DAST, SAST, Hybrid, Hybrid 2.0 & IAST - Methodology & Limitations
•
2 likes•2,846 views
Current security testing approaches like DAST, SAST, and IAST have limitations including a lack of complete visibility into applications and missing valuable information that could improve accuracy. While early hybrid approaches used correlation between techniques, correlation does not overcome fundamental analyzer deficiencies. A more effective solution would use an accurate application model as the foundation, providing a wealth of information about the application that could drastically improve analysis and vulnerability detection capabilities.
Report
Share
Report
Share
Recommended
SAST vs. DAST: What’s the Best Method For Application Security Testing?
High profile security breaches are leading to heightened organizational security concerns. Firms around the world are now observing the consequences of security breaches that are becoming more widespread and more advanced. Due to this, firms are ready to identify vulnerabilities in their applications and mitigate the risks.
Two ways to go about this are static application security testing (SAST) and dynamic application security testing (DAST). These application security testing methodologies are used to find the security vulnerabilities that make your organization’s applications susceptible to attack.
The two methodologies approach applications very differently. They are most effective at different phases of the software development life cycle (SDLC) and find different types of vulnerabilities. For example, SAST detects critical vulnerabilities such as cross-site scripting (XSS), SQL injection, and buffer overflow earlier in the SDLC. DAST, on the other hand, uses an outside-in penetration testing approach to identify security vulnerabilities while web applications are running.
Let us guide you through your application security testing journey with more key differences between SAST and DAST:
OWASP Top 10 2021 What's New
OWASP Top 10 2021 – Overview and What's New.
OWASP Top 10 is the most successful OWASP Project
It shows ten most critical web application security flaws.
Read the presentation and you will learn each OWASP Top 10 category and recommendations on how to prevent it.
Security testing
Security Testing is a process to determine that an information system protects data and maintains functionality as intended.
Static Analysis Security Testing for Dummies... and You
Most enterprise application security teams have at least one Static Analysis Security Testing (SAST) tool in their tool-belt; but for many, the tool never leaves the belt. SAST tools have gotten a reputation for being slow, error-prone, and difficult to use; and out of the box, many of them are – but with a little more knowledge behind how these tools are designed, a SAST tool can be a valuable part of any security program.
In this talk, we’ll help you understand the strengths and weaknesses of SAST tools by illustrating how they trace your code for vulnerabilities. You’ll see out-of-the-box rules for commercial and open-source SAST tools, and learn how to write custom rules for the widely-used open source SAST tool, PMD. We’ll explain the value of customizing tools for your organization; and you’ll learn how to integrate SAST technologies into your existing build and deployment pipelines. Lastly, we’ll describe many of the common challenges organizations face when deploying a new security tool to security or development teams, as well as some helpful hints to resolve these issues
Burp suite
Burp Suite is a Java-based tool for testing the security of web applications. It has free and paid versions. The tool's modules include Target, Proxy, Spider, Scanner, Intruder, Repeater, Sequencer, Decoder, Comparer, and Extender. The Target module provides an overview of the application. The Proxy module intercepts and inspects traffic between the browser and server. The Spider module automatically crawls the application. The Scanner module automatically scans for vulnerabilities. The Intruder module automates customized attacks. The Repeater module manually manipulates and reissues requests.
Penetration Testing Execution Phases
This document outlines the phases of a penetration testing execution, with a focus on the reconnaissance phase. It discusses the reconnaissance phase in depth, including levels of information gathering, goals of information gathering through open source intelligence (OSINT), and types of corporate and target details that should be collected. The key aspects covered are the importance of gathering information before launching attacks, doing so in a legal and ethical manner according to the rules of engagement, and focusing reconnaissance efforts on information directly relevant to the goals of the penetration test. The overall goal of the reconnaissance phase is to safely and effectively collect intelligence on the target to inform subsequent phases of testing.
Vulnerability assessment and penetration testing
This document discusses vulnerability assessment and penetration testing. It defines them as two types of vulnerability testing that search for known vulnerabilities and attempt to exploit vulnerabilities, respectively. Vulnerability assessment uses automated tools to detect known issues, while penetration testing employs hacking techniques to demonstrate how deeply vulnerabilities could be exploited like an actual attacker. Both are important security practices for identifying weaknesses and reducing risks, but require different skills and have different strengths, weaknesses, frequencies, and report outputs. Reasons for vulnerabilities include insecure coding, limited testing, and misconfigurations. The document outlines common vulnerability and attack types as well as how vulnerability assessment and penetration testing are typically conducted.
Introduction To OWASP
The document provides an overview of the Open Web Application Security Project (OWASP). It discusses what OWASP is, the free resources it provides like publications, tools, and local chapters. It outlines some of OWASP's major publications like the OWASP Top 10 and Testing Guide. It also demonstrates the WebScarab and WebGoat tools. Finally, it describes the goals and offerings of the OWASP Cincinnati local chapter.
Recommended
SAST vs. DAST: What’s the Best Method For Application Security Testing?
High profile security breaches are leading to heightened organizational security concerns. Firms around the world are now observing the consequences of security breaches that are becoming more widespread and more advanced. Due to this, firms are ready to identify vulnerabilities in their applications and mitigate the risks.
Two ways to go about this are static application security testing (SAST) and dynamic application security testing (DAST). These application security testing methodologies are used to find the security vulnerabilities that make your organization’s applications susceptible to attack.
The two methodologies approach applications very differently. They are most effective at different phases of the software development life cycle (SDLC) and find different types of vulnerabilities. For example, SAST detects critical vulnerabilities such as cross-site scripting (XSS), SQL injection, and buffer overflow earlier in the SDLC. DAST, on the other hand, uses an outside-in penetration testing approach to identify security vulnerabilities while web applications are running.
Let us guide you through your application security testing journey with more key differences between SAST and DAST:
OWASP Top 10 2021 What's New
OWASP Top 10 2021 – Overview and What's New.
OWASP Top 10 is the most successful OWASP Project
It shows ten most critical web application security flaws.
Read the presentation and you will learn each OWASP Top 10 category and recommendations on how to prevent it.
Security testing
Security Testing is a process to determine that an information system protects data and maintains functionality as intended.
Static Analysis Security Testing for Dummies... and You
Most enterprise application security teams have at least one Static Analysis Security Testing (SAST) tool in their tool-belt; but for many, the tool never leaves the belt. SAST tools have gotten a reputation for being slow, error-prone, and difficult to use; and out of the box, many of them are – but with a little more knowledge behind how these tools are designed, a SAST tool can be a valuable part of any security program.
