Skip to content

Vulnerability consolidation and management tool, enhances scan results by merging different findings of the same weakness across multiple static/dynamic scans

License

Notifications You must be signed in to change notification settings

secdec/astam-correlator

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 

Repository files navigation

ASTAM Correlator

The ASTAM Correlator is a vulnerability consolidation and management tool for web applications, capable of correlating and merging different Static and Dynamic scans indicating the same vulnerability. This improves scan results by combining findings that are symptoms of the same weakness, providing:

  • More information on a vulnerability as a whole
  • Reduced duplicate vulnerabilities from multiple SAST/DAST scans

Supported Web Frameworks

The following frameworks are supported by the Correlator route detection process:

  • ASP.NET MVC / Web API / Core / Web Forms
  • Struts
  • Django
  • Ruby on Rails
  • Spring MVC
  • JSP

Referencing the Endpoint Detection HAM Module

The ASTAM Correlator HAM module for endpoint detection has been published to Maven. You can add it as a dependency by adding this to your pom.xml:

<dependency>
    <groupId>com.github.secdec.astam-correlator</groupId>
    <artifactId>threadfix-entities</artifactId>
    <version>1.3.8</version>
</dependency>
<dependency>
    <groupId>com.github.secdec.astam-correlator</groupId>
    <artifactId>threadfix-ham</artifactId>
    <version>1.3.8</version>
</dependency>

Documentation

Instructions for the usage and installation of the ASTAM Correlator can be found in this project's Wiki.

Contributors

This project is a modification of Denim Group's software ThreadFix, Community Edition, which provides the Hybrid Analysis Mapping (HAM) that runs the correlation. A collaboration between Denim Group Ltd., and Secure Decisions, a division of Applied Visions Inc., has improved upon the open-source ThreadFix tool with a focused interface and improved HAM capabilities.

The original ThreadFix project can be found here: https://github.com/denimgroup/threadfix


This material is based on research sponsored by the Department of Homeland Security (DHS) Science and Technology Directorate, Cyber Security Division (DHS S&T/CSD) via contract number HHSP233201600058C.

About

Vulnerability consolidation and management tool, enhances scan results by merging different findings of the same weakness across multiple static/dynamic scans

Topics

Resources

License

Stars

Watchers

Forks

Packages

No packages published