The Strengths of Combining Code Review with Application Penetration Testing

From OWASP

Latest revision as of 21:34, 23 February 2012


The presentation


This presentation describes the strengths and benefits of combining code analysis with application penetration testing during the assessment of the security of an application. It specifically covers the following:

  • The strengths of manual code review in finding vulnerabilities (using the Top 10 as the categories)
  • The strengths of manual pen testing in finding vulnerabilities (against the Top 10)
  • How each technique can leverage the other
  • How proving that a vulnerability can really be exploited can be important, but not really in a mature organization
  • The massive benefit of finding where the vulnerabilities are in the CODE, not just finding out how to exploit the application
  • How tracking down a penetration testing finding to where the flaw is in the actual code can be EXTREMELY hard

The final presentation can be found at https://www.owasp.org/images/7/79/2010-DC_The_Power_of_Code_Review.pptx

A video of the talk is at http://vimeo.com/19104928

The speaker

Dave Wichers is a cofounder and the Chief Operating Officer (COO) of Aspect Security, a company that specializes in application security services.

As a volunteer to OWASP, Dave is:

Dave has over 20 years of experience in the information security field, and has focused exclusively on application security since 1998. At Aspect, in addition to his COO duties, he is Aspect's application security courseware lead, one of their chief instructors, and provides a wide variety of application security consulting services to Aspect's clients. Prior to starting Aspect, he ran the Application Security Services Group at Exodus Communications. Dave has Bachelor's and Master's degrees in Computer Science, and is a CISSP and a CISM.