SlideShare ist ein Scribd-Unternehmen logo

Graph Visualization - OWASP NYC Chapter

Checkmarx
Checkmarx

The presentation that was given by Maty Siman, Checkmarx's CTO during the OWASP NYC/NJ local chapter meeting held on the 11th of April 2013.

Technologie
1 von 23
OWASP NYC Maty Title in white and bold Siman
About Maty Siman, CISSP CTO, Founder – Checkmarx: Leading SAST (“Source Code Analysis”) Vendor Hundreds of customers WW Secures SalesForce AppExchange market Title in white and bold “Visionary” by Gartner
Graph Visualization Title in white and bold
Issues at hand – size, complexity, volume The biggest challenge of current source code analysis solutions is size- How to deliver: 1. Usable results 2. Automatically Title in white and bold 3. Out-of-the-box 4. Actionable for extra large code bases with thousands+ of results
Issue • Findings thousands accurate results, does not make us happy … • Webgoat, for example, has hundreds of XSS • We’ll narrow this down to 10 fixing places Title in white and bold
Current situation • Each result has a data flow, presented independently from other findings. Title in white and bold
Single Data Flow Path - XSS Request.QueryString*“param1”+; String s = Request.QueryString*“param1”+; … s Response.Write(s); Response.Write(s); Title in white and bold
Current situation • One is easy. • And 14? Title in white and bold
Many Single-Path – XSS – a lot of work Title in white and bold
But … • What do they have in common? Title in white and bold
Combined paths Title in white and bold
Can we … • Point, click and check without even READING the source code? • “What if I fix here? Or here?” Title in white and bold
Here it is more effective Title in white and bold
What-If I fix here? Title in white and bold
And here? Title in white and bold
Automatic “What-if” => Best Fix Location Max-Flow-Min-Cut (http://en.wikipedia.org/wiki/Max-flow_min-cut_theorem_ Title in white and bold
Simplifying the graph – step 1 - grouping Title in white and bold
Simplifying the graph – step 2 – homeograph’ing (http://enc.tfode.com/Homeomorphism_(graph_theory)) Title in white and bold
Simplifying the graph - output Title in white and bold
Simplifying the graph - output Title in white and bold
Compare the three Title in white and bold Space Invader
Benefits • Gives you the correlation between findings of the same type (SQLi) and different types. • You are not dealing with individual findings – but with a complete system •Title inyour time bold Use white and better
Thank you Title in white and bold maty@checkmarx.com

Empfohlen

Similarity at scale
Similarity at scaleSimilarity at scale
Similarity at scaleKen Krugler
 
Designing and Building a Graph Database Application – Architectural Choices, ...
Designing and Building a Graph Database Application – Architectural Choices, ...Designing and Building a Graph Database Application – Architectural Choices, ...
Designing and Building a Graph Database Application – Architectural Choices, ...Neo4j
 
Graph databases
Graph databasesGraph databases
Graph databasesKarol Grzegorczyk
 
Welcome to Apache OpenOffice 4
Welcome to Apache OpenOffice 4Welcome to Apache OpenOffice 4
Welcome to Apache OpenOffice 4imacat .
 
DevSecOps in Baby Steps
DevSecOps in Baby StepsDevSecOps in Baby Steps
DevSecOps in Baby StepsPriyanka Aash
 
[ITAS.VN]CxSuite Enterprise Edition
[ITAS.VN]CxSuite Enterprise Edition[ITAS.VN]CxSuite Enterprise Edition
[ITAS.VN]CxSuite Enterprise EditionITAS VIETNAM
 
Application Security Guide for Beginners
Application Security Guide for Beginners Application Security Guide for Beginners
Application Security Guide for Beginners Checkmarx
 
DevOps & Security: Here & Now
DevOps & Security: Here & NowDevOps & Security: Here & Now
DevOps & Security: Here & NowCheckmarx
 

Empfohlen

Similarity at scale
Similarity at scaleSimilarity at scale
Similarity at scaleKen Krugler
 