In this talk, we’ll help you understand the strengths and weaknesses of SAST tools by illustrating how they trace your code for vulnerabilities. You’ll see out-of-the-box rules for commercial and open-source SAST tools, and learn how to write custom rules for the widely-used open source SAST tool, PMD. We’ll explain the value of customizing tools for your organization; and you’ll learn how to integrate SAST technologies into your existing build and deployment pipelines. Lastly, we’ll describe many of the common challenges organizations face when deploying a new security tool to security or development teams, as well as some helpful hints to resolve these issues
Burp suite
Burp Suite is a Java-based tool for testing the security of web applications. It has free and paid versions. The tool's modules include Target, Proxy, Spider, Scanner, Intruder, Repeater, Sequencer, Decoder, Comparer, and Extender. The Target module provides an overview of the application. The Proxy module intercepts and inspects traffic between the browser and server. The Spider module automatically crawls the application. The Scanner module automatically scans for vulnerabilities. The Intruder module automates customized attacks. The Repeater module manually manipulates and reissues requests.
Penetration Testing Execution Phases
This document outlines the phases of a penetration testing execution, with a focus on the reconnaissance phase. It discusses the reconnaissance phase in depth, including levels of information gathering, goals of information gathering through open source intelligence (OSINT), and types of corporate and target details that should be collected. The key aspects covered are the importance of gathering information before launching attacks, doing so in a legal and ethical manner according to the rules of engagement, and focusing reconnaissance efforts on information directly relevant to the goals of the penetration test. The overall goal of the reconnaissance phase is to safely and effectively collect intelligence on the target to inform subsequent phases of testing.
Vulnerability assessment and penetration testing
This document discusses vulnerability assessment and penetration testing. It defines them as two types of vulnerability testing that search for known vulnerabilities and attempt to exploit vulnerabilities, respectively. Vulnerability assessment uses automated tools to detect known issues, while penetration testing employs hacking techniques to demonstrate how deeply vulnerabilities could be exploited like an actual attacker. Both are important security practices for identifying weaknesses and reducing risks, but require different skills and have different strengths, weaknesses, frequencies, and report outputs. Reasons for vulnerabilities include insecure coding, limited testing, and misconfigurations. The document outlines common vulnerability and attack types as well as how vulnerability assessment and penetration testing are typically conducted.
Introduction To OWASP
The document provides an overview of the Open Web Application Security Project (OWASP). It discusses what OWASP is, the free resources it provides like publications, tools, and local chapters. It outlines some of OWASP's major publications like the OWASP Top 10 and Testing Guide. It also demonstrates the WebScarab and WebGoat tools. Finally, it describes the goals and offerings of the OWASP Cincinnati local chapter.
Introduction To Vulnerability Assessment & Penetration Testing
A vulnerability assessment identifies vulnerabilities in systems and networks to understand threats and risks. Penetration testing simulates cyber attacks to detect exploitable vulnerabilities. There are three types of penetration testing: black box with no system info; white box with full system info; and grey box with some system info. Common vulnerabilities include SQL injection, XSS, weak authentication, insecure storage, and unvalidated redirects. Tools like Nexpose, QualysGuard, and OpenVAS can automate vulnerability assessments.
Source Code Analysis with SAST
The document discusses source code analysis techniques for detecting vulnerabilities. It describes several methodologies used in source code analysis tools, including style checking, semantic analysis, and deep flow analysis. Semantic analysis builds an abstract syntax tree to simulate code execution and check for faults. Deep flow analysis extends semantic analysis to generate control and data flow graphs to find issues like race conditions. The document also provides examples of source code vulnerabilities that can be detected, such as a buffer overflow, and discusses how tools can analyze source code, bytecode, and detect entry points vulnerable to attacks.
Web Application Security Testing
The document discusses risk-based security testing methodology for web applications. It involves deriving test cases from threat analysis techniques like attack tree analysis and understanding real-world attack vectors. The goal is to simulate real attacker scenarios and test for vulnerabilities, as well as potential abuse of business logic or flaws in the secure architecture. Security testing is integrated into the software development lifecycle to find and fix issues early.
OWASP Top 10 2021 Presentation (Jul 2022)
The document provides information about the OWASP Top 10 2021 list of web application security risks. It describes the top risk, A01: Broken Access Control, giving its definition, examples of vulnerabilities it can enable, prevention methods, and examples. It also summarizes the second and third top risks, A02: Cryptographic Failures and A03: Injection, in a similar manner.
OWASP Top 10 Web Application Vulnerabilities
This document provides an overview of the OWASP Top 10 Risk Rating Methodology. It explains how risks are rated based on four factors: threat agent, attack vector, technical impact, and business impact. Each factor is given a rating of 1-3 (easy to difficult) and these ratings are multiplied together to calculate an overall weighted risk rating. An example of how this methodology would be applied to an SQL injection vulnerability is also provided.
cyber-security-reference-architecture
The document outlines a cybersecurity reference architecture that provides:
1. Active threat detection across identity, apps, infrastructure, and devices using tools like Azure Security Center, Windows Defender ATP, and Enterprise Threat Detection.
2. Protection of sensitive data through information protection, classification, and data loss prevention tools.
3. Management of identity and access to securely embrace identity as the primary security perimeter.
[Round table] zeroing in on zero trust architecture
Idea of Zero Trust
Frameworks e.g. NIST framework
Building a Zero Trust Architecture
Building Tech stack for transition to Zero Trust Architecture
Building Tech stack for directly implementing Zero Trust Architecture
Splunk-Presentation
The document provides an overview of the Splunk data platform. It discusses how Splunk helps organizations overcome challenges in turning real-time data into action. Splunk provides a single platform to investigate, monitor, and take action on any type of machine data from any source. It enables multiple use cases across IT, security, and business domains. The document highlights some of Splunk's products, capabilities, and customer benefits.
SOC presentation- Building a Security Operations Center
Presentation I used to give on the topic of using a SIM/SIEM to unify the information stream flowing into the SOC. This piece of collateral was used to help close the largest SIEM deal (Product and services) that my employer achieved with this product line.
Security testing fundamentals
Security Testing is deemed successful when the below attributes of an application are intact
- Authentication
- Authorization
- Availability
- Confidentiality
- Integrity
- Non-Repudiation
Testing must start early to minimize defects and cost of quality. Security testing must start right from the Requirements Gathering phase to make sure that the quality of end-product is high.
This is to ensure that any intentional/unintentional unforeseen action does not halt or delay the system.
