Verifying Software for Security Bugs - Dynamic Analysis and Fuzzing Testing

OWASP Foundation via YouTube

Overview

Explore dynamic analysis and fuzzing testing techniques in this 50-minute OWASP Foundation talk on software security verification. Learn about current verification technologies for identifying security mitigation gaps and vulnerabilities in software implementations. Discover how to implement comprehensive testing batteries to ensure product safety before release, aligning with Application Assurance processes. Get introduced to BinSecSweeper, an open-source, cross-platform tool for security binary analysis of PE and ELF file formats. Gain insights into compliance with Application Assurance best practices and identifying insecure applications in networks. Essential viewing for software developers and AppSec professionals seeking to enhance their security verification processes.

Syllabus

Intro
TALK OBJECTIVES
AGENDA
SECURE DEVELOPMENT: VERIFICATION
OPENSAMM
MICROSOFT SDL
IT'S ABOUT SAVING MONEY!
OTHER VERIFICATION TOOLS
1. BINSCOPE
1. CURRENT VERIFICATION TOOLS
1. BINARY INTELLIGENCE
WHY BINSECSWEEPER?
FEATURES
BINSECSWEEPER IN ACTION (I)
CURRENT WINDOWS CHECKS
CURRENT LINUX CHECKS
2. PLUGIN EXAMPLE: TEST PLUGIN
2. PLUGIN EXAMPLE: WINDOWS ASLR
2. PLUGIN EXAMPLE: LINUX FORTIFY_SOURCE
2. REPORTING
2. BINSECSWEEPER: WHAT'S NEXT
2. BINSECSWEEPER: WHERE?
TIME FOR SOME ACTION
CASE STUDY I: VERIFY YOUR OWN SOFTWARE
POSTURE, AMCE INC
CASE STUDY III: BROWSER SECURITY COMPARISON
VERIFYING SOFTWARE SECURITY POSTURE MATTERS!
BINSECSWEEPER: CALL TO ARMS
REFERENCES
Q&A

Taught by

OWASP Foundation
