In this presentation we will describe Application Security, dive into 3 pillars (static, dynamic, and manual analysis), and discuss current trends.
Application Security is a process improvement exercise, but it depends more on the skill of the humans involved than other, more mechanically oriented processes do. Developers with the right skillset and training will produce better code than those without. And security architects and penetration testers will find more bugs if they have deep security experience and skills. Even so, bugs will be missed in peer review and formal code audits. Thus a solid process with a variety of techniques is required to examine programs from all possible angles.
In terms of code auditing we’ll talk about three popular bugs: use-after-free, type confusion, and double fetch. We’ll briefly describe each bug and show examples to help code auditors think about how to find such bugs in their source.
Fuzzing is one of the popular dynamic testing techniques, used to hunt within the fully compiled binary for bugs missed in other types of testing. We’ll walk through an example of file fuzzing and one of network fuzzing. For file fuzzing we’ll use the Peach framework, and for the network example we’ll use Sulley.
This talk includes a perspective managers will appreciate, as well as the technical skills your code folks enjoy and require.