IBM AppScan - the total software security solution
IBM AppScan - the total software security solution, Content:
- Introduction to security
- Best Practices for Application Security
- IBM AppScan security solution
- DEMO
Vulnerability and Assessment Penetration Testing
VAPT defines a wide range of security testing services to ascertain and address cyber security exposures. It includes vulnerability testing through perimeter scans for missing patches or custom exploits to bypass perimeters, as well as penetration testing by simulating real-world attacks to provide a point-in-time assessment of vulnerabilities and threats to a network infrastructure. Customers can inquire more about these security testing and analysis services by contacting the company.
Security testing
Security Testing involves testing applications and systems to ensure security and proper functionality. It includes testing input validation, internal processing, output validation, and more. Common types of security testing are security auditing, vulnerability scanning, risk assessment, ethical hacking, and penetration testing. The OWASP Top 10 includes SQL injection, cross-site scripting, and broken authentication and session management as common vulnerabilities.
Vulnerability Management
Presentation I gave to a client on showing the importance of implementing a vulnerability management program life cycle.
Penetration Testing Basics
The document provides an overview of penetration testing basics from a presentation by The Internet Storm Center, SANS Institute, and GIAC Certification Program. It discusses the Internet Storm Center, SANS/GIAC training and certifications, common cyber threats, the methodology for penetration testing, tools used for various stages like reconnaissance, scanning, exploitation, and analysis, and the importance of reporting and mitigation strategies.
Cybersecurity in Industrial Control Systems (ICS)
Presented at ISACA's EuroCACS 2015 (Copenhaguen).
Understand the impact of Industrial Control Systems (ICS) on the security ecosystem.
Expand the knowledge on SCADA systems and how cyberattacks can have physical consequences, bridging the cyber and physical worlds.
MITRE ATT&CK Framework
The document discusses the MITRE ATT&CK framework, which is a knowledge base of adversary behaviors and tactics collected from real-world observations. It describes how the framework categorizes behaviors using tactics, techniques, and procedures. The framework can be used for threat intelligence, detection and analytics, adversary emulation, and assessment and engineering. The document provides examples of how organizations can map their detection capabilities and data sources to techniques in the framework to improve visibility of attacks. It cautions against misusing the framework as a checklist rather than taking a threat-informed approach.
Cybersecurity Frameworks | NIST Cybersecurity Framework | Cybersecurity Certi...
** CyberSecurity Certification Training: https://www.edureka.co/cybersecurity-certification-training **
This Edureka tutorial on "Cybersecurity Frameworks" will help you understand why and how the organizations are using the cybersecurity framework to Identify, Protect and Recover from cyber attacks.
Cybersecurity Training Playlist: https://bit.ly/2NqcTQV
Effective Security Operation Center - present by Reza Adineh
The document discusses how to effectively manage a cyber security operations center (SOC). It addresses questions about how to assess the effectiveness and maturity of a SOC, ensure sufficient threat detection capabilities through proper sensors and data collection, and utilize threat intelligence and data enrichment. The document also provides steps to implement threat management, incident response processes, and leverage machine learning and user entity behavior analytics to detect anomalous user behavior and insider threats.
Security Information and Event Management (SIEM)
This document provides an overview of security information and event management (SIEM). It defines SIEM as software and services that combine security information management (SIM) and security event management (SEM). The key objectives of SIEM are to identify threats and breaches, collect audit logs for security and compliance, and conduct investigations. SIEM solutions centralize log collection, correlate events in real-time, generate reports, and provide log retention, forensics and compliance reporting capabilities. The document discusses typical SIEM features, architecture, deployment options, and reasons for SIEM implementation failures.
iAppSecure - Brief on the Company
iAppSecure Solutions is a company started with a vision to create scientifically advanced technologies for application security analysis. We, at iAppSecure, continuously endeavor to innovate and build novel smart technologies that radically enhance the accuracy and effectiveness of discovering vulnerabilities and weaknesses in applications. The technologies that we build enable smarter and deeper application security analysis providing clear actionable reports to our customers.
2015 ISACA NACACS - Audit as Controls Factory
The presentation provides an overview of data analytics concepts and tools that can be used for internal auditing. It discusses how audit analytics can help challenge traditional audit views and provide additional services while maintaining independence. Examples are given of how analytics can be used for monitoring controls, enhancing audits, and ad-hoc analysis of risks. Key lessons focus on ensuring diversity in analytic teams and being prepared to replace personnel. The presentation emphasizes using a toolbox approach to tools and affordably sourcing analytic talent from interns with the needed skills. Maintaining independence is discussed in the context of facilitating rather than directly implementing risk responses or managing risk.
More Related Content
What's hot
Introduction To Vulnerability Assessment & Penetration Testing
A vulnerability assessment identifies vulnerabilities in systems and networks to understand threats and risks. Penetration testing simulates cyber attacks to detect exploitable vulnerabilities. There are three types of penetration testing: black box with no system info; white box with full system info; and grey box with some system info. Common vulnerabilities include SQL injection, XSS, weak authentication, insecure storage, and unvalidated redirects. Tools like Nexpose, QualysGuard, and OpenVAS can automate vulnerability assessments.
Source Code Analysis with SAST
The document discusses source code analysis techniques for detecting vulnerabilities. It describes several methodologies used in source code analysis tools, including style checking, semantic analysis, and deep flow analysis. Semantic analysis builds an abstract syntax tree to simulate code execution and check for faults. Deep flow analysis extends semantic analysis to generate control and data flow graphs to find issues like race conditions. The document also provides examples of source code vulnerabilities that can be detected, such as a buffer overflow, and discusses how tools can analyze source code, bytecode, and detect entry points vulnerable to attacks.
Web Application Security Testing
The document discusses risk-based security testing methodology for web applications. It involves deriving test cases from threat analysis techniques like attack tree analysis and understanding real-world attack vectors. The goal is to simulate real attacker scenarios and test for vulnerabilities, as well as potential abuse of business logic or flaws in the secure architecture. Security testing is integrated into the software development lifecycle to find and fix issues early.
OWASP Top 10 2021 Presentation (Jul 2022)
The document provides information about the OWASP Top 10 2021 list of web application security risks. It describes the top risk, A01: Broken Access Control, giving its definition, examples of vulnerabilities it can enable, prevention methods, and examples. It also summarizes the second and third top risks, A02: Cryptographic Failures and A03: Injection, in a similar manner.
OWASP Top 10 Web Application Vulnerabilities
This document provides an overview of the OWASP Top 10 Risk Rating Methodology. It explains how risks are rated based on four factors: threat agent, attack vector, technical impact, and business impact. Each factor is given a rating of 1-3 (easy to difficult) and these ratings are multiplied together to calculate an overall weighted risk rating. An example of how this methodology would be applied to an SQL injection vulnerability is also provided.
cyber-security-reference-architecture
The document outlines a cybersecurity reference architecture that provides:
1. Active threat detection across identity, apps, infrastructure, and devices using tools like Azure Security Center, Windows Defender ATP, and Enterprise Threat Detection.
