Content provided by Black Hat and Jeff Moss. All podcast content, including episodes, graphics and podcast descriptions, is uploaded and provided directly by Black Hat and Jeff Moss or their podcast platform partner. If you believe someone is using your copyrighted work without your permission, you can follow the process outlined here: https://vi.player.fm/legal.
Toshinari Kureha: Make My Day - Just Run a Web Scanner: Countering The Faults of Typical Web Scanners Through Byte-code Injection
Today, other than doing a full static analysis of the code, the most common practice to find vulnerabilities in your web application is to get an off-the-shelf automated web scanner, point it to a URL, and hope that it's doing the right thing.
But is it? How do you know that the scanner exercised all the vital areas of your application? How accurate and complete are the results? Is relying on the HTTP response the best way to find all vulnerabilities in an application? What if there was a way to look at what's happening inside the application while these web scanners were hitting the application?
In this talk, we'll explore that "looking inside the application as the security test runs" possibility - through byte-code instrumentation. We will see how we can use aspect-oriented technologies such as AspectJ to inject security monitors directly inside a pre-compiled Java / .NET web application. We will also go through a proof of concept and demo, turning a typical blackbox test into a "whitebox" test using the techniques discussed in this talk, gaining a more complete picture: gaining coverage insight, finding more vulnerabilities, weeding out false positives reported by the scanners, and gaining root cause source information.
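To make the "security monitor injected into a pre-compiled application" idea concrete, here is an added example; it is not code from the talk, from Fortify, or from the Red Team Workbench project. It is an annotation-style AspectJ aspect that can be woven into an already-compiled Java web application at class-load time, so no source is needed. While a scanner drives the application, the aspect records which application methods actually ran (coverage insight) and watches String-taking JDBC execute calls: if the SQL text still contains a request parameter value verbatim, user input was concatenated into the query, and the call site is reported as the root cause even when nothing in the HTTP response would reveal it. The package name `com.example.app`, the class name `ScanMonitor` and the `report()` method are assumptions made for the example; the `.NET` side of the talk is not covered.

```java
// Added example (not from the talk or from Fortify): an AspectJ aspect woven into a
// compiled Java web application with the AspectJ load-time weaver.
// Assumption: the application's own classes live under the hypothetical
// package com.example.app; the report goes to standard error.
package scanmonitor;

import java.util.Collections;
import java.util.HashSet;
import java.util.Map;
import java.util.Set;
import java.util.concurrent.ConcurrentHashMap;
import java.util.concurrent.atomic.AtomicInteger;

import javax.servlet.ServletRequest;

import org.aspectj.lang.JoinPoint;
import org.aspectj.lang.annotation.After;
import org.aspectj.lang.annotation.Aspect;
import org.aspectj.lang.annotation.Before;

@Aspect
public class ScanMonitor {

    // Parameter values of the request currently being handled on this thread.
    private static final ThreadLocal<Set<String>> REQUEST_VALUES =
            ThreadLocal.withInitial(HashSet::new);

    // Coverage: fully qualified method signature -> number of executions.
    private static final Map<String, AtomicInteger> COVERAGE = new ConcurrentHashMap<>();

    // Findings, deduplicated by call site.
    private static final Set<String> FINDINGS =
            Collections.newSetFromMap(new ConcurrentHashMap<>());

    // 1. Capture request input at the servlet entry point. HttpServlet+ matches
    //    every servlet subclass; doGet/doPost/... all start with "do".
    @Before("execution(* javax.servlet.http.HttpServlet+.do*(..)) && args(req, ..)")
    public void captureRequest(ServletRequest req) {
        Set<String> values = REQUEST_VALUES.get();
        values.clear();
        for (String[] vals : req.getParameterMap().values()) {
            for (String v : vals) {
                // Very short values (e.g. "1") would match almost any query; skip them.
                if (v != null && v.length() >= 4) values.add(v);
            }
        }
    }

    @After("execution(* javax.servlet.http.HttpServlet+.do*(..))")
    public void clearRequest() {
        REQUEST_VALUES.get().clear();
    }

    // 2. Coverage: count every application method the scanner actually reached.
    @Before("execution(* com.example.app..*(..))")
    public void recordCoverage(JoinPoint jp) {
        COVERAGE.computeIfAbsent(jp.getSignature().toLongString(), k -> new AtomicInteger())
                .incrementAndGet();
    }

    // 3. Sink monitor: a String-taking JDBC execute call whose SQL text still
    //    contains a request value verbatim means user input was concatenated
    //    into the query. PreparedStatement.execute() takes no String, so
    //    properly parameterised queries never match and produce no false positive.
    @Before("call(* java.sql.Statement+.execute*(String, ..)) && args(sql, ..)")
    public void checkSqlSink(JoinPoint jp, String sql) {
        for (String v : REQUEST_VALUES.get()) {
            if (sql.contains(v)) {
                // Source location comes from the class file's line-number table.
                String where = jp.getSourceLocation().getFileName() + ":"
                        + jp.getSourceLocation().getLine();
                FINDINGS.add("request value reached " + jp.getSignature().toShortString()
                        + " unchanged at " + where);
            }
        }
    }

    // Dump results once the scan has finished, e.g. from a JVM shutdown hook.
    public static void report() {
        System.err.println("== methods executed during scan: " + COVERAGE.size());
        COVERAGE.forEach((sig, n) -> System.err.println("  " + n.get() + "x " + sig));
        System.err.println("== injection findings: " + FINDINGS.size());
        FINDINGS.forEach(f -> System.err.println("  " + f));
    }
}
```

To apply it to a pre-compiled application, compile the aspect with `javac` against `aspectjrt.jar`, list it in `META-INF/aop.xml` with the weaver restricted to `com.example.app..*`, and start the application server with `-javaagent:aspectjweaver.jar`. The `call()` pointcut is matched at the application's call sites, so the JDK classes themselves are never modified. Line numbers in findings require that the application classes were compiled with debug information; otherwise only the method signature is available. Comparing the executed-method set against the full list of methods in the package (to find code the scanner never touched) is left to whatever inventory tool is at hand.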
Toshinari Kureha is the technical lead and principal member of technical staff at Fortify Software. He oversees the development of the Red Team Workbench project. Prior to joining Fortify, Toshinari was a technical lead at Oracle's Application Server Division, where he provided leadership in the architecture, implementation and delivery of several high-profile projects including Oracle Grid Control, Oracle Exchange, and BPEL Orchestration Designer. Prior to working with Oracle, Toshinari worked as Lead Developer at Formal Systems, a web-based computer testing and assessment system for use in the Internet/Intranet. Toshinari holds a B.S. in computer science from Princeton University.
Black Hat Briefings, Europe 2007 [Audio] Presentations from the security conference.