Designing and Building a Graph Database Application – Architectural Choices, ...
Designing and Building a Graph Database Application – Architectural Choices, ...Designing and Building a Graph Database Application – Architectural Choices, ...
Designing and Building a Graph Database Application – Architectural Choices, ...Neo4j
 
Graph databases
Graph databasesGraph databases
Graph databasesKarol Grzegorczyk
 
Welcome to Apache OpenOffice 4
Welcome to Apache OpenOffice 4Welcome to Apache OpenOffice 4
Welcome to Apache OpenOffice 4imacat .
 
DevSecOps in Baby Steps
DevSecOps in Baby StepsDevSecOps in Baby Steps
DevSecOps in Baby StepsPriyanka Aash
 
[ITAS.VN]CxSuite Enterprise Edition
[ITAS.VN]CxSuite Enterprise Edition[ITAS.VN]CxSuite Enterprise Edition
[ITAS.VN]CxSuite Enterprise EditionITAS VIETNAM
 
Application Security Guide for Beginners
Application Security Guide for Beginners Application Security Guide for Beginners
Application Security Guide for Beginners Checkmarx
 
DevOps & Security: Here & Now
DevOps & Security: Here & NowDevOps & Security: Here & Now
DevOps & Security: Here & NowCheckmarx
 
Implementing an Application Security Pipeline in Jenkins
Implementing an Application Security Pipeline in JenkinsImplementing an Application Security Pipeline in Jenkins
Implementing an Application Security Pipeline in JenkinsSuman Sourav
 
DevSecOps Singapore 2017 - Security in the Delivery Pipeline
DevSecOps Singapore 2017 - Security in the Delivery PipelineDevSecOps Singapore 2017 - Security in the Delivery Pipeline
DevSecOps Singapore 2017 - Security in the Delivery PipelineJames Wickett
 
Happy New Year!
Happy New Year!Happy New Year!
Happy New Year!Checkmarx
 
Devops security-An Insight into Secure-SDLC
Devops security-An Insight into Secure-SDLCDevops security-An Insight into Secure-SDLC
Devops security-An Insight into Secure-SDLCSuman Sourav
 
A Successful SAST Tool Implementation
A Successful SAST Tool ImplementationA Successful SAST Tool Implementation
A Successful SAST Tool ImplementationCheckmarx
 
Security Tests as Part of CI - Nir Koren, SAP - DevOpsDays Tel Aviv 2015
Security Tests as Part of CI - Nir Koren, SAP - DevOpsDays Tel Aviv 2015Security Tests as Part of CI - Nir Koren, SAP - DevOpsDays Tel Aviv 2015
Security Tests as Part of CI - Nir Koren, SAP - DevOpsDays Tel Aviv 2015DevOpsDays Tel Aviv
 
Application Security Management with ThreadFix
Application Security Management with ThreadFixApplication Security Management with ThreadFix
Application Security Management with ThreadFixVirtual Forge
 
Bringing Security Testing to Development: How to Enable Developers to Act as ...
Bringing Security Testing to Development: How to Enable Developers to Act as ...Bringing Security Testing to Development: How to Enable Developers to Act as ...
Bringing Security Testing to Development: How to Enable Developers to Act as ...Achim D. Brucker
 
DEVSECOPS: Coding DevSecOps journey
DEVSECOPS: Coding DevSecOps journeyDEVSECOPS: Coding DevSecOps journey
DEVSECOPS: Coding DevSecOps journeyJason Suttie
 
The Right Data for the Right Job
The Right Data for the Right JobThe Right Data for the Right Job
The Right Data for the Right JobEmily Curtin
 
The Road To Damascus - A Conversion Experience: LotusScript and @Formula to SSJS
The Road To Damascus - A Conversion Experience: LotusScript and @Formula to SSJSThe Road To Damascus - A Conversion Experience: LotusScript and @Formula to SSJS
The Road To Damascus - A Conversion Experience: LotusScript and @Formula to SSJSmfyleman
 
