• Share
  • Email
  • Embed
  • Like
  • Save
  • Private Content
Graph Visualization - OWASP NYC Chapter
 

Graph Visualization - OWASP NYC Chapter

on

  • 341 views

The presentation that was given by Maty Siman, Checkmarx's CTO during the OWASP NYC/NJ local chapter meeting held on the 11th of April 2013.

The presentation that was given by Maty Siman, Checkmarx's CTO during the OWASP NYC/NJ local chapter meeting held on the 11th of April 2013.

Statistics

Views

Total Views
341
Views on SlideShare
337
Embed Views
4

Actions

Likes
0
Downloads
0
Comments
0

3 Embeds 4

http://www.linkedin.com 2
https://twitter.com 1
https://www.rebelmouse.com 1

Accessibility

Categories

Upload Details

Uploaded via as Microsoft PowerPoint

Usage Rights

© All Rights Reserved

Report content

Flagged as inappropriate Flag as inappropriate
Flag as inappropriate

Select your reason for flagging this presentation as inappropriate.

Cancel
  • Full Name Full Name Comment goes here.
    Are you sure you want to
    Your message goes here
    Processing…
Post Comment
Edit your comment
  • That’s a data flow and how each step is reflected at the source code.
  • And then we might have dozens of paths. How can we gain some more information?
  • Let’s combine them together
  • So this place is probably better. More paths get fixed
  • If I fixed that point, what parts will be OK?
  • And what about this one in here?
  • So by fixing only three places in the code, we were able to fix…
  • So by fixing only three places in the code, we were able to fix…
  • So by fixing only three places in the code, we were able to fix…
  • So by fixing only three places in the code, we were able to fix…
  • So by fixing only three places in the code, we were able to fix…
  • … this.

Graph Visualization - OWASP NYC Chapter Graph Visualization - OWASP NYC Chapter Presentation Transcript

  • OWASP NYC MatyTitle in white and bold Siman
  • AboutMaty Siman, CISSPCTO, Founder – Checkmarx: Leading SAST (“Source Code Analysis”) Vendor Hundreds of customers WW Secures SalesForce AppExchange market Title in white and bold “Visionary” by Gartner
  • Graph VisualizationTitle in white and bold
  • Issues at hand – size, complexity, volume The biggest challenge of current source code analysis solutions is size- How to deliver: 1. Usable results 2. Automatically Title in white and bold 3. Out-of-the-box 4. Actionable for extra large code bases with thousands+ of results
  • Issue• Findings thousands accurate results, does not make us happy …• Webgoat, for example, has hundreds of XSS• We’ll narrow this down to 10 fixing placesTitle in white and bold
  • Current situation• Each result has a data flow, presented independently from other findings.Title in white and bold
  • Single Data Flow Path - XSS Request.QueryString*“param1”+;String s = Request.QueryString*“param1”+; … s Response.Write(s); Response.Write(s); Title in white and bold
  • Current situation• One is easy.• And 14?Title in white and bold
  • Many Single-Path – XSS – a lot of workTitle in white and bold
  • But …• What do they have in common?Title in white and bold
  • Combined pathsTitle in white and bold
  • Can we …• Point, click and check without even READING the source code?• “What if I fix here? Or here?”Title in white and bold
  • Here it is more effectiveTitle in white and bold
  • What-If I fix here?Title in white and bold
  • And here?Title in white and bold
  • Automatic “What-if” => Best Fix LocationMax-Flow-Min-Cut (http://en.wikipedia.org/wiki/Max-flow_min-cut_theorem_Title in white and bold
  • Simplifying the graph – step 1 - groupingTitle in white and bold
  • Simplifying the graph – step 2 –homeograph’ing (http://enc.tfode.com/Homeomorphism_(graph_theory))Title in white and bold
  • Simplifying the graph - outputTitle in white and bold
  • Simplifying the graph - outputTitle in white and bold
  • Compare the three Title in white and boldSpace Invader
  • Benefits• Gives you the correlation between findings of the same type (SQLi) and different types.• You are not dealing with individual findings – but with a complete system•Title inyour time bold Use white and better
  • Thank youTitle in white and bold maty@checkmarx.com