2. Protection of sensitive data through information protection, classification, and data loss prevention tools.
3. Management of identity and access to securely embrace identity as the primary security perimeter.
[Round table] zeroing in on zero trust architecture
Idea of Zero Trust
Frameworks e.g. NIST framework
Building a Zero Trust Architecture
Building Tech stack for transition to Zero Trust Architecture
Building Tech stack for directly implementing Zero Trust Architecture
Splunk-Presentation
The document provides an overview of the Splunk data platform. It discusses how Splunk helps organizations overcome challenges in turning real-time data into action. Splunk provides a single platform to investigate, monitor, and take action on any type of machine data from any source. It enables multiple use cases across IT, security, and business domains. The document highlights some of Splunk's products, capabilities, and customer benefits.
SOC presentation- Building a Security Operations Center
Presentation I used to give on the topic of using a SIM/SIEM to unify the information stream flowing into the SOC. This piece of collateral was used to help close the largest SIEM deal (Product and services) that my employer achieved with this product line.
Security testing fundamentals
Security Testing is deemed successful when the below attributes of an application are intact
- Authentication
- Authorization
- Availability
- Confidentiality
- Integrity
- Non-Repudiation
Testing must start early to minimize defects and cost of quality. Security testing must start right from the Requirements Gathering phase to make sure that the quality of end-product is high.
This is to ensure that any intentional/unintentional unforeseen action does not halt or delay the system.
IBM AppScan - the total software security solution
IBM AppScan - the total software security solution, Content:
- Introduction to security
- Best Practices for Application Security
- IBM AppScan security solution
- DEMO
Vulnerability and Assessment Penetration Testing
VAPT defines a wide range of security testing services to ascertain and address cyber security exposures. It includes vulnerability testing through perimeter scans for missing patches or custom exploits to bypass perimeters, as well as penetration testing by simulating real-world attacks to provide a point-in-time assessment of vulnerabilities and threats to a network infrastructure. Customers can inquire more about these security testing and analysis services by contacting the company.
Security testing
Security Testing involves testing applications and systems to ensure security and proper functionality. It includes testing input validation, internal processing, output validation, and more. Common types of security testing are security auditing, vulnerability scanning, risk assessment, ethical hacking, and penetration testing. The OWASP Top 10 includes SQL injection, cross-site scripting, and broken authentication and session management as common vulnerabilities.
Vulnerability Management
Presentation I gave to a client on showing the importance of implementing a vulnerability management program life cycle.
Penetration Testing Basics
The document provides an overview of penetration testing basics from a presentation by The Internet Storm Center, SANS Institute, and GIAC Certification Program. It discusses the Internet Storm Center, SANS/GIAC training and certifications, common cyber threats, the methodology for penetration testing, tools used for various stages like reconnaissance, scanning, exploitation, and analysis, and the importance of reporting and mitigation strategies.
Cybersecurity in Industrial Control Systems (ICS)
Presented at ISACA's EuroCACS 2015 (Copenhaguen).
Understand the impact of Industrial Control Systems (ICS) on the security ecosystem.
Expand the knowledge on SCADA systems and how cyberattacks can have physical consequences, bridging the cyber and physical worlds.
MITRE ATT&CK Framework
The document discusses the MITRE ATT&CK framework, which is a knowledge base of adversary behaviors and tactics collected from real-world observations. It describes how the framework categorizes behaviors using tactics, techniques, and procedures. The framework can be used for threat intelligence, detection and analytics, adversary emulation, and assessment and engineering. The document provides examples of how organizations can map their detection capabilities and data sources to techniques in the framework to improve visibility of attacks. It cautions against misusing the framework as a checklist rather than taking a threat-informed approach.
Cybersecurity Frameworks | NIST Cybersecurity Framework | Cybersecurity Certi...
** CyberSecurity Certification Training: https://www.edureka.co/cybersecurity-certification-training **
This Edureka tutorial on "Cybersecurity Frameworks" will help you understand why and how the organizations are using the cybersecurity framework to Identify, Protect and Recover from cyber attacks.
Cybersecurity Training Playlist: https://bit.ly/2NqcTQV
Effective Security Operation Center - present by Reza Adineh
The document discusses how to effectively manage a cyber security operations center (SOC). It addresses questions about how to assess the effectiveness and maturity of a SOC, ensure sufficient threat detection capabilities through proper sensors and data collection, and utilize threat intelligence and data enrichment. The document also provides steps to implement threat management, incident response processes, and leverage machine learning and user entity behavior analytics to detect anomalous user behavior and insider threats.
Security Information and Event Management (SIEM)
This document provides an overview of security information and event management (SIEM). It defines SIEM as software and services that combine security information management (SIM) and security event management (SEM). The key objectives of SIEM are to identify threats and breaches, collect audit logs for security and compliance, and conduct investigations. SIEM solutions centralize log collection, correlate events in real-time, generate reports, and provide log retention, forensics and compliance reporting capabilities. The document discusses typical SIEM features, architecture, deployment options, and reasons for SIEM implementation failures.
What's hot (20)
Introduction To Vulnerability Assessment & Penetration Testing
Introduction To Vulnerability Assessment & Penetration Testing
[Round table] zeroing in on zero trust architecture
[Round table] zeroing in on zero trust architecture
SOC presentation- Building a Security Operations Center
SOC presentation- Building a Security Operations Center
IBM AppScan - the total software security solution
IBM AppScan - the total software security solution
Cybersecurity Frameworks | NIST Cybersecurity Framework | Cybersecurity Certi...
Cybersecurity Frameworks | NIST Cybersecurity Framework | Cybersecurity Certi...
Effective Security Operation Center - present by Reza Adineh
Effective Security Operation Center - present by Reza Adineh
Similar to DAST, SAST, Hybrid, Hybrid 2.0 & IAST - Methodology & Limitations
iAppSecure - Brief on the Company
iAppSecure Solutions is a company started with a vision to create scientifically advanced technologies for application security analysis. We, at iAppSecure, continuously endeavor to innovate and build novel smart technologies that radically enhance the accuracy and effectiveness of discovering vulnerabilities and weaknesses in applications. The technologies that we build enable smarter and deeper application security analysis providing clear actionable reports to our customers.
