This site is the archived OWASP Foundation Wiki and is no longer accepting Account Requests.
To view the new OWASP Foundation website, please visit https://owasp.org
Difference between revisions of "OWASP AppSec DC 2012/Understanding IAST More Context Better Analysis"
Mark.bristow (talk | contribs) (Created page with "<noinclude>{{:OWASP AppSec DC 2012 Header}}</noinclude> __NOTOC__ == The Presentation == rightAutomated tools for application security are eit...") |
(→The Speakers) |
||
(2 intermediate revisions by one other user not shown) | |||
Line 2: | Line 2: | ||
__NOTOC__ | __NOTOC__ | ||
== The Presentation == | == The Presentation == | ||
− | + | Automated tools for application security are either "static" (SAST) or "dynamic" (DAST). But recently a new class of "interactive" or "intrinsic" (IAST) tools have emerged -- some are calling them "hybrid" analysis tools. Is this finally application security automation that works? Or is it just another round of hype and false alarms. In this talk, Jeff will explain IAST technology and how it can be used to find security vulnerabilities. We'll cover the full range of IAST approaches, from simple URL-to-code informers, to dynamic test generators, and all the way to fully integrated vulnerability detectors. How can we compare the performance of these new tools? Jeff will share experiences using the static analysis test suite from the NSA to evaluate tool results. Finally, we'll discuss some of the implications of detecting vulnerabilities in running applications, from getting better security results from QA teams to the possibility of a future where all apps (web, mobile, cloud, desktop, etc) detect and report their own vulnerabilities while they are being used. | |
== The Speakers == | == The Speakers == | ||
− | Jeff Williams | + | <table> |
+ | <tr> | ||
+ | <td> | ||
+ | ===Jeff Williams=== | ||
+ | [[Image:AppSecDC12-Williams.jpg|left]]As a pioneer in the software development and security field, Jeff Williams is one of the world's foremost experts on application security. Williams is the co-founder and CEO of Aspect Security, a consulting firm focused exclusively on application security that supports a worldwide clientele with critical applications in the government, defense, financial, healthcare, services and retail sectors. Williams and his team at Aspect Security are founding members of the Open Web Application Security Project (OWASP), through which Williams has made industry contributions including: the OWASP Top Ten, Enterprise Security API (ESAPI), Application Security Verification Standard (ASVS), Risk Rating Methodology and WebGoat. Williams holds advanced degrees in psychology, computer science and human factors, and graduated cum laude from Georgetown Law. | ||
+ | </td> | ||
+ | </tr> | ||
+ | </table> | ||
<noinclude>{{:OWASP AppSec DC 2012 Footer}}</noinclude> | <noinclude>{{:OWASP AppSec DC 2012 Footer}}</noinclude> |
Latest revision as of 14:55, 22 March 2012
Registration Now OPEN! | Hotel | Schedule | Convention Center | AppSecDC.org
The Presentation
Automated tools for application security are either "static" (SAST) or "dynamic" (DAST). But recently a new class of "interactive" or "intrinsic" (IAST) tools have emerged -- some are calling them "hybrid" analysis tools. Is this finally application security automation that works? Or is it just another round of hype and false alarms. In this talk, Jeff will explain IAST technology and how it can be used to find security vulnerabilities. We'll cover the full range of IAST approaches, from simple URL-to-code informers, to dynamic test generators, and all the way to fully integrated vulnerability detectors. How can we compare the performance of these new tools? Jeff will share experiences using the static analysis test suite from the NSA to evaluate tool results. Finally, we'll discuss some of the implications of detecting vulnerabilities in running applications, from getting better security results from QA teams to the possibility of a future where all apps (web, mobile, cloud, desktop, etc) detect and report their own vulnerabilities while they are being used.
The Speakers
Jeff WilliamsAs a pioneer in the software development and security field, Jeff Williams is one of the world's foremost experts on application security. Williams is the co-founder and CEO of Aspect Security, a consulting firm focused exclusively on application security that supports a worldwide clientele with critical applications in the government, defense, financial, healthcare, services and retail sectors. Williams and his team at Aspect Security are founding members of the Open Web Application Security Project (OWASP), through which Williams has made industry contributions including: the OWASP Top Ten, Enterprise Security API (ESAPI), Application Security Verification Standard (ASVS), Risk Rating Methodology and WebGoat. Williams holds advanced degrees in psychology, computer science and human factors, and graduated cum laude from Georgetown Law. |
Gold Sponsors |
||||
Silver Sponsors |
||||
Small Business |
||||
Exhibitors |