OWASP AppSec DC 2012/Understanding IAST More Context Better Analysis
Revision as of 20:58, 2 March 2012 by Mark.bristow
The Presentation
Automated tools for application security are either "static" (SAST) or "dynamic" (DAST). But recently a new class of "interactive" or "intrinsic" (IAST) tools has emerged -- some are calling them "hybrid" analysis tools. Is this finally application security automation that works? Or is it just another round of hype and false alarms? In this talk, Jeff will explain IAST technology and how it can be used to find security vulnerabilities. We'll cover the full range of IAST approaches, from simple URL-to-code informers, to dynamic test generators, and all the way to fully integrated vulnerability detectors. How can we compare the performance of these new tools? Jeff will share experiences using the static analysis test suite from the NSA to evaluate tool results. Finally, we'll discuss some of the implications of detecting vulnerabilities in running applications, from getting better security results from QA teams to the possibility of a future where all apps (web, mobile, cloud, desktop, etc.) detect and report their own vulnerabilities while they are being used.
The Speakers
Jeff Williams