
Published on September 30th, 2014

Static Analysis for Dynamic Assessments – OWASP AppSecUSA 2014



Recorded at AppSecUSA 2014 in Denver
http://2014.appsecusa.org/

Thursday, September 18 • 1:00pm - 1:45pm
Static Analysis for Dynamic Assessments

Today’s dynamic and static web vulnerability scanners are capable of analyzing complex web applications for security weaknesses. They automate testing of many common vulnerabilities. However, there is a gap between static and dynamic scanners: they find different vulnerabilities. So why aren’t dynamic testers running static tools? Typically, they don’t have source code.

In this session, Greg will explore ways dynamic testers can utilize static tools without source code. Greg will discuss a process for collecting and scanning client-side files. Furthermore, Greg will demonstrate a custom-developed tool that automates this process from within Burp Suite.

The objective of running static analysis during a dynamic assessment is to reduce potential false negatives by increasing the breadth of the assessment.





Speaker

Greg Patton
Senior Security Consultant, HP Fortify
Greg Patton is a Sr. Security Consultant with HP Fortify on Demand based in Houston, TX. With nearly ten years of security experience, Greg specializes in application security with a focus on dynamic web and iOS mobile assessments. Greg started his career in software development, and he discovered a natural talent and interest in breaking applications.


Managed by the official OWASP Media Project https://www.owasp.org/index.php/OWASP_Media_Project


2014-09-30 20:00:52
