Sinking Your Hooks in Applications

Presented at AppSec USA 2015, Sept. 24, 2015, 3 p.m. (55 minutes).

Attackers typically have more compute resources and can spend much more time breaking components of applications than the engineers that write them in the first place. Since the pressure is on developers to release new code, even at the expense of security best practices, expecting all application vulnerabilities to be detected and remediated in advance of an application's release is unrealistic to say the least.

One approach to combat this is to automatically build more security into the applications themselves. In this talk, the speakers will demonstrate techniques that hook potentially vulnerable code paths in production applications and inject code to introduce additional layers of security, without requiring developers to write any code or recompile the applications. Specific examples will be given of hooking Java, .NET and Ruby frameworks.
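As an added illustration of the runtime-hooking idea in the abstract (this is not the presenters' code), the Ruby example below uses Module#prepend to place an output-encoding layer in front of a constructed stand-in for a framework's template renderer, so the renderer's own source is neither edited nor recompiled; TemplateEngine, OutputEncodingHook, install_hook and render_profile are all assumed names.

```ruby
require 'cgi'

# Constructed stand-in for a framework's view renderer. A real framework class
# would be hooked the same way; this one exists only so the example runs offline.
class TemplateEngine
  def render(template, params)
    template.gsub(/\{\{(\w+)\}\}/) { params.fetch(Regexp.last_match(1).to_sym, '') }
  end
end

# Security layer injected at runtime. Prepending puts this module ahead of
# TemplateEngine in the method lookup chain, so every call to #render passes
# through the hook first and then reaches the original via super.
module OutputEncodingHook
  def self.audit_log
    @audit_log ||= []
  end

  def render(template, params)
    safe = params.transform_values do |v|
      encoded = CGI.escapeHTML(v.to_s)
      # Record values that were actually changed, for detection and tuning.
      OutputEncodingHook.audit_log << "encoded: #{v.inspect}" if encoded != v.to_s
      encoded
    end
    super(template, safe)
  end
end

# Idempotent: installing twice must not stack a second copy of the hook.
def install_hook
  return if TemplateEngine.ancestors.include?(OutputEncodingHook)
  TemplateEngine.prepend(OutputEncodingHook)
end

# Application code that is left untouched; it has no idea the hook exists.
def render_profile(name)
  TemplateEngine.new.render('<p>Hello {{name}}</p>', name: name)
end

if __FILE__ == $PROGRAM_NAME
  puts render_profile('<script>alert(1)</script>') # unhooked: markup passes through
  install_hook
  puts render_profile('<script>alert(1)</script>') # hooked: markup is HTML-encoded
end
```

In a real deployment the hook is prepended to the framework's own render or query method at process start, and the audit log feeds the detection pipeline rather than an in-memory array.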


Presenters:

  • Richard Meester - Software Engineer - Prevoty
    Richard's primary focus is developing solutions for XSS/SQLi detection and protection in the .NET framework.
  • Joe Rozner - Software Engineer - Prevoty
    Joe Rozner is a software engineer at Prevoty where he has built semantic analysis tools, worked to develop new methods to more accurately detect SQL injection and Cross Site Scripting (XSS), and designed novel integration technology leveraging runtime patching. His focus on LangSec and formal languages has allowed him to develop novel approaches to traditionally difficult problems in the security space. In his spare time he's developed custom system call level sandboxes, rich web applications, and applications at all levels between.