2015 ISACA NACACS - Audit as Controls Factory
The presentation provides an overview of data analytics concepts and tools that can be used for internal auditing. It discusses how audit analytics can help challenge traditional audit views and provide additional services while maintaining independence. Examples are given of how analytics can be used for monitoring controls, enhancing audits, and ad-hoc analysis of risks. Key lessons focus on ensuring diversity in analytic teams and being prepared to replace personnel. The presentation emphasizes using a toolbox approach to tools and affordably sourcing analytic talent from interns with the needed skills. Maintaining independence is discussed in the context of facilitating rather than directly implementing risk responses or managing risk.
Can You Really Automate Yourself Secure
Much attention has been given to the need for increased automation in security, given the sheer volume of attackers and attacks, the overload of information security pros must wrangle, and the continued high demand for security expertise. But can automation solve all of security’s most serious problems? If not, why not? Will there always be a need for human involvement?
These slides were used in a live webcast featuring, 451 Research Information Security Research Director Scott Crawford and Cigital Managing Principal Nabil Hannan. You can watch this and other webcasts by visiting https://www.cigital.com/resources/.
Embedded world 2017
Embedded software engineering has become a much bigger and more complex domain than we could have imagined. As devices are expected to communicate with other devices and embedded subsystems, a much larger surface area has emerged for defects that threaten the safety, security, and reliability of the software. For example, the connected car not only introduces software safety and security concerns within the car as a system, interactions with environmental components, such as communicating with 'smart traffic lights' and vehicle-to-vehicle communication, potentially expose additional risk. Additionally, as car makers develop and merge functionality into 'the autopilot' mode, driver-assist technologies have become safety-critical technologies.
Embedded software organizations have always taken a 'shift-left' approach to software quality, rigorously applying defect prevention techniques early in the lifecycle. The demand for IoT requires a new testing paradigm that more closely resembles the challenges that Enterprise IT have faced for decades. As enterprise IT struggles to 'shift-left', embedded systems are struggling to 'shift-right' by testing more componentized and distributed architectures.
From the Frontline of RASP Adoption
RASP (Runtime Application Self-Protection) is a new concept aiming at revolutionizing application security. This presentation is a envisioned as a guide for early adopters and technology evaluators.
How To Avoid Continuously Delivering Faulty Software
As organizations continue to compress development and delivery lifecycles, the risk of regressions, integration errors, and other defects rises. But how can development teams integrate defect prevention strategies into their release cycles to ensure that they're not continuously delivering faulty software? In this presentation, learn the key development testing processes to add to your Continuous Delivery system to reduce the risk of automating the release of software defects.
Questions for successful test automation projects
Test automation is not only about coding. Successful test automation involves critical thinking and clarity of objectives before actually beginning development. This material provides guidance in putting some of the right questions and how to think as for having an efficient and effective test automation in the context of your project.
Managing Open Source in Application Security and Software Development Lifecycle
Managing Open Source in Application Security and Software Development LifecycleBlack Duck by Synopsys
Presented September 15, 2016 by John Steven, CTO, Cigital; Mike Pittenger, VP Security Strategy, Black Duck
Today, open source comprises a critical component of software code in the average application, yet most organizations lack the visibility into and control of the open source they’re using. A 2016 analysis of 200 commercial applications showed that 67% contained known open source vulnerabilities. Whether it’s a SaaS solution you deliver to millions of customers, or an internal application developed for employees, addressing the open source visibility and control challenges is vital to ensuring proper software security.
Open source use is ubiquitous worldwide. It powers your mobile phone and your company’s most important cloud application. Securing mission critical applications must evolve to address open source as part of software security, complementing and extending the testing of in-house written code.
In this webinar by Cigital and Black Duck security experts, you’ll learn:
- The current state of application security management within the Software Development Lifecycle (SDLC)
- New security considerations organizations face in testing applications that combine open source and in-house written software.
- Steps you can take to automate and manage open source security as part of application developmentHow to Avoid Continuously Delivering Faulty Software
As organizations continue to compress development and delivery lifecycles, the risk of regressions, integration errors, and other defects rises. But how can development teams integrate defect prevention strategies into their release cycles to ensure that they're not continuously delivering faulty software? In this session, learn the key development testing processes to add to your Continuous Delivery system to reduce the risk of automating the release of software defects.
Building a Test Automation Strategy for Success
Choosing an appropriate tool and building the right framework are typically thought of as the main challenges in implementing successful test automation. However, long term success requires that other key questions must be answered including:
- What are our objectives?
- How should we be organized?
- Will our processes need to change?
- Will our test environment support test automation?
- What skills will we need?
- How and when should we implement?
In this workshop, Lee will discuss how to assess your test automation readiness and build a strategy for long term success. You will interactively walk through the assessment process and build a test automation strategy based on input from the group. Attend this workshop and you will take away a blue print and best practices for building an effective test automation strategy in your organization.
• Understand the key aspects of a successful test automation function
• Learn how to assess your test automation readiness
• Develop a test automation strategy specific to your organization
Advancing Testing Program Maturity in your organization
This will be presented at the Optimizely's San Francisco User Group session on Oct 4th. As with any program, an A/B Testing Practice also follows a specific maturity curve. Since it is much more complex and spans across various domains and business units, it begins with a "Sell" phase focused on getting buy-in from various stakeholders but with a specific focus on Engineering & QA, followed by "Scale" phase with focus on building team, efficiency and program and then on to "Expand" phase focused on wider scope/complex tests and strengthen the platform, over to the "Deepen" phase where the focus is to ingrain testing within the company's DNA, i.e., within the backend/algorithms, cross pollinate learning and testing across various business units. The final phase is the "Sustain" phase where Algorithmic Test Management takes over Testing, and Testing is productized as a Value Add service for monetization and brand captial creation. We will walk the audience through our own journey so far along the maturity curve, the lessons learnt along the way, the challenges and what worked for us. The session will be rounded up with a working session with the audience on their own journey, lessons and advice for others.
The elusive root cause
The document discusses root cause analysis in IT problem resolution. It defines root cause analysis and explains its importance in improving IT processes and meeting organizational goals. It describes the typical problem resolution process and challenges, including lack of a structured process and "blame game" between teams. The document reviews different problem detection methods and common root cause analysis approaches, and proposes ways to improve processes through mapping of services and infrastructure, implementing a structured collaborative process, and leveraging tools that provide historical context and topology-based correlation.
What Good is this Tool? A Guide to Choosing the Right Application Security Te...
