Upgrade to Pro
— share decks privately, control downloads, hide ads and more …
Speaker Deck
Features
Speaker Deck
PRO
Sign in
Sign up for free
Search
Search
Dynamic App Patching
Search
Jon Rose
January 01, 2010
Technology
100
2
Share
Embed
Copy iframe code
Copy JS code
Copy link
Start on current slide
Dynamic App Patching
Jon Rose
January 01, 2010
More Decks by Jon Rose
See All by Jon Rose
Agile Security
jonrose
1
190
Decoding Bug Bounty Programs
jonrose
1
560
Builders Vs. Breakers AppSec 2012
jonrose
2
240
Rich Internet Application Security
jonrose
2
110
Cloudy with a chance of 0-day
jonrose
1
100
Deblaze - A remote method enumeration tool for flex servers
jonrose
3
220
Deblaze - A Remote Method Enumeration Tool for Flex Servers, Defcon
jonrose
2
160
CodeSearch0day
jonrose
1
74
Other Decks in Technology
See All in Technology
脱金融のフューチャー・デザイン / Future Design Beyond Finance
ks91
PRO
0
140
キャリアの中で本を作る / Making a Book During Your Career
ak1210
0
130
Foxgloveについて 実際にExtensionを開発して公開するまでの話 / About Foxglove: The Story of Developing and Releasing an Extension
ry0_ka
0
190
そのタスクオンスケですか?
poropinai1966
0
150
証券システムを10年Scalaで作り続けるということ - 関数型まつり2026
krrrr38
3
820
Amazon EVS で VCF 9.0 / 9.1 のサポート開始まとめ
mtoyoda
0
290
なぜ人は自分のプロジェクトを 「なんちゃってアジャイル」と 自嘲するのか
kozotaira
0
280
[2026-07-15] AI Ready なはずだったアーキテクチャと、見えてきた課題・次に目指す状態
wxyzzz
4
1.9k
デジタル・デザイン構想 by Sayaka Ishizuka
y150saya
0
200
ループエンジニアリングでE2Eテストを実践
noriyukitakei
0
330
AI Driven AI Governance
pict3
0
320
美しいコードを書くためにF#を学んでみた話
yud0uhu
1
400
Featured
See All Featured
A Modern Web Designer's Workflow
chriscoyier
698
190k
Taking LLMs out of the black box: A practical guide to human-in-the-loop distillation
inesmontani
PRO
3
2.3k
Into the Great Unknown - MozCon
thekraken
41
2.6k
Code Review Best Practice
trishagee
74
20k
How to train your dragon (web standard)
notwaldorf
97
6.7k
The Spectacular Lies of Maps
axbom
PRO
1
850
First, design no harm
axbom
PRO
2
1.2k
KATA
mclloyd
PRO
35
15k
Bioeconomy Workshop: Dr. Julius Ecuru, Opportunities for a Bioeconomy in West Africa
akademiya2063
PRO
1
170
AI Search: Where Are We & What Can We Do About It?
