Black Hat Briefings, Europe 2007 [Audio] Presentations from the security conference. - Toshinari Kureha: Make My Day - Just Run a Web Scanner: Countering The Faults of Typical Web Scanners Through Byte-code Injection

Toshinari Kureha: Make My Day - Just Run a Web Scanner: Countering The Faults of Typical Web Scanners Through Byte-code Injection

01/09/06 • 36 min

Black Hat Briefings, Europe 2007 [Audio] Presentations from the security conference.
Today, other than doing a full static analysis of the code, the most common practice to find vulnerabilities in your web application is to get an off-the-shelf automated web scanner, point it at a URL, and hope that it's doing the right thing.
But is it? How do you know that the scanner exercised all the vital areas of your application? How accurate and complete are the results? Is relying on the HTTP response the best way to find all vulnerabilities in an application? What if there was a way to look at what's happening inside the application while these web scanners were hitting it?
In this talk, we'll explore that "looking inside the application as the security test runs" possibility through byte-code instrumentation. We will see how we can use aspect-oriented technologies such as AspectJ to inject security monitors directly inside a pre-compiled Java / .NET web application. We will also go through a proof of concept and demo, turning a typical blackbox test into a "whitebox" test using the techniques discussed in this talk and gaining a more complete picture: coverage insight, more vulnerabilities found, false positives reported by the scanners weeded out, and root-cause source information.
Toshinari Kureha is the technical lead and principal member of technical staff at Fortify Software. He oversees the development of the Red Team Workbench project. Prior to joining Fortify, Toshinari was a technical lead at Oracle's Application Server Division, where he provided leadership in the architecture, implementation and delivery of several high-profile projects including Oracle Grid Control, Oracle Exchange, and BPEL Orchestration Designer. Prior to working with Oracle, Toshinari worked as Lead Developer at Formal Systems, a web-based computer testing and assessment system for use in the Internet/Intranet. Toshinari holds a B.S. in computer science from Princeton University.
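The abstract describes weaving security monitors into an already-compiled Java web application so that a scanner run is judged by what reaches the application's sinks rather than by the HTTP response alone. The following is an added example written for this page; it is not code from the talk, from Fortify, or from the Red Team Workbench project. It assumes AspectJ annotation-style aspects with load-time weaving, a scanner configured to embed a constructed marker string (`SCANMARK_`) in its probe values, and a hypothetical JDBC-using application whose classes the weaver is allowed to touch. The aspect records every SQL sink call site the scanner exercised (coverage insight), flags any query that still carries the probe marker (a finding with its root-cause file and line), and leaves a record that lets a scanner report with no matching sink hit be triaged as a likely false positive.

```java
import java.util.ArrayList;
import java.util.Collections;
import java.util.List;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;

import org.aspectj.lang.JoinPoint;
import org.aspectj.lang.annotation.Aspect;
import org.aspectj.lang.annotation.Before;
import org.aspectj.lang.annotation.Pointcut;
import org.aspectj.lang.reflect.SourceLocation;

/**
 * Security monitor woven into a pre-compiled Java web application with AspectJ
 * load-time weaving (-javaagent:aspectjweaver.jar plus META-INF/aop.xml).
 * It observes the SQL sink itself instead of the HTTP response, so a scanner
 * probe that reaches a query is reported even when the page looks normal from
 * outside. (Example code for this page, not the talk's or Fortify's tooling.)
 */
@Aspect
public class SqlSinkMonitor {

    /** Prefix the scanner is assumed to embed in every probe value (constructed for this example). */
    public static final String SCAN_MARKER = "SCANMARK_";

    /** A probe value observed inside a SQL string at a sink, with its root-cause location. */
    public static final class Finding {
        public final String sql;
        public final String sinkLocation;   // application class and file:line that issued the query

        Finding(String sql, String sinkLocation) {
            this.sql = sql;
            this.sinkLocation = sinkLocation;
        }

        @Override public String toString() {
            return "SQL sink reached with scanner probe at " + sinkLocation + ": " + sql;
        }
    }

    private static final List<Finding> FINDINGS = Collections.synchronizedList(new ArrayList<>());
    /** Coverage insight: how many times each SQL call site in the application was exercised. */
    private static final Map<String, Integer> SINK_HITS = new ConcurrentHashMap<>();

    /**
     * call() rather than execution(): JDK classes such as java.sql.Statement are never
     * woven, but the application code that calls them is, so the advice lands at the
     * caller side. args(sql, ..) binds the first String argument of execute,
     * executeQuery and executeUpdate; executeBatch() has no String and is not matched.
     */
    @Pointcut("call(* java.sql.Statement.execute*(String, ..)) && args(sql, ..) && !within(SqlSinkMonitor)")
    public void sqlSink(String sql) {}

    @Before("sqlSink(sql)")
    public void inspect(JoinPoint jp, String sql) {
        String where = describe(jp.getSourceLocation());
        SINK_HITS.merge(where, 1, Integer::sum);          // count every hit: coverage
        if (sql != null && sql.contains(SCAN_MARKER)) {   // probe reached the sink: finding
            FINDINGS.add(new Finding(sql, where));
        }
    }

    /** File and line need the application compiled with debug info; otherwise only the class is known. */
    private static String describe(SourceLocation loc) {
        return loc.getWithinType().getName() + " (" + loc.getFileName() + ":" + loc.getLine() + ")";
    }

    /** Accessors a test harness reads after the scanner run, e.g. from a servlet filter or JMX. */
    public static List<Finding> findings() { return new ArrayList<>(FINDINGS); }
    public static Map<String, Integer> coverage() { return new ConcurrentHashMap<>(SINK_HITS); }
    public static void reset() { FINDINGS.clear(); SINK_HITS.clear(); }
}
```

To activate it, the application is started with `-javaagent:aspectjweaver.jar` and a `META-INF/aop.xml` that names `SqlSinkMonitor` in its `<aspects>` section and restricts the `<weaver>` `<include within="...">` pattern to the application's own packages, so framework and driver classes are left alone. After the scanner finishes, the harness compares `findings()` against the scanner's report: a reported injection with no sink finding for that probe is a candidate false positive, a sink finding the scanner never reported is a missed vulnerability with its source location already attached, and call sites absent from `coverage()` are code the scanner never reached. A query that contains the marker is evidence that scanner-controlled input reached the sink unchanged, not by itself proof of exploitability; the recorded source line is where a reviewer then checks for parameterisation or escaping.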

Next Episode

Jeff Moss and Roger Cumming: Welcome and Keynote.

Jeff Moss introduces the keynote and welcomes everyone to the Amsterdam 2007 conference!
Roger will provide an overview of the work of CPNI in reducing vulnerability in the information systems that form part of the UK's infrastructure. He will then challenge the community on a number of issues, including the development of the malicious marketplace and the role of security researchers in addressing vulnerabilities as used by a range of threat actors.
Until 31 January 2007 Roger Cumming was Director of the National Infrastructure Security Co-ordination Centre (NISCC), the UK centre responsible for minimising the impact of electronic attack on the UK critical national infrastructure. Since 1 February Roger has been Head of Advice Delivery and Knowledge Development at the UK Centre for the Protection of National Infrastructure (CPNI). CPNI provides protective security advice on information security as well as physical and personnel security to reduce the vulnerability of the UK's national infrastructure to terrorism and other threats.
