This site is the archived OWASP Foundation Wiki and is no longer accepting Account Requests.
To view the new OWASP Foundation website, please visit https://owasp.org
Difference between revisions of "OWASP AppSec DC 2012/Understanding IAST More Context Better Analysis"
Mark.bristow (talk | contribs) (Created page with "<noinclude>{{:OWASP AppSec DC 2012 Header}}</noinclude> __NOTOC__ == The Presentation == rightAutomated tools for application security are eit...") |
Mark.bristow (talk | contribs) |
||
| Line 2: | Line 2: | ||
__NOTOC__ | __NOTOC__ | ||
== The Presentation == | == The Presentation == | ||
| − | + | Automated tools for application security are either "static" (SAST) or "dynamic" (DAST). But recently a new class of "interactive" or "intrinsic" (IAST) tools have emerged -- some are calling them "hybrid" analysis tools. Is this finally application security automation that works? Or is it just another round of hype and false alarms. In this talk, Jeff will explain IAST technology and how it can be used to find security vulnerabilities. We'll cover the full range of IAST approaches, from simple URL-to-code informers, to dynamic test generators, and all the way to fully integrated vulnerability detectors. How can we compare the performance of these new tools? Jeff will share experiences using the static analysis test suite from the NSA to evaluate tool results. Finally, we'll discuss some of the implications of detecting vulnerabilities in running applications, from getting better security results from QA teams to the possibility of a future where all apps (web, mobile, cloud, desktop, etc) detect and report their own vulnerabilities while they are being used. | |
== The Speakers == | == The Speakers == | ||
| − | Jeff Williams | + | <table> |
| + | <tr> | ||
| + | <td> | ||
| + | ===Jeff Williams=== | ||
| + | [[Image:Owasp_logo_normal.jpg|left]]Bio TBA | ||
| + | </td> | ||
| + | </tr> | ||
| + | </table> | ||
<noinclude>{{:OWASP AppSec DC 2012 Footer}}</noinclude> | <noinclude>{{:OWASP AppSec DC 2012 Footer}}</noinclude> | ||
Revision as of 01:03, 12 March 2012
Registration Now OPEN! | Hotel | Schedule | Convention Center | AppSecDC.org
The Presentation
Automated tools for application security are either "static" (SAST) or "dynamic" (DAST). But recently a new class of "interactive" or "intrinsic" (IAST) tools have emerged -- some are calling them "hybrid" analysis tools. Is this finally application security automation that works? Or is it just another round of hype and false alarms. In this talk, Jeff will explain IAST technology and how it can be used to find security vulnerabilities. We'll cover the full range of IAST approaches, from simple URL-to-code informers, to dynamic test generators, and all the way to fully integrated vulnerability detectors. How can we compare the performance of these new tools? Jeff will share experiences using the static analysis test suite from the NSA to evaluate tool results. Finally, we'll discuss some of the implications of detecting vulnerabilities in running applications, from getting better security results from QA teams to the possibility of a future where all apps (web, mobile, cloud, desktop, etc) detect and report their own vulnerabilities while they are being used.
The Speakers
Jeff Williams |
Gold Sponsors |
|
|
|
|
Silver Sponsors |
| |||
Small Business |
|
| ||
Exhibitors |
|
|
|
|
