[2019] Hunting Bugs To Extinction With Static Analysis by Paul Theriault
Today, a huge portion of our data lives in web applications, often in multitenant, high-exposure environments. Yet despite this centralization of valuable information, the diversity of application platforms has made responding to incidents in the webapp layer difficult. This lack of standardization in combination with a traditional focus on the systems side of incident response means that many security teams do not have the tools to effectively analyze attacks on their web applications. Web application incidents have gotten even harder to handle in the last few years: complex architectures and custom components mean that without special preparation, defenders may be left to decipher a heap of low-signal logs to determine what happened. The processes for investigating an application security flaw also tend to diverge from traditional incident response, since attacker behavior is significantly different. Heightened scrutiny of breaches due to new regulations has led to even greater pressure on responders to quickly understand the scope of an event. This talk introduces a flexible framework of technologies, tools, and procedures that has been essential to responding to threats to a major modern web platform. This provides a system to evaluate the capabilities currently in place to handle appsec incidents and plan new efforts to help security teams confidently investigate and respond to attackers on the web.
------
AppSec Day Australia is an OWASP Foundation, Melbourne Chapter event held on 1st November 2019. This is a volunteer-run event, and we couldn't have done it without the dedication, commitment, and sacrifice of all our volunteers; we thank you.
Follow us on Twitter @OWASPMelbourne