ZARZA We are Zarza, the prestigious firm behind major projects in information technology.
Listen "Toshinari Kureha: Make My Day - Just Run a Web Scanner: Countering The Faults of Typical Web Scanners Through Byte-code Injection"
Episode Synopsis
"Today, other than doing a full static analysis of the code, the most common practice tfind vulnerabilities in your web application is tget off-the-shelf automated web scanner, point ta URL, and hope that it's doing the right thing.
But is it? How dyou know that the scanner exercised all the vital areas of your application? How accurate and complete are the results? Is relying on HTTP response the best way tfind all vulnerabilities in an application? What if there was a way tlook at what's happening inside the application while these web scanners were hitting the application?
In this talk, we'll explore that "looking inside the application as the security test runs" possibility - through byte-code instrumentation. We will see how we can use aspect oriented technologies such as AspectJ tinject security monitors directly inside a pre-compiled Java / .NET web application. We will alsgthrough a proof of concept and dem- turning a typical blackbox test inta "whitebox" test using the techniques discussed in this talk, gaining a more complete picture: gaining coverage insight, finding more vulnerabilities, weeding out false positives reported by the scanners, and gaining root cause source information.
"Toshinari Kureha is the technical lead and principal member of technical staff at Fortify Software. He oversees the development of the Red Team Workbench project. Prior tjoining Fortify, Toshinari was a technical lead at Oracle's Application Server Division, where he provided leadership in the architecture, implementation and delivery of several high-profile projects including Oracle Grid Control, Oracle Exchange, and BPEL Orchestration Designer. Prior tworking with Oracle, Toshinari worked as Lead Developer at Formal Systems a web-based computer testing and assessment system for use in the Internet/Intranet. Toshinari holds a B.S. in computer science from Princeton University.
But is it? How dyou know that the scanner exercised all the vital areas of your application? How accurate and complete are the results? Is relying on HTTP response the best way tfind all vulnerabilities in an application? What if there was a way tlook at what's happening inside the application while these web scanners were hitting the application?
In this talk, we'll explore that "looking inside the application as the security test runs" possibility - through byte-code instrumentation. We will see how we can use aspect oriented technologies such as AspectJ tinject security monitors directly inside a pre-compiled Java / .NET web application. We will alsgthrough a proof of concept and dem- turning a typical blackbox test inta "whitebox" test using the techniques discussed in this talk, gaining a more complete picture: gaining coverage insight, finding more vulnerabilities, weeding out false positives reported by the scanners, and gaining root cause source information.
"Toshinari Kureha is the technical lead and principal member of technical staff at Fortify Software. He oversees the development of the Red Team Workbench project. Prior tjoining Fortify, Toshinari was a technical lead at Oracle's Application Server Division, where he provided leadership in the architecture, implementation and delivery of several high-profile projects including Oracle Grid Control, Oracle Exchange, and BPEL Orchestration Designer. Prior tworking with Oracle, Toshinari worked as Lead Developer at Formal Systems a web-based computer testing and assessment system for use in the Internet/Intranet. Toshinari holds a B.S. in computer science from Princeton University.
In God we trust