Using Next Generation Fuzzing Tools: Fixing Bugs and Writing Memory Corruption Exploits

DerbyCon 9.0 - Finish Line

Presented by: Jared DeMott, John Stigerwalt
Date: Friday September 06, 2019
Time: 13:00 - 13:45
Location: Track 1

The process of fuzzing has changed, from mutation, to frameworks, to the constraint solving (CS) and genetic algorithms (GA) of today. While pre-written suites and custom one-offs can be great, GAs (AFL/ClusterFuzz) and CS (SAGE/MSRD) often do the best, and we’ll drop serious vulns in this talk to prove it. These tools are paired best with scale: fuzzing-as-a-service (FaaS). It’s time to expose your code before attackers do. But it’s still not a perfectly simple endeavor. We will explain harnesses, how to pick seeds, which portions of the app to target, CI/CD integration, and much more. We’ll look at an exciting new DAST tool: microsoftsecurityriskdetection.com. From there we’ll teach you how to turn the bugs into fixes, or exploits. Excitingly, you'll learn how to write 0day from the results.

Jared DeMott

Dr. Jared DeMott is the Founder of VDA Labs. He previously served as a vulnerability analyst with the NSA. He was a finalist in Microsoft’s BlueHat Prize contest. He has been on three winning DEF CON capture-the-flag teams, is an invited lecturer at prestigious institutions, is a Pluralsight author, and is often interviewed by the media.

John Stigerwalt

John Stigerwalt (OSCE, OSCP, SLAE) is experienced in pentesting, application auditing, exploit development, and reverse engineering. John has spent years protecting organizations from evolving threats, and is very passionate about improving organizations' security.
