowing Zerosource to perform better code reviews and security assessments, leading to better overall security for clients.

Internship Takeaways

Internships provide a great opportunity to gain valuable experience and insights into the industry and how things work in the real world, building on top of experiences in current software engineering jobs, other internships, and university courses. I've been very fortunate to have been exposed to multiple internships, student accelerator programs, and other opportunities that have allowed me to see and experience the industry and how things work in the real world.

Big thanks to the team at Zerosource for the opportunity to intern there and for all the support and guidance throughout the internship.

LinkedIn post + COMP3820 poster on showcase at the ANU Computing Showcase on the 1st of November 2023.