Difference between revisions of "OWASP AppSec DC 2012/Dynamic DASTWAF Integration"

From OWASP

Latest revision as of 20:01, 11 March 2012


The Presentation

The concept of dynamic application security testing (DAST) exporting data that is then imported into a web application firewall (WAF) for targeted remediation is not new. While this concept is certainly attractive for showing risk reduction and shortening the time-to-fix metric, it is important to realize that you are not constrained to a "one way" data flow. WAFs have access to a tremendous amount of information that they can share with DAST tools to aid in application coverage and to initiate on-demand assessments of new or changed resources. This presentation will highlight how DASTs and WAFs can achieve a synergistic effect by dynamically sharing data. During the presentation, a working integration between the Arachni web application security scanner framework and the ModSecurity web application firewall will be presented.

The Speakers

Ryan Barnett

Ryan C. Barnett is a senior security researcher on Trustwave's SpiderLabs Research Team where he specializes in web application defense. He is a SANS Institute certified instructor and a member of both the Top 20 Vulnerabilities and CWE/SANS Top 25 Most Dangerous Programming Errors teams. In addition to working with SANS, he is also a WASC Member where he leads the Web Hacking Incidents Database (WHID) and Distributed Web Honeypots Projects and is also the OWASP ModSecurity Core Rule Set (CRS) project leader. Mr. Barnett has also authored a Web security book for Addison/Wesley Publishing entitled Preventing Web Attacks with Apache.

Twitter account - @ryancbarnett