Schema Design
Schema DesignSchema Design
Schema DesignMongoDB
 
Webinar: Simpler Semantic Search with Solr
Webinar: Simpler Semantic Search with SolrWebinar: Simpler Semantic Search with Solr
Webinar: Simpler Semantic Search with SolrLucidworks
 
Data cleanup
Data cleanupData cleanup
Data cleanupTom McGee
 
To scale or not to scale: Key/Value, Document, SQL, JPA – What’s right for my...
To scale or not to scale: Key/Value, Document, SQL, JPA – What’s right for my...To scale or not to scale: Key/Value, Document, SQL, JPA – What’s right for my...
To scale or not to scale: Key/Value, Document, SQL, JPA – What’s right for my...Uri Cohen
 
Cassandra Summit 2014: Fuzzy Entity Matching at Scale
Cassandra Summit 2014: Fuzzy Entity Matching at ScaleCassandra Summit 2014: Fuzzy Entity Matching at Scale
Cassandra Summit 2014: Fuzzy Entity Matching at ScaleDataStax Academy
 
Automating With Excel An Object Oriented Approach
Automating With Excel An Object Oriented ApproachAutomating With Excel An Object Oriented Approach
Automating With Excel An Object Oriented ApproachRazorleaf Corporation
 
MongoDB 3.0
MongoDB 3.0 MongoDB 3.0
MongoDB 3.0 Victoria Malaya
 
Deep Learning Summit (DLS01-4)
Deep Learning Summit (DLS01-4)Deep Learning Summit (DLS01-4)
Deep Learning Summit (DLS01-4)Amazon Web Services
 
Data Processing and Aggregation with MongoDB
Data Processing and Aggregation with MongoDB Data Processing and Aggregation with MongoDB
Data Processing and Aggregation with MongoDB MongoDB
 
Sharing a Startup’s Big Data Lessons
Sharing a Startup’s Big Data LessonsSharing a Startup’s Big Data Lessons
Sharing a Startup’s Big Data LessonsGeorge Stathis
 
bccon-2014 dev03 xpages-road_to_damascas-lotus-script-and-@formula-to-ssjs
bccon-2014 dev03 xpages-road_to_damascas-lotus-script-and-@formula-to-ssjsbccon-2014 dev03 xpages-road_to_damascas-lotus-script-and-@formula-to-ssjs
bccon-2014 dev03 xpages-road_to_damascas-lotus-script-and-@formula-to-ssjsICS User Group
 

Weitere ähnliche Inhalte

Andere mochten auch

Implementing an Application Security Pipeline in Jenkins
Implementing an Application Security Pipeline in JenkinsImplementing an Application Security Pipeline in Jenkins
Implementing an Application Security Pipeline in JenkinsSuman Sourav
 
DevSecOps Singapore 2017 - Security in the Delivery Pipeline
DevSecOps Singapore 2017 - Security in the Delivery PipelineDevSecOps Singapore 2017 - Security in the Delivery Pipeline
DevSecOps Singapore 2017 - Security in the Delivery PipelineJames Wickett
 
Happy New Year!
Happy New Year!Happy New Year!
Happy New Year!Checkmarx
 
Devops security-An Insight into Secure-SDLC
Devops security-An Insight into Secure-SDLCDevops security-An Insight into Secure-SDLC
Devops security-An Insight into Secure-SDLCSuman Sourav
 
A Successful SAST Tool Implementation
A Successful SAST Tool ImplementationA Successful SAST Tool Implementation
A Successful SAST Tool ImplementationCheckmarx
 
Security Tests as Part of CI - Nir Koren, SAP - DevOpsDays Tel Aviv 2015
Security Tests as Part of CI - Nir Koren, SAP - DevOpsDays Tel Aviv 2015Security Tests as Part of CI - Nir Koren, SAP - DevOpsDays Tel Aviv 2015
Security Tests as Part of CI - Nir Koren, SAP - DevOpsDays Tel Aviv 2015DevOpsDays Tel Aviv
 
