Brice Williams is the cybersecurity practice lead for technology consulting firm SysLogic, Inc. and has over 20 years of experience in software engineering and security best practices. Brice serves as a trusted advisor to global organizations providing modern cybersecurity guidance and support, including developer training, application penetration testing, secure product design, and secure development lifecycle programs. Brice has developed and conducted cybersecurity training classes for thousands of software developers around the world and is passionate about improving the state of cybersecurity at the earliest stages of software development. He is a regular speaker at industry conferences and local meetups, sharing from his practical experience in the field.
Weaknesses in Security Testing
Automation in security testing is critical to secure the rapidly growing amount of software being developed. As much as you might be led to believe that security tools have this covered, there are clearly areas that current solutions have challenges with. SAST, DAST, IAST, RASP, etc. tools all have their place, but we consistently see systems that use all of these and still have exploitable vulnerabilities. In fact, there is evidence to show that more than half of all software vulnerability types cannot be discovered using security tooling alone. As software development techniques evolve, security tools often have trouble keeping up.
This talk will include a number of specific vulnerability types that security tools often struggle to find, and how you can exploit these gaps. For example, tools are notorious for missing Insecure Direct Object Reference (IDOR) weaknesses. The information presented is a result of commercial product penetration test engagements involving many different types of systems over the last decade. These white-box style assessments include security architecture review, environment infrastructure inspection, and manual analysis of millions of lines of source code.
Also discussed will be complementary protections like developer training, security unit testing, third-party penetration testing, and bug bounty programs to help give you a more complete picture of how to address weaknesses that we commonly see slip through the automation cracks.