
Graph Visualization - OWASP NYC Chapter


The presentation that was given by Maty Siman, Checkmarx's CTO during the OWASP NYC/NJ local chapter meeting held on the 11th of April 2013.

Published in: Technology

  1. OWASP NYC – Maty Siman
  2. About: Maty Siman, CISSP. CTO and founder, Checkmarx: leading SAST (“Source Code Analysis”) vendor. Hundreds of customers worldwide. Secures the SalesForce AppExchange market. “Visionary” by Gartner.
  3. Graph Visualization
  4. Issues at hand – size, complexity, volume. The biggest challenge of current source code analysis solutions is size: how to deliver results that are 1. usable, 2. automatic, 3. out-of-the-box and 4. actionable for extra-large code bases with thousands of results.
  5. Issue: finding thousands of accurate results does not make us happy… WebGoat, for example, has hundreds of XSS findings. We’ll narrow this down to 10 fixing places.
  6. Current situation: each result has a data flow, presented independently from the other findings.
  7. Single Data Flow Path – XSS: `String s = Request.QueryString["param1"]; … Response.Write(s);` (source: `Request.QueryString["param1"]`; the taint is carried through `s`; sink: `Response.Write(s)`)
  8. Current situation: one is easy. And 14?
  9. Many single-path XSS findings – a lot of work
  10. But… what do they have in common?
  11. Combined paths
  12. Can we point, click and check without even READING the source code? “What if I fix here? Or here?”
  13. Here it is more effective
  14. What-if I fix here?
  15. And here?
  16. Automatic “What-if” => Best Fix Location: Max-Flow-Min-Cut
  17. Simplifying the graph – step 1 – grouping
  18. Simplifying the graph – step 2 – homeograph’ing
  19. Simplifying the graph – output
  20. Simplifying the graph – output
  21. Compare the three (Space Invader)
  22. Benefits: gives you the correlation between findings of the same type (SQLi) and of different types. You are not dealing with individual findings but with a complete system. Use your time better.
  23. Thank you
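The deck shows the “what if I fix here?” check, the max-flow/min-cut search for the best fix location and the chain-contraction step only as pictures. The Python below is an added example written for this page, not Checkmarx’s code, showing one way those three steps can be implemented over a handful of constructed XSS data-flow paths in the style of slide 7. The `PATHS` list, the `fix_cost` parameter and every function name are assumptions; the min node cut is computed by splitting each node into an in/out pair and running Edmonds-Karp.

```python
from collections import defaultdict, deque

INF = float("inf")

# Constructed sample findings: each SAST result is one source-to-sink data-flow
# path for XSS, in the style of the deck's slide 7.  Four findings, two sources.
PATHS = [
    ['Request.QueryString["param1"]', "s", "Response.Write(s)"],
    ['Request.QueryString["param1"]', "s", "t = s.Trim()", "Response.Write(t)"],
    ['Request.Form["name"]', "name", "html = Format(name)", "Response.Write(html)"],
    ['Request.Form["name"]', "name", "Label1.Text = name"],
]


def unfixed_paths(paths, fixed):
    """'What if I fix here?': findings that pass through none of the fixed nodes."""
    return [p for p in paths if not any(node in fixed for node in p)]


def best_fix_locations(paths, fix_cost=None):
    """Cheapest set of nodes whose sanitisation breaks every path (min node cut).

    Every node v is split into (v,'in') -> (v,'out') with capacity fix_cost[v]
    (default 1, i.e. every location is equally cheap to fix); all other edges get
    infinite capacity, so a minimum SRC-SNK cut can only consist of node edges.
    Edmonds-Karp computes the max flow; the nodes whose 'in' half is reachable
    from SRC in the final residual graph but whose 'out' half is not form the cut.
    """
    fix_cost = fix_cost or {}
    res = defaultdict(lambda: defaultdict(float))  # residual capacities
    for path in paths:
        res["SRC"][(path[0], "in")] = INF          # super-source feeds each taint source
        res[(path[-1], "out")]["SNK"] = INF        # each sink drains to the super-sink
        for node in path:
            res[(node, "in")][(node, "out")] = fix_cost.get(node, 1)
        for a, b in zip(path, path[1:]):
            res[(a, "out")][(b, "in")] = INF       # flow edges are never cut
    while True:  # augment along shortest residual paths until none is left
        parent = {"SRC": None}
        queue = deque(["SRC"])
        while queue and "SNK" not in parent:
            u = queue.popleft()
            for v, r in res[u].items():
                if r > 0 and v not in parent:
                    parent[v] = u
                    queue.append(v)
        if "SNK" not in parent:
            break
        bottleneck, v = INF, "SNK"
        while parent[v] is not None:
            bottleneck = min(bottleneck, res[parent[v]][v])
            v = parent[v]
        v = "SNK"
        while parent[v] is not None:  # push flow, open the reverse edges
            u = parent[v]
            res[u][v] -= bottleneck
            res[v][u] += bottleneck
            v = u
    reachable = set(parent)  # last BFS: the source side of the min cut
    return {v[0] for v in reachable
            if isinstance(v, tuple) and v[1] == "in" and (v[0], "out") not in reachable}


def contract_chains(paths):
    """Simplification step 2: drop every intermediate node that has exactly one
    predecessor and one successor; the reduced graph is homeomorphic to the input."""
    succ, pred = defaultdict(set), defaultdict(set)
    for path in paths:
        for a, b in zip(path, path[1:]):
            succ[a].add(b)
            pred[b].add(a)
    for node in list(succ):
        if len(pred[node]) == 1 and len(succ[node]) == 1:
            (a,), (b,) = pred.pop(node), succ.pop(node)
            succ[a].discard(node)
            succ[a].add(b)
            pred[b].discard(node)
            pred[b].add(a)
    return {a: sorted(bs) for a, bs in succ.items()}


if __name__ == "__main__":
    print("fix at 's' only ->", len(unfixed_paths(PATHS, {"s"})), "findings still open")
    print("best fix (unit cost) ->", sorted(best_fix_locations(PATHS)))
    sources = {p[0] for p in PATHS}
    print("best fix (sources cost 5) ->", sorted(best_fix_locations(PATHS, {s: 5 for s in sources})))
    print("contracted graph ->", contract_chains(PATHS))
```

With unit cost the cut lands on the two taint sources, since validating both inputs covers all four findings. The `fix_cost` weighting is how a reviewer expresses a preference: raising the cost of the source nodes (for example when request parsing belongs to a framework you cannot change) moves the best fix to the variables `s` and `name`, and a sink-side preference (output encoding at `Response.Write`) can be expressed the same way. `contract_chains` removes `t = s.Trim()` and `html = Format(name)`, which is exactly the kind of pass-through node the deck’s step 2 collapses.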