I>S+D! - Interactive Application Security Testing (IAST), Beyond SAST/DAST

Presented at AppSec USA 2012, Oct. 25, 2012, 3 p.m. (45 minutes)

Until recently, SAST/DAST dominated the application security testing market, each with its own pros and cons. We present IAST, a completely new approach - analyzing code execution, memory and data at runtime, allowing for accurate inspection of the application. We will discuss IAST technology (introduced into the 2011 Hype Cycle) compared with DAST/SAST, and the benefits it provides. The talk aims to examine and discuss technological concepts rather than specific products or solutions, and includes a technical drill-down into the technology specifics. It will begin by presenting the standard IAST building blocks and their benefits, and continue by showing advanced IAST data analysis capabilities, which allow for a deeper analysis of the application and its business logic. The presentation will include practical samples (including code!) of how IAST can be used to accurately detect both simple and complicated vulnerabilities, including SQL Injection, Parameter Tampering, Persistent XSS, CSRF, and more…
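To make the "analyzing code execution and data at runtime" idea concrete, here is an added toy illustration in Python; it is not code from the talk or from Quotium's Seeker product. It models the two hook points an IAST agent relies on: a source hook where request data enters the application, and a sink hook on the database call. Because the agent sees both the untrusted value and the statement that reaches the driver, it can report SQL Injection with an ordinary input such as "alice", without sending attack payloads the way a DAST scanner would. The hook names (`source`, `sql_sink`, `instrumented_execute`) and the sample user table are assumptions made for this example.

```python
import sqlite3


class IastAgent:
    """Toy IAST agent (illustration only): remembers untrusted request inputs
    (sources) and inspects SQL statements at the database call (sink) while the
    application runs."""

    def __init__(self):
        self.untrusted = []   # (parameter name, value) pairs read during the current request
        self.findings = []    # reported flaws for the current request

    def source(self, name, value):
        """Hypothetical hook at the point where request data enters the application."""
        self.untrusted.append((name, value))
        return value

    def sql_sink(self, sql, params):
        """Hypothetical hook at the database call. An untrusted value that shows up
        verbatim inside the statement text was concatenated into it instead of being
        passed as a bound parameter. This substring heuristic is enough for the demo;
        production agents propagate taint labels through string operations instead."""
        for name, value in self.untrusted:
            if value in sql:
                self.findings.append({"param": name, "sql": sql})
        return sql, params


agent = IastAgent()


def instrumented_execute(conn, sql, params=()):
    """Stand-in for the instrumentation an IAST agent places on the DB driver."""
    sql, params = agent.sql_sink(sql, params)
    return conn.execute(sql, params)


def make_db():
    """Constructed in-memory sample database for the example."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "user"), ("bob", "admin")])
    return conn


def lookup_concat(conn, request):
    """Vulnerable handler: builds the statement by string concatenation."""
    name = agent.source("name", request["name"])
    sql = "SELECT role FROM users WHERE name = '" + name + "'"
    return instrumented_execute(conn, sql).fetchall()


def lookup_parameterized(conn, request):
    """Hardened handler: the value travels as a bound parameter, never in the SQL text."""
    name = agent.source("name", request["name"])
    sql = "SELECT role FROM users WHERE name = ?"
    return instrumented_execute(conn, sql, (name,)).fetchall()


def run_request(handler, request):
    """Simulate one HTTP request: reset per-request agent state, run the handler,
    and return (rows, findings) so the result can be inspected."""
    agent.untrusted.clear()
    agent.findings.clear()
    conn = make_db()
    rows = handler(conn, request)
    return rows, list(agent.findings)


if __name__ == "__main__":
    for handler in (lookup_concat, lookup_parameterized):
        rows, findings = run_request(handler, {"name": "alice"})
        print(handler.__name__, rows, findings)
```

Both handlers return the same rows for a benign request, which is why black-box testing cannot tell them apart without probing; the agent, sitting inside the process, reports the concatenating handler and stays silent for the parameterized one. The same source/sink pairing extends to the other classes the talk lists, such as an HTML-writing sink for Persistent XSS.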

Presenters:

  • Ofer Maor - CTO - Quotium
    Ofer Maor has over sixteen years of experience in information security, and is a pioneer in the application security field. He has been involved in leading research initiatives, has published numerous papers, appears regularly at leading conferences and is considered a leading authority by his peers. He also currently serves as the Chairman of OWASP Israel and a member of the OWASP Global Membership Committee. In his current role as Founder and CTO of Quotium (through the merger with Seeker Security), Mr. Maor is leading Seeker® - the new generation of application security, allowing organizations to effectively protect their business and data from application threats. He was previously the Founder and CTO of Hacktics®, where he helped create a world-class leading professional security services group, later acquired by Ernst & Young to become a global excellence center. Before founding Hacktics, Mr. Maor led Imperva's Application Defense Center, a research group focused on application security services and education, where he advanced research activities and was responsible for all the application security services conducted by the company. He was previously a Senior Security Consultant at eDvice, an application security consulting firm, and served for three years as an Information Security Officer in the Israeli Defense Forces.
