Automated vs. Manual Security: You can't filter The Stupid

Revision as of 15:35, 3 August 2009 by Jeremy.long (Talk | contribs)

Jump to: navigation, search

The presentation

Owasp logo normal.jpg
Everyone wants to stretch their security budget, and automated application security tools are an appealing choice for doing so. However, manual security testing isn't going anywhere until the HAL application scanner comes online. This presentation will use often humorous, real- world examples to illustrate the relative strengths and weaknesses of automated solutions and manual techniques. Automated tools certainly have some strengths (namely low incremental cost, detecting simple vulnerabilities, and performing highly repetitive tasks). In addition to preventing some attacks, WAFs also have advantages for some compliance frameworks. However, automated solutions are far from perfect.

The speakers

David Byrne has worked in information security for almost a decade. Currently, he is a consultant in Trustwave's Application Penetration Testing group. Before Trustwave, David was the Security Architect at Dish Network. In 2006, he started the Denver chapter of OWASP. In 2008, he released Grendel (, an open source web application security scanner. David has presented at a number of security events including DEFCON, Black Hat, Toorcon, FROC, and the Computer Security Institute's annual conference.

Charles Henderson has been in the security industry for over 15 years and manages the Application Penetration Testing and Code Review Practice at Trustwave. He has specialized in application security testing and application security assessment throughout his career but has also worked in physical security testing and network security testing.