Abstract:
Choosing the right Application Security Testing (AST) tool can be challenging for any security program, and after rolling it out, discovering the real security value it brings can be downright discouraging. No single tool can solve all of all of your security problems, but unfortunately, that is exactly how many of them are marketed. This is compounded by sales teams who convince executive leadership that security programs should be built around their tools, rather than fitting each tool within a well-planned security program. The primary takeaways from this talk are:
• An understanding the real value of each type of AST tool (SAST, DAST, IAST);
• How to leverage your tools for better security visibility and process efficiency;
• Steps to find the right tool for your security program;
• Keys to finding the best stage of the SDLC to implement each tool type within your security program;
• How to integrate new tools with your existing DevOps or Agile environments and processes
Additional Takeaways:
• Examine the strengths and limitations of SAST, DAST, and IAST tools
• Learn how to choose the right tools for your security program
• Discover how to seamlessly integrate your tools into existing DevOps and Agile environments and processes
• Provide security visibility to developers, managers, and executives by enhancing your existing technology
• Learn to use your tools to improve the efficiency of security tasks that are currently manual
Towards Responsible AI - KC.pptx
1. The document discusses responsible AI and outlines several principles for developing AI systems responsibly, including privacy, fairness, transparency, reliability, inclusiveness, and accountability.
2. It provides examples of techniques like differential privacy and model constraints that can help mitigate privacy and fairness issues in AI systems.
3. The document also discusses the importance of transparency in AI through explainability, highlighting packages and methods for interpreting models.
Chapter 13 software testing strategies
This ppt covers the following
A strategic approach to testing
Test strategies for conventional software
Test strategies for object-oriented software
Validation testing
System testing
The art of debugging
IT Risk Management
This document discusses risk management in information technology. It begins with introductions and an agenda. It then covers IT management basics like strategy, operations, and project management. It defines IT risks as the possibility that IT will not be able to deliver required capabilities. It discusses identifying, analyzing, planning for, tracking, controlling, and communicating risks. It provides an example of managing application support risks and a case study on a project to improve service excellence at an organization.
Handle With Care: You Have My VA Report!
The document provides guidelines for structuring application security assessment reports. It recommends that reports include details about the assessors and assessment methodology. The report should specify the scope, timeline, and targets of the assessment. It should also list any limitations and provide a summary of findings by risk level. The appendix should outline the testing tools and methodology used. Finally, the report should include a remediation plan with timelines and descriptions of how issues will be addressed.
Audit: Breaking Down Barriers to Increase the Use of Data Analytics
The document discusses breaking down barriers to increase the use of data analytics in auditing. It outlines how NASDAQ uses data analytics in its internal auditing processes. It identifies common barriers like lack of skills and technology experience. It recommends starting small with basic analytics and focusing on business objectives. The document provides examples of using analytics for email logs, access reviews, alerts and other auditing purposes. It emphasizes gaining management support and measuring effectiveness to expand analytics use.
MediaEval 2018: Baseline Algorithms for Predicting the Interest in News
Paper: http://ceur-ws.org/Vol-2283/MediaEval_18_paper_42.pdf
Youtube: https://youtu.be/Nfn6ekXZOw4
Andreas Lommatzsch, Benjamin Kille, Baseline Algorithms for Predicting the Interest in News based on Multimedia Data. Proc. of MediaEval 2018, 29-31 October 2018, Sophia Antipolis, France.
Abstract: The analysis of images in the context of recommender systems is a challenging research topic. NewsREEL Multimedia enables researchers to study new algorithms with a large dataset. The dataset comprises news items and the number of impressions as a proxy for interestingness. Each news article comes with textual and image features. This paper presents data characteristics and baseline prediction models. We discuss the performance of these predictors.
Presented by Andreas Lommatzsch
Application Threat Modeling
As delusions of effective risk management for application environments continue to spread, companies continue to bleed large amounts of security spending without truly knowing if the amount is warranted, effective, or even elevating security at all. In parallel, hybrid, thought-provoking security strategies are moving beyond conceptual ideas to practical applications within ripe environments. Application Threat Modeling is one of those areas that, beyond the hype, provides practical and sensible security strategy that leverages already existing security efforts for an improved threat model of what is lurking in the shadows.
Tony UcedaVelez, Managing Director
An experienced security management professional, Tony has more than 10 years of hands-on security and technology experience and is a vocal advocate of security process engineering – a term that describes the design and development of secure processes and controls working symbiotically to create a unique business workflow. Tony currently serves as Managing Director for an Atlanta based risk advisory firm that focuses on security strategy and delivering effective means for risk mitigation and security process engineering. He has worked and consulted for the Fortune 500, as well as federal agencies in the U.S. on the topic of application security and security process engineering.
Similar to DAST, SAST, Hybrid, Hybrid 2.0 & IAST - Methodology & Limitations (20)
How To Avoid Continuously Delivering Faulty Software
How To Avoid Continuously Delivering Faulty Software
Managing Open Source in Application Security and Software Development Lifecycle
Managing Open Source in Application Security and Software Development Lifecycle
How to Avoid Continuously Delivering Faulty Software
How to Avoid Continuously Delivering Faulty Software
Advancing Testing Program Maturity in your organization
Advancing Testing Program Maturity in your organization
What Good is this Tool? A Guide to Choosing the Right Application Security Te...
What Good is this Tool? A Guide to Choosing the Right Application Security Te...
Audit: Breaking Down Barriers to Increase the Use of Data Analytics
Audit: Breaking Down Barriers to Increase the Use of Data Analytics
MediaEval 2018: Baseline Algorithms for Predicting the Interest in News
MediaEval 2018: Baseline Algorithms for Predicting the Interest in News
Recently uploaded
Presentation of the OECD Artificial Intelligence Review of Germany
Consult the full report at https://www.oecd.org/digital/oecd-artificial-intelligence-review-of-germany-609808d6-en.htm
HCL Notes and Domino License Cost Reduction in the World of DLAU
Webinar Recording: https://www.panagenda.com/webinars/hcl-notes-and-domino-license-cost-reduction-in-the-world-of-dlau/
The introduction of DLAU and the CCB & CCX licensing model caused quite a stir in the HCL community. As a Notes and Domino customer, you may have faced challenges with unexpected user counts and license costs. You probably have questions on how this new licensing approach works and how to benefit from it. Most importantly, you likely have budget constraints and want to save money where possible. Don’t worry, we can help with all of this!
We’ll show you how to fix common misconfigurations that cause higher-than-expected user counts, and how to identify accounts which you can deactivate to save money. There are also frequent patterns that can cause unnecessary cost, like using a person document instead of a mail-in for shared mailboxes. We’ll provide examples and solutions for those as well. And naturally we’ll explain the new licensing model.
Join HCL Ambassador Marc Thomas in this webinar with a special guest appearance from Franz Walder. It will give you the tools and know-how to stay on top of what is going on with Domino licensing. You will be able lower your cost through an optimized configuration and keep it low going forward.
