AppSec & DevSecOps
R3-2F. “Vulnerability Scanning Your Web Applications Is A Trap and What To Do Instead”
Thursday, June 13, 2024 1:15 PM - 2:15 PM
Room 2F
In the rapidly evolving landscape of cybersecurity, safeguarding applications against malicious attacks is paramount. This presentation delves into the intricate world of application security, specifically contrasting the effectiveness of manual application penetration testing with automated vulnerability scanning. We begin by establishing the foundational principles of application security (with a focus on web applications), highlighting the diverse range of threats and vulnerabilities that modern applications face. The core of the presentation is a comparison results obtained by automated vulnerability scanning tools and the superior results possible through manual security testing. We discuss the limitations of these tools, particularly their inability to contextually understand complex, logic-based vulnerabilities and the high rate of false positives and negatives. We will conclude the talk with a live demo of automated and manual security testing of a deliberately vulnerable web application (supplied by the OWASP foundation) in a virtual machine to demonstrate the kinds of security flaws manual application security testing can uncover. This presentation is a call to action for organizations to recognize the superiority of manual penetration testing and to invest in skilled professionals who can navigate the complex landscape of application security.
After the session, learner will be able to: • Understand the foundational principles of application security with an emphasis on web applications. • Compare the effectiveness of automated vulnerability scanning tools versus manual application penetration testing. • Gain insight into the advantages of manual security testing through a live demonstration. • Learn about the practical application of security testing using tools provided by the OWASP foundation on a deliberately vulnerable web application. • Acknowledge the value of investing in skilled professionals for manual penetration testing to enhance organizational cybersecurity.