Application Security Management with ThreadFix
Application Security Management with ThreadFixApplication Security Management with ThreadFix
Application Security Management with ThreadFixVirtual Forge
 
Bringing Security Testing to Development: How to Enable Developers to Act as ...
Bringing Security Testing to Development: How to Enable Developers to Act as ...Bringing Security Testing to Development: How to Enable Developers to Act as ...
Bringing Security Testing to Development: How to Enable Developers to Act as ...Achim D. Brucker
 
DEVSECOPS: Coding DevSecOps journey
DEVSECOPS: Coding DevSecOps journeyDEVSECOPS: Coding DevSecOps journey
DEVSECOPS: Coding DevSecOps journeyJason Suttie
 

Andere mochten auch (9)

Implementing an Application Security Pipeline in Jenkins
Implementing an Application Security Pipeline in JenkinsImplementing an Application Security Pipeline in Jenkins
Implementing an Application Security Pipeline in Jenkins
 
DevSecOps Singapore 2017 - Security in the Delivery Pipeline
DevSecOps Singapore 2017 - Security in the Delivery PipelineDevSecOps Singapore 2017 - Security in the Delivery Pipeline
DevSecOps Singapore 2017 - Security in the Delivery Pipeline
 
Happy New Year!
Happy New Year!Happy New Year!
Happy New Year!
 
Devops security-An Insight into Secure-SDLC
Devops security-An Insight into Secure-SDLCDevops security-An Insight into Secure-SDLC
Devops security-An Insight into Secure-SDLC
 
A Successful SAST Tool Implementation
A Successful SAST Tool ImplementationA Successful SAST Tool Implementation
A Successful SAST Tool Implementation
 
Security Tests as Part of CI - Nir Koren, SAP - DevOpsDays Tel Aviv 2015
Security Tests as Part of CI - Nir Koren, SAP - DevOpsDays Tel Aviv 2015Security Tests as Part of CI - Nir Koren, SAP - DevOpsDays Tel Aviv 2015
Security Tests as Part of CI - Nir Koren, SAP - DevOpsDays Tel Aviv 2015
 
Application Security Management with ThreadFix
Application Security Management with ThreadFixApplication Security Management with ThreadFix
Application Security Management with ThreadFix
 
Bringing Security Testing to Development: How to Enable Developers to Act as ...
Bringing Security Testing to Development: How to Enable Developers to Act as ...Bringing Security Testing to Development: How to Enable Developers to Act as ...
Bringing Security Testing to Development: How to Enable Developers to Act as ...
 
DEVSECOPS: Coding DevSecOps journey
DEVSECOPS: Coding DevSecOps journeyDEVSECOPS: Coding DevSecOps journey
DEVSECOPS: Coding DevSecOps journey
 

Ähnlich wie Graph Visualization - OWASP NYC Chapter

The Right Data for the Right Job
The Right Data for the Right JobThe Right Data for the Right Job
The Right Data for the Right JobEmily Curtin
 
The Road To Damascus - A Conversion Experience: LotusScript and @Formula to SSJS
The Road To Damascus - A Conversion Experience: LotusScript and @Formula to SSJSThe Road To Damascus - A Conversion Experience: LotusScript and @Formula to SSJS
The Road To Damascus - A Conversion Experience: LotusScript and @Formula to SSJSmfyleman
 
Schema Design
Schema DesignSchema Design
Schema DesignMongoDB
 
Webinar: Simpler Semantic Search with Solr
Webinar: Simpler Semantic Search with SolrWebinar: Simpler Semantic Search with Solr
Webinar: Simpler Semantic Search with SolrLucidworks
 
