This site is the archived OWASP Foundation Wiki and is no longer accepting Account Requests.
To view the new OWASP Foundation website, please visit

FROC2010 Abstract Byrne

Jump to: navigation, search

The Presentation: "Anatomy of a Logic Flaw"

Traditional vulnerabilities like SQL Injection, buffer overflows, etc, have well established techniques for discovery and prevention. On the other hand, logic flaws are incredibly diverse and often unique to the specific application or business organization. Because of this, logic flaws have taken on a near mythical status. In the myth, logic flaws are nearly impossible to find until the elite of the elite hackers launch an attack to completely own the application.

The reality is far different; logic flaws are not the complex nightmare that many have made them out to be. This presentation will use real-world examples to show how logic flaws are typically introduced into an application, how they can be consistently detected during testing, and how they can be prevented during development. Instead of hoping for magic, repeatable processes will be outlined for each of those items. This will prove beneficial to anyone responsible for application security: programmers, architects, managers, and pen testers.

The Speakers: David Byrne and Charles Henderson, Trustwave

David Byrne is a Senior Security Consultant within the Application Security practice at Trustwave's SpiderLabs. SpiderLabs is the advanced security team responsible for Penetration Testing, Application Security, and Incident Response for Trustwave's clients.

David has been involved with information security for a decade. Before Trustwave, he was the Security Architect at Dish Network. In 2008, he released Grendel (, an open source web application security scanner. David frequently presents at security events including DEFCON, Black Hat, Toorcon, SANS, and OWASP AppSec.

Charles Henderson is the Director of Application Security Services at Trustwave's SpiderLabs. He has been in the information security industry for over fifteen years. His team specializes in application security including application penetration testing, code review, and training in secure development techniques. The team's clients range from the largest of the Fortune lists to small and midsized companies interested in improving their application security posture.

Charles routinely speaks on various subject matters relating to application security at conferences such as Black Hat, SOURCE, Merchant Risk Council, IAFCI, and OWASP AppSec.

Back to Conference Agenda