
Application Security - Challenging Traditional Approaches and Controls

OWASP Foundation via YouTube

Overview

Explore a thought-provoking 44-minute conference talk challenging conventional wisdom in application security. Delve into Eoin Keary's critique of current testing methodologies, the limitations of time-constrained penetration testing, and the inconsistencies in security practices. Examine why relying solely on automated scanners is insufficient, and question the effectiveness of security consultants without coding experience. Discover why treating vulnerabilities like XSS and SQLi as separate issues may be counterproductive, and learn about the importance of "building security in" rather than "testing security out." Gain insights into asymmetric arms races, enterprise security intelligence, and the complexities of large-scale vulnerabilities in this OWASP Foundation presentation, which aims to change how organizations approach web security.

Syllabus

Intro
Organizations have no lack of relevancy
Loyalty bill hack
Statistics
Money
Software insecurity wrong
Asymmetric arms race
Traditional model
Too many variables
The accepted world
The attacker schedule
The idea of risk
Time-limited approach
Client-side tools
Internal tools
Cheeseburger analogy
Software food chain
Open-source vulnerability statistics
Spring vulnerability
Patch management
Biting off more
Large scale vulnerabilities
Where we are
Data consumption
Enterprise Security Intelligence
Information Flooding
Context
Compliance
Kinder Eggs
Legal in USA
Conclusion
Outro

Taught by

OWASP Foundation