Data cleanup
Data cleanupData cleanup
Data cleanupTom McGee
 
To scale or not to scale: Key/Value, Document, SQL, JPA – What’s right for my...
To scale or not to scale: Key/Value, Document, SQL, JPA – What’s right for my...To scale or not to scale: Key/Value, Document, SQL, JPA – What’s right for my...
To scale or not to scale: Key/Value, Document, SQL, JPA – What’s right for my...Uri Cohen
 
Cassandra Summit 2014: Fuzzy Entity Matching at Scale
Cassandra Summit 2014: Fuzzy Entity Matching at ScaleCassandra Summit 2014: Fuzzy Entity Matching at Scale
Cassandra Summit 2014: Fuzzy Entity Matching at ScaleDataStax Academy
 
Automating With Excel An Object Oriented Approach
Automating With Excel An Object Oriented ApproachAutomating With Excel An Object Oriented Approach
Automating With Excel An Object Oriented ApproachRazorleaf Corporation
 
Data Processing and Aggregation with MongoDB
Data Processing and Aggregation with MongoDB Data Processing and Aggregation with MongoDB
Data Processing and Aggregation with MongoDB MongoDB
 
Sharing a Startup’s Big Data Lessons
Sharing a Startup’s Big Data LessonsSharing a Startup’s Big Data Lessons
Sharing a Startup’s Big Data LessonsGeorge Stathis
 
bccon-2014 dev03 xpages-road_to_damascas-lotus-script-and-@formula-to-ssjs
bccon-2014 dev03 xpages-road_to_damascas-lotus-script-and-@formula-to-ssjsbccon-2014 dev03 xpages-road_to_damascas-lotus-script-and-@formula-to-ssjs
bccon-2014 dev03 xpages-road_to_damascas-lotus-script-and-@formula-to-ssjsICS User Group
 
20140612 phila sug proc import
20140612 phila sug proc import20140612 phila sug proc import
20140612 phila sug proc importDavid Horvath
 
CoreML for NLP (Melb Cocoaheads 08/02/2018)
CoreML for NLP (Melb Cocoaheads 08/02/2018)CoreML for NLP (Melb Cocoaheads 08/02/2018)
CoreML for NLP (Melb Cocoaheads 08/02/2018)Hon Weng Chong
 
Child Themes, Starter Themes, and Frameworks.... Oh My!
Child Themes, Starter Themes, and Frameworks.... Oh My!Child Themes, Starter Themes, and Frameworks.... Oh My!
Child Themes, Starter Themes, and Frameworks.... Oh My!Julie Kuehl
 
managing big data
managing big datamanaging big data
managing big dataSuveeksha
 
PyData Amsterdam - Name Matching at Scale
PyData Amsterdam - Name Matching at ScalePyData Amsterdam - Name Matching at Scale
PyData Amsterdam - Name Matching at ScaleGoDataDriven
 
Creating an Open Source Genealogical Search Engine with Apache Solr
Creating an Open Source Genealogical Search Engine with Apache SolrCreating an Open Source Genealogical Search Engine with Apache Solr
Creating an Open Source Genealogical Search Engine with Apache SolrBrooke Ganz
 
Regular expressions
Regular expressionsRegular expressions
Regular expressionsEran Zimbler
 

Ähnlich wie Graph Visualization - OWASP NYC Chapter (20)

The Right Data for the Right Job
The Right Data for the Right JobThe Right Data for the Right Job
The Right Data for the Right Job
 
The Road To Damascus - A Conversion Experience: LotusScript and @Formula to SSJS
The Road To Damascus - A Conversion Experience: LotusScript and @Formula to SSJSThe Road To Damascus - A Conversion Experience: LotusScript and @Formula to SSJS
The Road To Damascus - A Conversion Experience: LotusScript and @Formula to SSJS
 
Schema Design
Schema DesignSchema Design
Schema Design
 
Webinar: Simpler Semantic Search with Solr
Webinar: Simpler Semantic Search with SolrWebinar: Simpler Semantic Search with Solr
Webinar: Simpler Semantic Search with Solr
 
Data cleanup
Data cleanupData cleanup
Data cleanup
 
To scale or not to scale: Key/Value, Document, SQL, JPA – What’s right for my...
To scale or not to scale: Key/Value, Document, SQL, JPA – What’s right for my...To scale or not to scale: Key/Value, Document, SQL, JPA – What’s right for my...
To scale or not to scale: Key/Value, Document, SQL, JPA – What’s right for my...
 
