Difference between revisions of "OWASP AppSec DC 2012/Understanding IAST More Context Better Analysis"

From OWASP

Latest revision as of 09:55, 22 March 2012


The Presentation

Automated tools for application security are either "static" (SAST) or "dynamic" (DAST). But recently a new class of "interactive" or "intrinsic" (IAST) tools has emerged; some are calling them "hybrid" analysis tools. Is this finally application security automation that works? Or is it just another round of hype and false alarms? In this talk, Jeff will explain IAST technology and how it can be used to find security vulnerabilities. We'll cover the full range of IAST approaches, from simple URL-to-code informers, to dynamic test generators, and all the way to fully integrated vulnerability detectors. How can we compare the performance of these new tools? Jeff will share experiences using the static analysis test suite from the NSA to evaluate tool results. Finally, we'll discuss some of the implications of detecting vulnerabilities in running applications, from getting better security results from QA teams to the possibility of a future where all apps (web, mobile, cloud, desktop, etc.) detect and report their own vulnerabilities while they are being used.

The Speakers

Jeff Williams

As a pioneer in the software development and security field, Jeff Williams is one of the world's foremost experts on application security. Williams is the co-founder and CEO of Aspect Security, a consulting firm focused exclusively on application security that supports a worldwide clientele with critical applications in the government, defense, financial, healthcare, services and retail sectors. Williams and his team at Aspect Security are founding members of the Open Web Application Security Project (OWASP), through which Williams has made industry contributions including: the OWASP Top Ten, Enterprise Security API (ESAPI), Application Security Verification Standard (ASVS), Risk Rating Methodology and WebGoat. Williams holds advanced degrees in psychology, computer science and human factors, and graduated cum laude from Georgetown Law.