These topics will be covered
- Reducing license cost by finding and fixing misconfigurations and superfluous accounts
- How do CCB and CCX licenses really work?
- Understanding the DLAU tool and how to best utilize it
- Tips for common problem areas, like team mailboxes, functional/test users, etc
- Practical examples and best practices to implement right away
Taking AI to the Next Level in Manufacturing.pdf
Read Taking AI to the Next Level in Manufacturing to gain insights on AI adoption in the manufacturing industry, such as:
1. How quickly AI is being implemented in manufacturing.
2. Which barriers stand in the way of AI adoption.
3. How data quality and governance form the backbone of AI.
4. Organizational processes and structures that may inhibit effective AI adoption.
6. Ideas and approaches to help build your organization's AI strategy.
Building Production Ready Search Pipelines with Spark and Milvus
Spark is the widely used ETL tool for processing, indexing and ingesting data to serving stack for search. Milvus is the production-ready open-source vector database. In this talk we will show how to use Spark to process unstructured data to extract vector representations, and push the vectors to Milvus vector database for search serving.
OpenID AuthZEN Interop Read Out - Authorization
During Identiverse 2024 and EIC 2024, members of the OpenID AuthZEN WG got together and demoed their authorization endpoints conforming to the AuthZEN API
Uni Systems Copilot event_05062024_C.Vlachos.pdf
Unlocking Productivity: Leveraging the Potential of Copilot in Microsoft 365, a presentation by Christoforos Vlachos, Senior Solutions Manager – Modern Workplace, Uni Systems
AI 101: An Introduction to the Basics and Impact of Artificial Intelligence
Imagine a world where machines not only perform tasks but also learn, adapt, and make decisions. This is the promise of Artificial Intelligence (AI), a technology that's not just enhancing our lives but revolutionizing entire industries.
Driving Business Innovation: Latest Generative AI Advancements & Success Story
Are you ready to revolutionize how you handle data? Join us for a webinar where we’ll bring you up to speed with the latest advancements in Generative AI technology and discover how leveraging FME with tools from giants like Google Gemini, Amazon, and Microsoft OpenAI can supercharge your workflow efficiency.
During the hour, we’ll take you through:
Guest Speaker Segment with Hannah Barrington: Dive into the world of dynamic real estate marketing with Hannah, the Marketing Manager at Workspace Group. Hear firsthand how their team generates engaging descriptions for thousands of office units by integrating diverse data sources—from PDF floorplans to web pages—using FME transformers, like OpenAIVisionConnector and AnthropicVisionConnector. This use case will show you how GenAI can streamline content creation for marketing across the board.
Ollama Use Case: Learn how Scenario Specialist Dmitri Bagh has utilized Ollama within FME to input data, create custom models, and enhance security protocols. This segment will include demos to illustrate the full capabilities of FME in AI-driven processes.
Custom AI Models: Discover how to leverage FME to build personalized AI models using your data. Whether it’s populating a model with local data for added security or integrating public AI tools, find out how FME facilitates a versatile and secure approach to AI.
We’ll wrap up with a live Q&A session where you can engage with our experts on your specific use cases, and learn more about optimizing your data workflows with AI.
This webinar is ideal for professionals seeking to harness the power of AI within their data management systems while ensuring high levels of customization and security. Whether you're a novice or an expert, gain actionable insights and strategies to elevate your data processes. Join us to see how FME and AI can revolutionize how you work with data!
How to Get CNIC Information System with Paksim Ga.pptx
Pakdata Cf is a groundbreaking system designed to streamline and facilitate access to CNIC information. This innovative platform leverages advanced technology to provide users with efficient and secure access to their CNIC details.
Microsoft - Power Platform_G.Aspiotis.pdf
Revolutionizing Application Development
with AI-powered low-code, presentation by George Aspiotis, Sr. Partner Development Manager, Microsoft
AI-Powered Food Delivery Transforming App Development in Saudi Arabia.pdf
In this blog post, we'll delve into the intersection of AI and app development in Saudi Arabia, focusing on the food delivery sector. We'll explore how AI is revolutionizing the way Saudi consumers order food, how restaurants manage their operations, and how delivery partners navigate the bustling streets of cities like Riyadh, Jeddah, and Dammam. Through real-world case studies, we'll showcase how leading Saudi food delivery apps are leveraging AI to redefine convenience, personalization, and efficiency.
Let's Integrate MuleSoft RPA, COMPOSER, APM with AWS IDP along with Slack
Discover the seamless integration of RPA (Robotic Process Automation), COMPOSER, and APM with AWS IDP enhanced with Slack notifications. Explore how these technologies converge to streamline workflows, optimize performance, and ensure secure access, all while leveraging the power of AWS IDP and real-time communication via Slack notifications.
TrustArc Webinar - 2024 Global Privacy Survey
How does your privacy program stack up against your peers? What challenges are privacy teams tackling and prioritizing in 2024?
In the fifth annual Global Privacy Benchmarks Survey, we asked over 1,800 global privacy professionals and business executives to share their perspectives on the current state of privacy inside and outside of their organizations. This year’s report focused on emerging areas of importance for privacy and compliance professionals, including considerations and implications of Artificial Intelligence (AI) technologies, building brand trust, and different approaches for achieving higher privacy competence scores.
See how organizational priorities and strategic approaches to data security and privacy are evolving around the globe.
This webinar will review:
- The top 10 privacy insights from the fifth annual Global Privacy Benchmarks Survey
- The top challenges for privacy leaders, practitioners, and organizations in 2024
- Key themes to consider in developing and maintaining your privacy program
HCL Notes und Domino Lizenzkostenreduzierung in der Welt von DLAU
Webinar Recording: https://www.panagenda.com/webinars/hcl-notes-und-domino-lizenzkostenreduzierung-in-der-welt-von-dlau/
DLAU und die Lizenzen nach dem CCB- und CCX-Modell sind für viele in der HCL-Community seit letztem Jahr ein heißes Thema. Als Notes- oder Domino-Kunde haben Sie vielleicht mit unerwartet hohen Benutzerzahlen und Lizenzgebühren zu kämpfen. Sie fragen sich vielleicht, wie diese neue Art der Lizenzierung funktioniert und welchen Nutzen sie Ihnen bringt. Vor allem wollen Sie sicherlich Ihr Budget einhalten und Kosten sparen, wo immer möglich. Das verstehen wir und wir möchten Ihnen dabei helfen!