Cassandra Summit 2014: Fuzzy Entity Matching at Scale
Cassandra Summit 2014: Fuzzy Entity Matching at ScaleCassandra Summit 2014: Fuzzy Entity Matching at Scale
Cassandra Summit 2014: Fuzzy Entity Matching at Scale
 
Automating With Excel An Object Oriented Approach
Automating With Excel An Object Oriented ApproachAutomating With Excel An Object Oriented Approach
Automating With Excel An Object Oriented Approach
 
MongoDB 3.0
MongoDB 3.0 MongoDB 3.0
MongoDB 3.0
 
Deep Learning Summit (DLS01-4)
Deep Learning Summit (DLS01-4)Deep Learning Summit (DLS01-4)
Deep Learning Summit (DLS01-4)
 
Data Processing and Aggregation with MongoDB
Data Processing and Aggregation with MongoDB Data Processing and Aggregation with MongoDB
Data Processing and Aggregation with MongoDB
 
Sharing a Startup’s Big Data Lessons
Sharing a Startup’s Big Data LessonsSharing a Startup’s Big Data Lessons
Sharing a Startup’s Big Data Lessons
 
bccon-2014 dev03 xpages-road_to_damascas-lotus-script-and-@formula-to-ssjs
bccon-2014 dev03 xpages-road_to_damascas-lotus-script-and-@formula-to-ssjsbccon-2014 dev03 xpages-road_to_damascas-lotus-script-and-@formula-to-ssjs
bccon-2014 dev03 xpages-road_to_damascas-lotus-script-and-@formula-to-ssjs
 
20140612 phila sug proc import
20140612 phila sug proc import20140612 phila sug proc import
20140612 phila sug proc import
 
CoreML for NLP (Melb Cocoaheads 08/02/2018)
CoreML for NLP (Melb Cocoaheads 08/02/2018)CoreML for NLP (Melb Cocoaheads 08/02/2018)
CoreML for NLP (Melb Cocoaheads 08/02/2018)
 
Child Themes, Starter Themes, and Frameworks.... Oh My!
Child Themes, Starter Themes, and Frameworks.... Oh My!Child Themes, Starter Themes, and Frameworks.... Oh My!
Child Themes, Starter Themes, and Frameworks.... Oh My!
 
managing big data
managing big datamanaging big data
managing big data
 
PyData Amsterdam - Name Matching at Scale
PyData Amsterdam - Name Matching at ScalePyData Amsterdam - Name Matching at Scale
PyData Amsterdam - Name Matching at Scale
 
Creating an Open Source Genealogical Search Engine with Apache Solr
Creating an Open Source Genealogical Search Engine with Apache SolrCreating an Open Source Genealogical Search Engine with Apache Solr
Creating an Open Source Genealogical Search Engine with Apache Solr
 
Regular expressions
Regular expressionsRegular expressions
Regular expressions
 

Mehr von Checkmarx

The Web AppSec How-To: The Defender's Toolbox
The Web AppSec How-To: The Defender's ToolboxThe Web AppSec How-To: The Defender's Toolbox
The Web AppSec How-To: The Defender's ToolboxCheckmarx
 
10 Tips to Keep Your Software a Step Ahead of the Hackers
10 Tips to Keep Your Software a Step Ahead of the Hackers10 Tips to Keep Your Software a Step Ahead of the Hackers
10 Tips to Keep Your Software a Step Ahead of the HackersCheckmarx
 
The 5 Biggest Benefits of Source Code Analysis
The 5 Biggest Benefits of Source Code AnalysisThe 5 Biggest Benefits of Source Code Analysis
The 5 Biggest Benefits of Source Code AnalysisCheckmarx
 
