Penetration testing code coverage

Presented at AppSec USA 2014, Sept. 19, 2014, 10:30 a.m. (45 minutes)

A continuous challenge facing penetration testers is ensuring adequate coverage of a target application. A purely black box perspective makes it almost impossible to accurately identify how much of the attack surface was tested during an assessment. Glass box testing techniques significantly improve the insight that penetration testers have into the coverage and makeup of the applications they are targeting. This 45-minute session will start with brief introductory material and will then jump into a live demo using OWASP Code Pulse, a newly released real-time code coverage tool. Session attendees will learn about the benefits of real-time code coverage insight and how to use Code Pulse effectively to improve the coverage of their penetration testing activities, regardless of whether they're relying purely on manual scans or on automated scans by one or more DAST tools.


Presenters:

  • Hassan Radwan - Secure Decisions
    Hassan Radwan is a developer by trade with a passion for consumable application security. He is the project lead on OWASP Code Pulse, a real-time code coverage tool, and leads the engineering effort on Code Dx, a commercial SAST correlation tool. Hassan has worked in the application security and quality field for the past six years at Secure Decisions and has a passion for representing application security information in a visual and consumable manner.
