Description: Aljosha Judmaier & David White, SEC Consult

There comes the time where a true security expert has to look at some source code. Everybody knows that "real men" use vi, find, grep, and hair-raising Perl and shell scripts to analyze complex software projects. However, at some point, it makes sense to trade in stone knives and bearskins for tools that are more modern. While security tools continue to become more sophisticated and capable, the pain of security source code audits doesn't seem to decrease.

This presentation describes the technologies behind advanced static and dynamic vulnerability analysis tools. New algorithms that precisely model the behavior of so-called "sanitization" routines help static analysis tools reduce both false positive and false negative results. A novel approach to finding logical errors using a combined dynamic and static analysis tool recognizes the assumptions made during development and tries to find a code flow path that invalidates them. Live demonstrations will show that these new approaches are no longer purely theoretical.

In practice, even the best tools won't make security problems go away. The risks of the traditional rush to market are becoming increasingly apparent, and regulators and standardization organizations are beginning to put pressure on companies to fix problems before they arise. Auditors need to put results in context and communicate with their colleagues, developers, and management in a timely and efficient manner in order to implement pro-active security. We conclude with a discussion of new ways to ensure that bugs get fixed before it's too late.

Speaker bio: Security Consultant for SEC Consult and Lead Developer for the SECoverer code analysis framework.
Tags: securitytube, Confidence, hacking, hackers, information security, convention, computer security, deepsec-10, deepsec-2010
Disclaimer: We are an infosec video aggregator and this video is linked from an external website. The original author may be different from the user re-posting/linking it here. Please do not assume the authors to be the same without verifying.