How to Find the Next Great Deserialization CVE

Presented at AppSec USA 2016, Oct. 13, 2016, 3:30 p.m. (60 minutes)

The talk will generalize the recent spate of deserialization attacks, including a brief discussion of an originally authored exploit for a recently discovered CVE.

The commonalities between deserialization attacks will then be discussed, laying the framework for a "how to" guide on finding and exploiting deserialization vulnerabilities.

The talk will also explain the incredible difficulty faced when using traditional appsec defenses (input validation, signaturing) to stop these vulnerabilities, and explain free and open source options for builders to protect themselves from such attacks.
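The defensive point in the abstract is that the attacker chooses which class the deserializer reconstructs, so byte-level input validation and signature matching run too late: the dangerous work happens inside the constructor or reduce hook of whatever type the stream names. The free option builders have is to decide, before any object is instantiated, which types are acceptable. The following is an added example written for this page, not code from the talk or from Contrast Security; it uses Python's pickle as a stand-in for Java serialization, and the `Report` and `Unexpected` classes and the sample bytes are constructed for illustration.

```python
"""Allowlist-based deserialization filter (added example, not from the talk).

The principle is the same one Java's ObjectInputFilter and the open source
"look-ahead" ObjectInputStream wrappers implement: resolve a class name
against an explicit allowlist *before* it is instantiated, rather than
trying to recognise malicious bytes after the fact.
"""
import io
import pickle
from dataclasses import dataclass


@dataclass
class Report:
    """A harmless application type the service expects to receive."""
    title: str
    pages: int


@dataclass
class Unexpected:
    """A type the service never intends to deserialize (stand-in for a gadget)."""
    payload: str


# Explicit allowlist of (module, name) pairs that may be reconstructed.
# Anything else is refused before a constructor or __reduce__ hook can run.
ALLOWED_GLOBALS = {
    (Report.__module__, "Report"),
}


class RestrictedUnpickler(pickle.Unpickler):
    """Unpickler whose class lookup is gated by ALLOWED_GLOBALS."""

    def find_class(self, module, name):
        # find_class is the single choke point where the stream asks the
        # runtime to resolve a class; gating here covers GLOBAL, STACK_GLOBAL
        # and NEWOBJ alike, so no byte-pattern matching is needed.
        if (module, name) in ALLOWED_GLOBALS:
            return super().find_class(module, name)
        raise pickle.UnpicklingError(
            f"class {module}.{name} is not on the deserialization allowlist"
        )


def safe_loads(data: bytes):
    """Deserialize `data`, refusing any class outside the allowlist."""
    return RestrictedUnpickler(io.BytesIO(data)).load()


def try_load(data: bytes):
    """Return (accepted, value_or_reason) so callers can log rejections."""
    try:
        return True, safe_loads(data)
    except pickle.UnpicklingError as exc:
        return False, str(exc)


# Constructed sample streams: one names an allowed type, one does not.
SAMPLE_OK = pickle.dumps(Report("quarterly", 12))
SAMPLE_BAD = pickle.dumps(Unexpected("anything"))


if __name__ == "__main__":
    print(try_load(SAMPLE_OK))   # (True, Report(title='quarterly', pages=12))
    print(try_load(SAMPLE_BAD))  # (False, 'class ...Unexpected is not on the deserialization allowlist')
```

Note that plain `pickle.loads(SAMPLE_BAD)` would succeed, which is exactly the gap: nothing in the stream is malformed, so input validation has nothing to reject. The allowlist is the control, and rejected class names are worth logging, since a stream naming a type the application never sends is a strong detection signal.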


Presenters:

  • Arshan Dabirsiaghi - Chief Scientist - Contrast Security
    Arshan is an accomplished security researcher with over 10 years of experience advising large organizations on application security. Prior to Contrast Security, Arshan spent 8 years at Aspect Security in a research role where he used static and dynamic technology to perform security assurance work, including code reviews, architecture reviews and penetration testing. From his experience at Aspect Security, Arshan quickly discovered that securing applications was a massive undertaking, one that required innovative, deeply accurate technology and continuous testing. His response was to co-found Contrast Security. Only the kind of technology that Contrast offers can help organizations escape the rat race that legacy application security programs had become. In his role as Chief Scientist at Contrast Security, Arshan draws on his experience to guide the product line, drive new products and features, and spread the gospel about binary instrumentation. Arshan has released popular application security tools, including AntiSamy, ESAPI and JavaSnoop. He graduated with a Master's in Computer Science and Artificial Intelligence.
