Human vs Artificial intelligence - Battle of Trust

Presented at DeepSec 2016 „Ten“, Unknown date/time (Unknown duration)

In this era of rapid evolution, application technologies have adopted HTML5, WebSockets, APIs, frameworks, dynamic code generation, mobile and many other stacks. Application architecture adds further complexity through integration with other applications, mobile integrations, heavy JavaScript usage and many other communication channels. Automated, AI-driven approaches to security review have their own limitations in capturing some unique and critical issues across applications. Automation can attack and discover vulnerabilities that are signature-based or have predictable behaviour; where it fails, the result is false negatives, and applications are pushed into production with these vulnerabilities, which attackers then exploit to breach systems at the application layer. This talk will present some unique issues that human intelligence can discover but automation is likely to miss, for example:

  • Applications with workflows
  • Asynchronous injections across critical functions
  • Role-based violations and escalations
  • Access to unauthenticated resources via hidden logic
  • Third-party posting, injection and streaming
  • Custom protocol handling and exploitation
  • Sensitive information leaking out via analytics calls
  • Logical abuse of forgot/reset password flows
  • HTML5 local storage weaknesses
  • Exploiting XSS to write into application local storage on mobile

Presenters:

  • Hemil Shah - ExtendedITArms Solutions Pvt Ltd
    Hemil Shah, Co-CEO and Director at Blueinfy, is responsible for customer engagement, assessment implementation and customer communication. He focuses on the development and continuous upgrading of assessment processes and systems to ensure delivery of best-in-class assessment quality. He is very much a hands-on person who works closely with teams to ensure that customer applications are assessed accurately, with maximum coverage in both width and depth. He also contributes regularly to Blueinfy's blog. Saumil has more than 15 years of experience in the software security industry. Prior to joining Blueinfy, Hemil worked for HBO and KPMG, where he was a key member of their internal software security teams. Before that, he also worked for IL&FS and Net-Square, being involved with software security assurance and assessment respectively. Saumil has delivered talks and/or trainings on mobile and application security at various respected conferences, such as HiTB, OWASP Europe, InfoSec World, DeepSec, SyScan, InfoSecWorld and BreakPoint, to name a few. He is one of the founders of eSphere Security and a mentor at ExtendedITArms.
