OWASP AppSec DC 2012/Understanding IAST More Context Better Analysis

The Presentation
Automated tools for application security are either "static" (SAST) or "dynamic" (DAST). But recently a new class of "interactive" or "intrinsic" (IAST) tools have emerged -- some are calling them "hybrid" analysis tools. Is this finally application security automation that works? Or is it just another round of hype and false alarms. In this talk, Jeff will explain IAST technology and how it can be used to find security vulnerabilities. We'll cover the full range of IAST approaches, from simple URL-to-code informers, to dynamic test generators, and all the way to fully integrated vulnerability detectors. How can we compare the performance of these new tools? Jeff will share experiences using the static analysis test suite from the NSA to evaluate tool results. Finally, we'll discuss some of the implications of detecting vulnerabilities in running applications, from getting better security results from QA teams to the possibility of a future where all apps (web, mobile, cloud, desktop, etc) detect and report their own vulnerabilities while they are being used.

The Speakers
Jeff Williams