Hidden Vulnerabilities in “Secure” Code and Why You Need SAST | Roman Bohuk

00:00 - Welcome!
00:11 - Writing code for CTFs (secure and intentionally insecure)
00:43 - Agenda
00:57 - Example: vulnerable nodejs application
02:12 - Example: php
03:25 - Example: python
04:54 - Example: C
06:25 - Example: php password strcmp
09:06 - Example: python yaml configuration
10:19 - Why secure coding is hard
11:35 - Solutions?
12:49 - Why use SAST?
13:48 - Static Application Security Testing (SAST)
14:16 - Software Composition Analysis/Static Code Analysis/Source Code Analysis (SCA)
14:59 - Dynamic Application Security Testing (DAST)
15:54 - Interactive Application Security Testing (IAST)
16:20 - How does SAST work?
19:17 - Types of findings
19:46 - SAST Strengths
20:32 - SAST Weaknesses
21:43 - Picking the right tool
23:08 - Q: Sources other than OWASP for SAST tools? Snyk
24:24 - Q: How to encourage implementation of OWASP guidelines?
24:37 - A: Organizational culture, training
25:36 - Q: Same evaluation for DAST and IAST?
A: Possibly; more familiar with SAST.
26:19 - Q: Any plans to create MetaCTF Secure Code Challenges?
A: There are some challenges where you can see the code; in the future, you may be able to alter the code.
27:12 - Q: How to build a comprehensive SBOM?
A: Commercial SAST tool should have SBOM built in.
27:51 - Q: How to achieve your level of expertise?
28:13 - A: I just seem like I know a lot because I'm comfortable with the topic.
28:39 - Countering imposter syndrome - follow your passion
30:38 - Q: AI applications to your field?
A: Yes, as an assist. Many SAST tools use AI on the back end.
31:45 - Free challenges on MetaCTF website, upcoming CTFs, Shmoocon ticket contest

Antisyphon Training