aleyda
0
7.7k
Lightning Talk: Beautiful Slides for Beginners
inesmontani
PRO
2
600
How to Build an AI Search Optimization Roadmap - Criteria and Steps to Take #SEOIRL
aleyda
1
2.1k
Transcript
Resolving*Applica/on* Vulnerabili/es* Blending(App(Scanners,(WAF’s,( and(Code(Instrumenta:on(
Agenda( • The(Problem( • Iden:fying(Risk( – Web(App(Scanning( – Code(Review( •
Mi:ga:ng(Risks( – Code(Patches( – Web(Applica:on(Firewall( • A(Blended(Solu:on(
The(Problem( • Web(apps(have(security(vulnerabili:es( ( • Feature(deadlines( • Inexperienced( developers( •
Poor(system( administra:on( • Insecure(defaults( • Vulnerable(libraries(
The(Threat(Is(Increasing( AHackers(techniques(&(toolkits(have(advanced(
CrossKEyed(( Scrip:ng( ( Click(Jacking( ( GIFAR( ( Deblaze( ( (
Recent(AHacks(
Common(Approaches( Iden:fica:on( – Web(Applica:on(Scanning( – Code(Review( ( Remedia:on( – Web(Applica:on(Firewall( – Code(Patches( (
Iden:fica:on(
Web(App(Scanning(K(Strengths( • Easily(finds(common( vulnerabili:es( • Language(/(PlaTorm( independent( • Fast(and(Repeatable( •
CostKeffec:ve(( • Consistent(Repor:ng(
Web(App(Scanning(K(Weaknesses( • AHack(Surface(Coverage( • Detec:ng(complex(&( unique(flaws( ( • Pinpoint(vulnerable(code( loca:on(
• Providing(specific( recommenda:ons(
Code(Review(K(Strengths( • Iden:fy(logic(flaws( • Uncover(hard(to( discover(bugs( • Code(coverage( • Pinpoints(vulnerable(
code(loca:on(
Code(Review(K(Weaknesses( • Resource(Intensive( • Expensive( • Slow( • Requires(source(code( •
Requires(tuning(and( configura:on(
Mi:ga:on(Techniques(
Web(App(Firewall(K(Strengths( • Cost(Effec:ve( • Reduces(vulnerability( exposure(( • Provides(breathing( room(for(fixes( •
Dynamic(Patching(
Web(App(Firewall(K(Weaknesses( • Advanced(configura:on( requires(manual(tuning( • May(lead(to(false(sense( of(security( • Another(device/ Applica:on(to(manage(
Code(Patches(K(Strengths( • Solves(the(root(cause(of( the(issue( • Raises(developers( security(awareness( • Increases(applica:on( reliability(
Code(Patches(K(Weaknesses( • Resource(intensive( • Costly( • Slow( • Third(Party(Developers( •
Legacy(Apps(
Blended(Approach( Web(App(Scanner( App(Server( Instrumenta:on( App(Firewall(
How(It(Works(–(Instrumenta:on( • Aspect(Orientated(Programming((AOP)( – Apply(security(checks(and(controls(across(an( applica:on(without(modifying(the(source(code( Input( Output( Target(Applica:on(
How(It(Works(–(Instrumenta:on( • Aspect(Orientated(Programming((AOP)( – Apply(security(checks(and(controls(across(an( applica:on(without(modifying(the(source(code( Input( Output( Target(Applica:on( AOP(Checks(and( controls(
on(entry(and(end(points((
AOP(Advice( • Input/output(valida:on( • Logging( • Access(control( • Error(handling( •
Transac:on(management( • Session(management( Method( AOP(Advice( Method(
AOP(as(a(WAF( • Intercept(HTTP(requests(and(responses( – Input(valida:on( – Session(Management( – Output(encoding( – Filter(informa:on(leakage(
Blended(Approach( Web(App(Scanner( App(Server( Instrumenta:on( App(Firewall( Provides(input(variables( Coverage(&(data(flow(( Provides(dynamic(patch(info( Retest(verifies(fixes( Intercepts((
Requests(&(Responses(
Applica:on(Instrumenta:on( • Provide(aHack(surface(details(to(Applica:on( Scanner( • Iden:fy(Scanner(code(coverage( • Generate(dynamic(patches(based(on(scanner( results(
Similar(Solu:ons(
Next(Steps( • Further(research(on( applying(AOP( Instrumenta:on( • AOP(based(WAF( • Integrate(Scanner( technology(
Conclusion( • Blended(App(Scanner,(WAF,(and( Instrumenta:on(provides:( – Cost(effec:ve( – Efficient( – Comprehensive( – Scalable( – Repeatable( – Consistent(results(
Ques:ons((
None
Introspec:on(
Addi:onal(Checks( • Regularly(checks(config( file(for(insecure(seangs( • Monitor(files(in(the( webroot( • Determines(all( applica:on(input(by(
evalua:ng(applica:on( code( • Trace(SQL( • Intercepts(all(requests/ responses( • Basic(WAF(capability(