application risk and components at app sec usa – jeff williams’ part

Thesis: Need to rethink how things work so they happen real time.

Aspect does a lot of code review and manual testing. That’s why they don’t have XSS and System.out.println() as the leading items. Static analysis tools are good at finding that.


  • 98% of apps have at least one vulnerability
  • On average, Apsect uncovers 22.4 serious vulnerabilities per app. A small fraction are in open source libraries.

We find vulnerabilities months or even years later. Developers are likely on another project by now. Or have at least forgotten the code. Which means they won’t have gotten any learning out of it.

Interception points

  • HTTP Traffic – ZAP can be proxy between Selenium and app to sniff traffic.
  • Data Flow
  • Control flow – static or interactive
  • Libraries and frameworks
  • Configuration data – static analysis tools don’t look here. But could write a static analysis rule for it
  • Back end connections – sometimes developers don’t know so isn’t in architecture review

What if this were the US tax code?
Imagine somone dropped the US Tax code on your desk and ask you to find the loopholes. It’s about a million lines of code. Lawyers don’t do it in one week. You wouldn’t read it line by line. You’d look for patterns. Caman Islands?

Mix existing techniques to get continuous security

  • Code review useful, but hard to do real time. Need to take that effort and turn it into small automated tools. Make it into repeatable test case. ZAP does this – you can write a ZEST script to test for future instances of vulunerabiity. Mozilla is going to make that the standard way of reporting a bug to them.
  • Static analysis – Great at enforcing simple checks. Explore positive rules. Custom rules for more complex patterns.
  • Dynamic analysis
  • Interactive application security testing – look at insides, good at data flow analysis, injection flaws, library testing
  • JUnit – verify your controls are correct. Don’t see enough people using JUnit for security

My Take
This was similar in message to Jeff’s morning session. Some parts were the same (reuse) and some parts were different. And some parts went into different depth. And again Jeff mentioned Sonatype more than Ryan did.

Leave a Reply

Your email address will not be published.