Comparing Application Security Tools

Presented at DEF CON 15 (2007), Aug. 3, 2007, 6:30 p.m. (20 minutes)

If you're going to buy an application security tool, which one will it be? Every vendor likes to talk about how their tools are the best. "We are the market leader!" they all say. But not everyone can lead all the time. I will show how I took half a dozen "leading" application security tools (both static and dynamic) and compared them head-to-head against the same open source application. All of the tools found something, but no two tools found the same thing! I will break down the different techniques each tool uses and show specifically which bugs each tool finds. The proceedings will include all of the details about the code so that you can add your own tools to the comparison. The presentation gives a methodology for doing detailed tool comparisons.

Presenters:

  • Edward Lee - Security Researcher, Fortify Software
    Edward Lee is a member of Fortify Software's Security Research Group, which is responsible for building security knowledge into Fortify's products. Specifically, Mr. Lee investigates and develops methodologies for the discovery of vulnerabilities and defense against attacks in software. Prior to joining Fortify, Mr. Lee was a security consultant at Exodus Communications/Cable & Wireless, where he was responsible for securing customer systems and advising customers about potential threats. He is also an active member of a team that has won twice at the Defcon Capture the Flag hacking competition.