A Platform for Application Risk Intelligence
A Platform for Application Risk IntelligenceA Platform for Application Risk Intelligence
A Platform for Application Risk IntelligenceCheckmarx
 
How Virtual Compilation Transforms Static Code Analysis
How Virtual Compilation Transforms Static Code AnalysisHow Virtual Compilation Transforms Static Code Analysis
How Virtual Compilation Transforms Static Code AnalysisCheckmarx
 
Source Code vs. Binary Code Analysis
Source Code vs. Binary Code AnalysisSource Code vs. Binary Code Analysis
Source Code vs. Binary Code AnalysisCheckmarx
 
AppSec How-To: Achieving Security in DevOps
AppSec How-To: Achieving Security in DevOpsAppSec How-To: Achieving Security in DevOps
AppSec How-To: Achieving Security in DevOpsCheckmarx
 
The App Sec How-To: Choosing a SAST Tool
The App Sec How-To: Choosing a SAST ToolThe App Sec How-To: Choosing a SAST Tool
The App Sec How-To: Choosing a SAST ToolCheckmarx
 
The Security State of The Most Popular WordPress Plug-Ins
The Security State of The Most Popular WordPress Plug-InsThe Security State of The Most Popular WordPress Plug-Ins
The Security State of The Most Popular WordPress Plug-InsCheckmarx
 
10 Steps To Secure Agile Development
10 Steps To Secure Agile Development10 Steps To Secure Agile Development
10 Steps To Secure Agile DevelopmentCheckmarx
 

Mehr von Checkmarx (10)

The Web AppSec How-To: The Defender's Toolbox
The Web AppSec How-To: The Defender's ToolboxThe Web AppSec How-To: The Defender's Toolbox
The Web AppSec How-To: The Defender's Toolbox
 
10 Tips to Keep Your Software a Step Ahead of the Hackers
10 Tips to Keep Your Software a Step Ahead of the Hackers10 Tips to Keep Your Software a Step Ahead of the Hackers
10 Tips to Keep Your Software a Step Ahead of the Hackers
 
The 5 Biggest Benefits of Source Code Analysis
The 5 Biggest Benefits of Source Code AnalysisThe 5 Biggest Benefits of Source Code Analysis
The 5 Biggest Benefits of Source Code Analysis
 
A Platform for Application Risk Intelligence
A Platform for Application Risk IntelligenceA Platform for Application Risk Intelligence
A Platform for Application Risk Intelligence
 
How Virtual Compilation Transforms Static Code Analysis
How Virtual Compilation Transforms Static Code AnalysisHow Virtual Compilation Transforms Static Code Analysis
How Virtual Compilation Transforms Static Code Analysis
 
Source Code vs. Binary Code Analysis
Source Code vs. Binary Code AnalysisSource Code vs. Binary Code Analysis
Source Code vs. Binary Code Analysis
 
AppSec How-To: Achieving Security in DevOps
AppSec How-To: Achieving Security in DevOpsAppSec How-To: Achieving Security in DevOps
AppSec How-To: Achieving Security in DevOps
 
The App Sec How-To: Choosing a SAST Tool
The App Sec How-To: Choosing a SAST ToolThe App Sec How-To: Choosing a SAST Tool
The App Sec How-To: Choosing a SAST Tool
 
The Security State of The Most Popular WordPress Plug-Ins
The Security State of The Most Popular WordPress Plug-InsThe Security State of The Most Popular WordPress Plug-Ins
The Security State of The Most Popular WordPress Plug-Ins
 
10 Steps To Secure Agile Development
10 Steps To Secure Agile Development10 Steps To Secure Agile Development
10 Steps To Secure Agile Development
 

Kürzlich hochgeladen

A Call to Action for Generative AI in 2024
A Call to Action for Generative AI in 2024A Call to Action for Generative AI in 2024
A Call to Action for Generative AI in 2024Results
 
