Thursday, October 26 • 2:00pm - 3:00pm
Improving dynamic vulnerability scanners with static code analysis

Finding potential vulnerabilities in your source code is vital, but the two traditional methods for achieving this goal each have drawbacks. In this talk, we’ll discuss how Indeed combined the two methods to create a more robust solution, and how you can benefit from our work.

The first traditional method, static source analysis, examines the code itself. This technique can be successful at finding vulnerabilities, but it can also generate excessive false positives, and working through those results can take a substantial amount of time if you have a large code base.

The second traditional method, dynamic scanning, finds problems by fuzzing a running instance of an application. To dynamically scan web applications, you must define vectors -- the endpoints, parameters, methods, headers, and cookies that will be tested or fuzzed -- and your results are only as good as the vectors you supply. Whether you discover your vectors by crawling site links or by recording user interactions, you always run the risk of overlooking something. For example, you’ll miss endpoints not explicitly linked or exposed to the user, such as deprecated features.

At Indeed, we combined the two approaches, using static code analysis to enrich dynamic vulnerability scanners. We developed WES, a tool that replaces the need for crawlers by analyzing source code and pulling endpoints straight out of where they are defined. In this talk, you’ll not only learn how WES works, but also how to use it to continually improve your application security pipeline.
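One way to realize the source-driven vector discovery described above, as an added Python example that is not WES or any Indeed code: it parses a Flask-style module's AST, pulls each route straight from its decorator, and emits the path, HTTP methods and parameters a dynamic scanner would fuzz. The sample module, the Flask decorator and `request.args`/`request.form` conventions, and the output shape are assumptions made for this example.

```python
import ast
import re

# Constructed Flask-style sample (not WES or Indeed code). The last route is the
# kind of endpoint a crawler never finds: nothing links to it.
SAMPLE_SOURCE = '''
@app.route("/search")
def search():
    return request.args.get("q")
@app.route("/export/<int:job_id>", methods=["POST", "DELETE"])
def export_job(job_id):
    return request.form.get("format", "csv")
@app.route("/legacy/profile")  # deprecated and unlinked, still reachable
def legacy_profile():
    return request.args.get("uid")
'''

def extract_vectors(source):
    """Static pass: one scan vector per route, with HTTP methods and parameters."""
    vectors = []
    for func in ast.walk(ast.parse(source)):
        if not isinstance(func, ast.FunctionDef):
            continue
        routes = [d for d in func.decorator_list
                  if isinstance(d, ast.Call) and getattr(d.func, "attr", None) == "route"]
        if not routes:
            continue
        dec = routes[0]
        path = dec.args[0].value
        methods = ["GET"]  # Flask's default when methods= is omitted
        for kw in dec.keywords:
            if kw.arg == "methods":
                methods = [elt.value for elt in kw.value.elts]
        # Path placeholders such as <int:job_id> plus every request.args/form
        # lookup inside the handler body become the parameters to fuzz.
        params = [("path", name) for name in re.findall(r"<(?:\w+:)?(\w+)>", path)]
        for sub in ast.walk(func):
            if (isinstance(sub, ast.Call) and isinstance(sub.func, ast.Attribute)
                    and sub.func.attr == "get"
                    and isinstance(sub.func.value, ast.Attribute)
                    and sub.func.value.attr in ("args", "form")
                    and sub.args and isinstance(sub.args[0], ast.Constant)):
                params.append((sub.func.value.attr, sub.args[0].value))
        vectors.append({"path": path, "methods": methods, "params": params})
    return vectors

if __name__ == "__main__":
    for vec in extract_vectors(SAMPLE_SOURCE):
        print(vec)
```

The unlinked `/legacy/profile` route appears in the output alongside the others, which is exactly the case a link crawler or recorded session would miss.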

Caleb Coffie

Information Security Engineer, Indeed.com
Information Security Engineer at Indeed | Rochester Institute of Technology Graduate

Thursday October 26, 2017 2:00pm - 3:00pm
Under Armour Room
