Session Name: Beyond the Top 10: Finding Business Logic Flaws, Data Leakage and Hard-Coded Secrets in Development
The focus of many application security programs has long been the OWASP Top 10 or SANS Top 25 vulnerabilities. While there are many static application security testing (SAST) solutions that can identify technical vulnerabilities such as SQLi, CSRF or XXE, SAST is not effective at identifying vulnerabilities that require context, such as the conditions leading to business logic flaws, data leakage, insider threats or hard-coded secrets. While pattern-matching techniques can be used to identify the symptoms of an injection vulnerability across any code base, pattern-matching is not sufficient for business logic flaws, data leakage or hard-coded secrets because these issues are unique to each code base. Manual code review or penetration testing can help, but neither scales to the pace of modern release velocities. This presentation will cover:
- Identifying sensitive data variables and mapping their flows across all sources and sinks
- Finding the conditions leading to business logic flaws
- Identifying hard-coded secrets and literals in source code such as usernames, passwords, tokens and API keys
- How to insert the above security checks into pull requests or builds without slowing releases down
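An added example, not code from the session or the speaker, of the source-to-sink tracking and hard-coded-secret check the abstract describes, reduced to a single-file, intraprocedural Python checker that a pull-request job could run: the sensitive-name patterns, the sink list and the sample source are assumptions constructed for the demonstration.

```python
import ast
import re
# Assumed patterns: names that carry sensitive data, and calls that act as leakage sinks
SENSITIVE_NAME = re.compile(r"passw(or)?d|secret|token|api_?key|ssn|credit_?card", re.I)
SINK_CALLS = {"print", "logging.debug", "logging.info", "logging.error", "logger.info"}

def _callee(func):
    """Render a callee as 'name' or 'obj.attr'; None for anything more complex."""
    if isinstance(func, ast.Name):
        return func.id
    if isinstance(func, ast.Attribute) and (base := _callee(func.value)):
        return f"{base}.{func.attr}"
    return None

class SensitiveFlowChecker(ast.NodeVisitor):
    """Sensitive names are sources, assignments propagate taint, SINK_CALLS arguments are sinks."""
    def __init__(self):
        self.tainted, self.findings = set(), []  # findings: (line, kind, detail)

    def visit_Assign(self, node):
        val = node.value
        for target in (t for t in node.targets if isinstance(t, ast.Name)):
            if SENSITIVE_NAME.search(target.id):
                self.tainted.add(target.id)  # source: variable named like a secret
                if isinstance(val, ast.Constant) and isinstance(val.value, str) and val.value:
                    self.findings.append((node.lineno, "hardcoded-secret", target.id))
            if isinstance(val, ast.Name) and val.id in self.tainted:  # taint propagation
                self.tainted.add(target.id)
        self.generic_visit(node)

    def visit_Call(self, node):
        callee = _callee(node.func)
        if callee in SINK_CALLS:
            for sub in ast.walk(node):  # also descends into f-strings and nested expressions
                if isinstance(sub, ast.Name) and sub.id in self.tainted:
                    self.findings.append((node.lineno, "sensitive-data-to-sink", f"{sub.id} -> {callee}"))
        self.generic_visit(node)

def check(source):
    checker = SensitiveFlowChecker()
    checker.visit(ast.parse(source))
    return checker.findings  # non-empty list: fail the pull-request check
# Constructed sample input (not real code or credentials)
SAMPLE = '''\
api_key = "example-not-a-real-key"
db_password = os.environ["DB_PASS"]
creds = db_password
logging.info("connecting with %s", creds)
print(f"key={api_key}")
'''
```

Note that `db_password` is flagged only when it reaches a sink, not as a hard-coded secret, because its value comes from the environment rather than a literal.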
Chetan is a serial entrepreneur with over 20 years of experience in authoring and architecting mission-critical software. His expertise includes building web-scale distributed infrastructure, personalization algorithms, complex event processing, and fraud detection and prevention in the investment/retail banking domains. He was most recently Chief Data Officer and GM Operations at CloudPhysics, and prior to CloudPhysics he was part of the early founding teams at CashEdge (acquired by FiServ), Business Signatures (acquired by Entrust) and EndForce (acquired by Sophos). Chetan earned his M.S. in Computer Engineering from Iowa State University and B.S. in Computer Science and Engineering from Bangalore University.