The focus of many application security programs has long been the OWASP Top 10 or SANS Top 25 vulnerabilities. While many static application security testing (SAST) solutions can identify technical vulnerabilities such as SQLi, CSRF or XXE, SAST is not effective at identifying vulnerabilities that require context, such as the conditions that lead to business logic flaws, data leakage, insider threats or hard-coded secrets.
While pattern-matching techniques can identify the symptoms of an injection vulnerability across any code base, pattern matching is not sufficient for business logic flaws, data leakage or hard-coded secrets, because these issues are unique to each code base. Manual code review or penetration testing can help, but neither scales to the pace of modern release velocities.
This presentation will cover:
Chetan is a serial entrepreneur with over 20 years of experience in authoring and architecting mission-critical software. His expertise includes building web-scale distributed infrastructure, personalization algorithms, complex event processing, and fraud detection and prevention in the investment/retail banking domains. He was most recently Chief Data Officer and GM Operations at CloudPhysics, and prior to CloudPhysics he was part of the early founding teams at CashEdge (acquired by FiServ), Business Signatures (acquired by Entrust) and EndForce (acquired by Sophos). Chetan earned his M.S. in Computer Engineering from Iowa State University and his B.S. in Computer Science and Engineering from Bangalore University.