Static Analysis for Dynamic Assessments

Presented at AppSec USA 2014, Sept. 18, 2014, 1 p.m. (45 minutes).

Today's dynamic and static web vulnerability scanners are capable of analyzing complex web applications for security weaknesses. They automate testing of many common vulnerabilities. However, there is a gap between Static and Dynamic scanners. They find different vulnerabilities. So why aren't dynamic testers running static tools? Typically, they don't have source code.

In this session, Greg will explore ways dynamic testers can utilize static tools without source code. Greg will discuss a process for collecting and scanning client-side files. Furthermore, Greg will demonstrate a custom developed tool that automates this process from the Burp Suite.

The objective of running static analysis during a dynamic assessment is to reduce potential false-negatives by increasing the breadth of the assessment.

Presenters:

• Greg Patton - Senior Security Consultant - HP Fortify
  Greg Patton is a Sr. Security Consultant with HP Fortify on Demand based in Houston, TX. With nearly ten years of security experience, Greg specializes in application security with a focus on dynamic web and iOS mobile assessments. Greg started his career in software development, and he discovered a natural talent and interest in breaking applications.

Links:

• https://owaspappsecusa2014.sched.com/event/NvvZWv/static-analysis-for-dynamic-assessments
• https://www.youtube.com/watch?v=9wyYvOJpNp4

Similar Presentations:

• AppSec USA 2016 / Practical Static Analysis for Continuous Application Security
• ShmooCon IX (2013) / Mastiff: Automated Static Analysis Framework
• VB2018 / Android app deobfuscation using static-dynamic cooperation