Open source SAST and DAST tools for web app pen testing

BSidesROC 2018

Presented by: Drew Kirkpatrick
Date: Saturday April 14, 2018
Time: 15:00 - 15:50
Location: Track 2

This session will discuss how web application penetration testers can improve their white box testing using two new open source tools, funded by the Department of Homeland Security. The Attack Surface Detector tool performs static code analysis to detect hidden endpoints and parameters and pulls them into Burp Suite and OWASP ZAP attack surface. The second tool, OWASP Code Pulse, instruments the web application server bytecode to provide real-time code coverage to help identify gaps in testing, help tune and compare testing tools, as well as provide a useful metric for communicating testing activities.

Drew Kirkpatrick

Drew has over fifteen years of experience designing and building complex systems including application security tools, network management, cyber curriculum development, and transit and aerospace systems. He works to improve information security and software assurance by applying computer science, ethical hacking, and human factors knowledge to build novel systems to meet complex needs. Before joining Secure Decisions as a Security Researcher, Drew was a Senior Computer Scientist in the U.S. Navy Human-Computer Interaction (HCI) Laboratory. He is a certified GWAPT and OSCP, and a member of the GIAC Advisory Board. He received his B.A. in Psychology and Economics from St. Mary’s College of Maryland, and Master’s degrees in Computer Science and Computer Information Systems from Florida Institute of Technology.


KhanFu - Mobile schedules for INFOSEC conferences.
Mobile interface | Alternate Formats