Automation in security testing is critical to securing the rapidly growing amount of software being developed. As much as you might be led to believe that security tools have this covered, there are clearly areas where current solutions struggle. SAST, DAST, IAST, RASP, and similar tools all have their place, but we consistently see systems that use all of them and still have exploitable vulnerabilities. In fact, there is evidence that more than half of all software vulnerability types cannot be discovered using security tooling alone. As software development techniques evolve, security tools often have trouble keeping up.
This talk will include a number of specific vulnerability types that security tools often struggle to find, and how you can exploit these gaps. For example, tools are notorious for missing Insecure Direct Object Reference (IDOR) weaknesses. The information presented is a result of commercial product penetration test engagements involving many different types of systems over the last decade. These white-box style assessments include security architecture review, environment infrastructure inspection, and manual analysis of millions of lines of source code.
The talk will also discuss complementary protections such as developer training, security unit testing, third-party penetration testing, and bug bounty programs, to give you a more complete picture of how to address the weaknesses we commonly see slip through the automation cracks.
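As an added illustration (not code from the talk) of why scanners miss IDOR and why a security unit test catches it: the defect is an absent ownership comparison, not untrusted data reaching a dangerous sink, so there is no taint path for a tool to flag. The handler names and invoice records below are constructed.

```python
"""IDOR: a missing object-level authorization check, shown vulnerable and fixed,
plus a security unit test that exercises every cross-user access."""
from dataclasses import dataclass


@dataclass
class Invoice:
    invoice_id: int
    owner_id: int
    amount: float


# Constructed sample data standing in for a database table.
INVOICES = {
    101: Invoice(101, owner_id=1, amount=120.0),
    102: Invoice(102, owner_id=2, amount=75.5),
    103: Invoice(103, owner_id=2, amount=9.99),
}


class Forbidden(Exception):
    """Raised when a caller requests a resource it does not own."""


def get_invoice_vulnerable(current_user_id: int, invoice_id: int) -> Invoice:
    # Looks up purely by the client-supplied id; the caller is never compared
    # to the owner, so any authenticated user can read any invoice.
    return INVOICES[invoice_id]


def get_invoice_fixed(current_user_id: int, invoice_id: int) -> Invoice:
    # Object-level authorization: resolve the record, then verify ownership
    # before returning it. Missing and foreign records are treated alike so
    # the response does not reveal which ids exist.
    invoice = INVOICES.get(invoice_id)
    if invoice is None or invoice.owner_id != current_user_id:
        raise Forbidden(f"user {current_user_id} may not read invoice {invoice_id}")
    return invoice


def cross_user_access_denied(handler) -> bool:
    """Security unit test: every (user, invoice) pair where the user is not
    the owner must be refused. Returns False on the first leak found."""
    users = {inv.owner_id for inv in INVOICES.values()}
    for user in users:
        for inv_id, inv in INVOICES.items():
            if inv.owner_id == user:
                continue
            try:
                handler(current_user_id=user, invoice_id=inv_id)
            except Forbidden:
                continue
            return False  # handler returned a record the user does not own
    return True
```

Wiring such a test into CI makes the authorization rule a regression check that runs every build, which is exactly where automated scanners leave a gap.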