Aspect's Research and Development Labs
Aspect Security leads many research and development projects on the cutting edge of application security. We're working hard on the frontiers of application security so that we can offer our customers the best solutions to all of their application security problems. We also donate the majority of our research to OWASP where it is free and open for everyone to use. Our research spans all the aspects of a responsible application security program. There's a lot more to application security than attack tools. We're trying to help organizations really improve their ability to produce secure code. Find out more by downloading our tools and documents or reading our papers and presentations.
Foundation
We are working hard to arm developers with everything they need in order to produce secure applications. We're ready to help you draft contracts that make security and liability clear, coding standards that show your developers how to use your architecture to "get security right", and policies that set the higher-level application security rules for your organization. We have developed over a dozen different application security courses as part of our training program to educate your developers on how to avoid introducing application security problems in the first place. We can leverage our vast collection of application security intellectual property to help you in a number of different ways.
Implementation
Aspect has always focused more on defensive research in order to provide the best support to our enterprise clients, who are dealing with a relentless barrage of cutting-edge attacks. Our research has encompassed all of the stages of the software development lifecycle. Aspect has created advanced enterprise security controls (ESAPI, AntiSamy, and CSRFGuard), advanced testing controls (JSP Testing Tool), a maintenance-phase application intrusion detection API (AppSensor), and more. Aspect has also researched the software development process holistically to help identify root causes of application security problems in different lifecycle types. Aspect's whitepaper on writing secure applications in the Agile lifecycle was one of the first forays into how to build security into this popular, fast-moving process without compromising its speed.
Verification
Our research involves finding new verification techniques, improving existing techniques, automating testing, and discovering vulnerabilities in commonly used software. Our hybrid analysis techniques, which combine manual review with static and dynamic testing, allow us to find vulnerabilities from all perspectives. Aspect has published multiple white papers on new verification techniques, including file download injection and method tampering. Our engineers are continually working to create new and improved manual and dynamic testing techniques. Aspect has invested heavily in tools that assist the human tester, such as WebScarab and CSRFTester. We have also developed multiple static analysis tools strictly for internal use in analyzing customer applications. Because of our experience and knowledge in this domain, we work closely with static code analysis vendors to make sure their tools are the best they can possibly be. Recently we released JavaSnoop, an innovative new way of testing thick Java clients.
Management
We've invested heavily in creating new ways to help organizations manage their application security portfolio with better technology. The result of our research is a one-of-a-kind software service that gives our customers hard-to-attain visibility into their application security program at every scale. Our software also uses metrics and trends to identify root causes and other actionable information that every application security program manager must have.