
Vendors vs. The Truth – Scan Tools And The OWASP Top 10

Let's face it, security is not something most developers want to deal with. It takes time, it's complicated, and no one will thank you for it. So it comes in handy when security tool vendors claim that they can cover the most prevalent and severe vulnerabilities in software. Throw some money at them and you're done.

Well, as you might have guessed already, it is not that easy. When you take a closer look at common vulnerability types such as the OWASP Top 10 and the OWASP API Security Top 10, you'll see very quickly that only a few of them can be reliably detected by automated means such as SAST, DAST and IAST tools. In this talk, I'll explain why this is the case, and show you a more sustainable approach to covering common vulnerability types. What we'll cover:

An overview of automated tool types (SAST, DAST, IAST, ...)
Strengths and weaknesses of each type
Vulnerabilities that can be covered by them (spoiler: surprisingly few)
We'll base this on the OWASP Top 10 and the OWASP API Security Top 10
New developments in the area of security automation
More sustainable approaches to security assurance
Examples will focus on web and mobile applications, REST-based APIs and Single Page Applications (SPAs)

Be ready to overthrow your software security assurance program!

Speaker:
Thomas Konrad, SBA Research
Talk language: English

About the Speaker:
*********************

Thomas Konrad is Principal Security Consultant at SBA Research and has been part of its software security team since 2010. He focuses on secure software development, web application security, penetration testing, secure software design, architecture, and process, and trains software development teams in those areas.


Photo by Markus Spiske on Unsplash