by Charles Henderson
Every developer wants to write secure code, and automated application security tools are an appealing choice for developers who might be looking for a silver bullet. However, manual security testing isn't going anywhere until the HAL application scanner comes online. This developer-centric presentation will use often humorous, real-world examples to illustrate the relative strengths and weaknesses of automated solutions and manual techniques.
Automated tools have some strengths, namely low incremental cost, detecting simple vulnerabilities, and performing highly repetitive tasks.
However, automated solutions are far from perfect. There are entire classes of vulnerabilities that are theoretically impossible for automated software to detect. Examples include complex information leakage, race conditions, logic flaws, design flaws, and multistage process attacks.
Beyond that, there are many vulnerabilities that are too complicated or obscure to practically detect with an automated tool.