This is the video of the presentation titled "Into the Rabbit Hole: Execution Flow-Based Web Application Testing" given by Rafal Los and Matt Wood of HP Software at SOURCE Boston 2010.
Since the first caveman fashioned a spear, humans have used tools to make themselves more efficient and effective. Unfortunately, today's analysts often misunderstand the role tools play in testing web applications. While tools can be quite good at mapping a web application's attack surface, much human analysis is still needed to find the elusive defects that lie just below the surface. That human analysis is daunting and irregular ... until now. The answer is an execution-flow-based approach to application security testing. By first understanding application logic and execution flow, it is possible to map a web application's attack surface completely, and therefore to test the application fully. Along the way, we will cover the principles of data-flow analysis, application process mapping and building execution-flow diagrams (EFDs), which together form a complete picture of the web application and allow an analyst to uncover potentially critical defects.

Rafal's unique blend of technical expertise and business knowledge enables him to teach audiences about security techniques, programs and processes that they can both understand strategically and realistically apply. He has extensive experience in security testing, risk analysis and management, penetration testing, architecture and policy.

Matt Wood is currently the lead security researcher in HP's Web Security Research Group. He has been involved in security for six years, both professionally and academically. Matt led the development of HP Scrawlr and HP SWFScan, free security tools designed to help organizations find SQL injection and Adobe Flash security vulnerabilities, respectively. Beyond making free tools, he has given numerous presentations at major security conferences, including Black Hat and RSA. Matt is currently focusing his research on client-side static analysis and on using AI to help security practitioners audit complex Ajax/RIA applications.
Disclaimer: We are an infosec video aggregator, and this video is linked from an external website. The original author may be different from the user re-posting or linking it here. Please do not assume the authors are the same without verifying.