Wir erklären Ihnen, wie Sie häufige Konfigurationsprobleme lösen können, die dazu führen können, dass mehr Benutzer gezählt werden als nötig, und wie Sie überflüssige oder ungenutzte Konten identifizieren und entfernen können, um Geld zu sparen. Es gibt auch einige Ansätze, die zu unnötigen Ausgaben führen können, z. B. wenn ein Personendokument anstelle eines Mail-Ins für geteilte Mailboxen verwendet wird. Wir zeigen Ihnen solche Fälle und deren Lösungen. Und natürlich erklären wir Ihnen das neue Lizenzmodell.
Nehmen Sie an diesem Webinar teil, bei dem HCL-Ambassador Marc Thomas und Gastredner Franz Walder Ihnen diese neue Welt näherbringen. Es vermittelt Ihnen die Tools und das Know-how, um den Überblick zu bewahren. Sie werden in der Lage sein, Ihre Kosten durch eine optimierte Domino-Konfiguration zu reduzieren und auch in Zukunft gering zu halten.
Diese Themen werden behandelt
- Reduzierung der Lizenzkosten durch Auffinden und Beheben von Fehlkonfigurationen und überflüssigen Konten
- Wie funktionieren CCB- und CCX-Lizenzen wirklich?
- Verstehen des DLAU-Tools und wie man es am besten nutzt
- Tipps für häufige Problembereiche, wie z. B. Team-Postfächer, Funktions-/Testbenutzer usw.
- Praxisbeispiele und Best Practices zum sofortigen Umsetzen
20240607 QFM018 Elixir Reading List May 2024
Everything I found interesting about the Elixir programming ecosystem in May 2024
Fueling AI with Great Data with Airbyte Webinar
This talk will focus on how to collect data from a variety of sources, leveraging this data for RAG and other GenAI use cases, and finally charting your course to productionalization.
GraphRAG for Life Science to increase LLM accuracy
GraphRAG for life science domain, where you retriever information from biomedical knowledge graphs using LLMs to increase the accuracy and performance of generated answers
Recently uploaded (20)
Presentation of the OECD Artificial Intelligence Review of Germany
Presentation of the OECD Artificial Intelligence Review of Germany
HCL Notes and Domino License Cost Reduction in the World of DLAU
HCL Notes and Domino License Cost Reduction in the World of DLAU
Building Production Ready Search Pipelines with Spark and Milvus
Building Production Ready Search Pipelines with Spark and Milvus
AI 101: An Introduction to the Basics and Impact of Artificial Intelligence
AI 101: An Introduction to the Basics and Impact of Artificial Intelligence
Driving Business Innovation: Latest Generative AI Advancements & Success Story
Driving Business Innovation: Latest Generative AI Advancements & Success Story
How to Get CNIC Information System with Paksim Ga.pptx
How to Get CNIC Information System with Paksim Ga.pptx
AI-Powered Food Delivery Transforming App Development in Saudi Arabia.pdf
AI-Powered Food Delivery Transforming App Development in Saudi Arabia.pdf
Let's Integrate MuleSoft RPA, COMPOSER, APM with AWS IDP along with Slack
Let's Integrate MuleSoft RPA, COMPOSER, APM with AWS IDP along with Slack
HCL Notes und Domino Lizenzkostenreduzierung in der Welt von DLAU
HCL Notes und Domino Lizenzkostenreduzierung in der Welt von DLAU
GraphRAG for Life Science to increase LLM accuracy
GraphRAG for Life Science to increase LLM accuracy
DAST, SAST, Hybrid, Hybrid 2.0 & IAST - Methodology & Limitations
- 1. Current Approaches and Limitations
- 2. Copyright - iAppSecure Solutions External DAST (≠ DAST) • Limitation with request / response only analysis • Fuzzing, guesswork, trial and error or symptom based detection • Lack of internal visibility and risk associated with vulnerabilities missed • Manual cost of validating vulnerabilities and finding additional vulnerabilities ? ? ? ? ? ? ? ?
- 3. Copyright - iAppSecure Solutions ? SAST • Frustration with noise produced and efforts in removing them • Lack of external perspective and end-to-end visibility • Lack of concrete value based view and detection • Manual cost of validating vulnerabilities and finding additional vulnerabilities ? ? ? ? ?
- 4. Copyright - iAppSecure Solutions Hybrid 1.0 • Correlation is not a solution to the problem of finding vulnerabilities accurately • Correlation simply cannot overcome fundamental deficiencies of the analyzers • Correlated vulnerabilities is not an indication of severity, exploitability or priority • False negatives reduced but sum of undesirable false positives is inherited as well • Hybrid – DAST and SAST result based correlation • Shortcut approach which preserves existing investment • Issues with URL to source based correlation • Marginal gains in improvement of dynamic coverage because of lack of context DAST SAST Correlated Results
- 5. Copyright - iAppSecure Solutions Hybrid 2.0 • Correlation logic more effective but again fundamental problems with correlation based approach remain same • Hybrid – DAST with instrumentation based feedback and stack trace based correlation with SAST • Coarse instrumentation / stack trace based approach • Shifts visibility point but entire application logic in between is still black box • Instrument what ? application or library function execution ? • Instrument how much ? application details or limited library functions executed ? • Small gains in improvement of dynamic coverage because of lack of context DAST SAST Correlated Results Instrument / Stack Trace Feedback
- 6. Copyright - iAppSecure Solutions IAST • Very broad interpretation (interactive is one aspect) • Under the hood (approach matters) • Instrumentation Technology – Limited (Source, Sink, Propagation) or Advanced ? • Analysis Technology – Concrete, Symbolic or Interweaved ? • Operation – Passive, Active or Multi-way ? • Modeling – Function Level with Limited API or Application Level with High Resolution ? • Visibility • Screen / Use Case • Request / Response • Application Flow • Analysis Technique • Concrete • Symbolic • Interweaved • Application Trace • Language Support
- 7. Copyright - iAppSecure Solutions Summary • Every analysis technique has strengths and weaknesses • Standalone analyzers • Are monolithic and cannot improve based on observations of other analyzers • Cannot contribute towards improving other analyzers • Using limited techniques like DAST, SAST, IAST • Is not adequate for getting higher accuracy, assurance or complete visibility • Misses out very valuable information which can drastically improve the analyzers results • Hybrid approach • Use correlation which is not a solution to the problem of finding vulnerabilities accurately • Correlation simply cannot overcome fundamental deficiencies of the analyzers • An accurate application model • Provides huge wealth of information about application (nuts and bolts of application) • Must be the foundation for any analysis requiring higher assurance
- 8. Copyright - iAppSecure Solutions Thank You • iAppSecure Solutions • www.iappsecure.com • contact@iappsecure.com