**** This Meetup will be held remote and the link to the event will be announced ****
Let’s face it, security is not something most developers want to deal with. It takes time, it’s complicated, no one will thank you for it. So it comes in handy when security tool vendors claim that they can cover the most prevalent and severe vulnerabilities in software. Throw some money at them and you’re done.
Well, as you might have guessed already, it is not that easy. When you have a closer look at common vulnerability types such as the OWASP Top 10 and the OWASP API Security Top 10, you’ll see very quickly that only very few of them can even be reliably detected by automated means such as SAST, DAST and IAST tools. In this talk, I’ll explain why this is the case, and show you a more sustainable approach to covering common vulnerability types. What we’ll cover:
- An overview of automated tool types (SAST, DAST, IAST, …)
- Strengths and weaknesses of each type
- Vulnerabilities that can be covered by them (spoiler: surprisingly few)
- We’ll base this on the OWASP Top 10 and the OWASP API Security Top 10
- New developments in the area of security automation
- More sustainable approaches to security assurance
- Examples will focus on web and mobile applications, REST-based APIs and Single Page Applications (SPAs)
Be ready to overthrow your software security assurance program!
Thomas Konrad, SBA Research
Talk language: English
About the Speaker:
Thomas Konrad is Principal Security Consultant at SBA Research and has been part of the software security team since 2010. He focuses on secure software development, web application security, penetration testing, secure software design, architecture, and process, and trains software development teams in those areas.
18:15: Talk “Vendors vs. The Truth – Scan Tools And The OWASP Top 10” by Thomas Konrad
19:15: Virtual socializing!