Partners Life - Insurer Innovation Award 2024
Partners Life - Insurer Innovation Award 2024Partners Life - Insurer Innovation Award 2024
Partners Life - Insurer Innovation Award 2024The Digital Insurer
 
How to convert PDF to text with Nanonets
How to convert PDF to text with NanonetsHow to convert PDF to text with Nanonets
How to convert PDF to text with Nanonetsnaman860154
 
Presentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreterPresentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreternaman860154
 
Handwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsHandwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsMaria Levchenko
 
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking MenDelhi Call girls
 
Boost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityBoost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityPrincipled Technologies
 
Scaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationScaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationRadu Cotescu
 
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...Neo4j
 
08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking MenDelhi Call girls
 
Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024The Digital Insurer
 
Automating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps ScriptAutomating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps Scriptwesley chun
 
Developing An App To Navigate The Roads of Brazil
Developing An App To Navigate The Roads of BrazilDeveloping An App To Navigate The Roads of Brazil
Developing An App To Navigate The Roads of BrazilV3cube
 
Data Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonData Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonAnna Loughnan Colquhoun
 
Breaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountBreaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountPuma Security, LLC
 
Unblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen FramesUnblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen FramesSinan KOZAK
 
IAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsIAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsEnterprise Knowledge
 
08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking MenDelhi Call girls
 
🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘RTylerCroy
 
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Miguel Araújo
 

Kürzlich hochgeladen (20)

A Call to Action for Generative AI in 2024
A Call to Action for Generative AI in 2024A Call to Action for Generative AI in 2024
A Call to Action for Generative AI in 2024
 
Partners Life - Insurer Innovation Award 2024
Partners Life - Insurer Innovation Award 2024Partners Life - Insurer Innovation Award 2024
Partners Life - Insurer Innovation Award 2024
 
How to convert PDF to text with Nanonets
How to convert PDF to text with NanonetsHow to convert PDF to text with Nanonets
How to convert PDF to text with Nanonets
 
Presentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreterPresentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreter
 
Handwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsHandwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed texts
 
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
 
Boost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityBoost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivity
 
Scaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationScaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organization
 
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
 
08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men
 
Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024
 
Automating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps ScriptAutomating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps Script
 
Developing An App To Navigate The Roads of Brazil
Developing An App To Navigate The Roads of BrazilDeveloping An App To Navigate The Roads of Brazil
Developing An App To Navigate The Roads of Brazil
 
Data Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonData Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt Robison
 
Breaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountBreaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path Mount
 
Unblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen FramesUnblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen Frames
 
IAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsIAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI Solutions
 
08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men
 
🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘
 
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
 

Graph Visualization - OWASP NYC Chapter

  • 1. OWASP NYC Maty Title in white and bold Siman
  • 2. About Maty Siman, CISSP CTO, Founder – Checkmarx: Leading SAST (“Source Code Analysis”) Vendor Hundreds of customers WW Secures SalesForce AppExchange market Title in white and bold “Visionary” by Gartner
  • 4. Issues at hand – size, complexity, volume The biggest challenge of current source code analysis solutions is size- How to deliver: 1. Usable results 2. Automatically Title in white and bold 3. Out-of-the-box 4. Actionable for extra large code bases with thousands+ of results
  • 5. Issue • Findings thousands accurate results, does not make us happy … • Webgoat, for example, has hundreds of XSS • We’ll narrow this down to 10 fixing places Title in white and bold
  • 6. Current situation • Each result has a data flow, presented independently from other findings. Title in white and bold
  • 7. Single Data Flow Path - XSS Request.QueryString*“param1”+; String s = Request.QueryString*“param1”+; … s Response.Write(s); Response.Write(s); Title in white and bold
  • 8. Current situation • One is easy. • And 14? Title in white and bold
  • 9. Many Single-Path – XSS – a lot of work Title in white and bold
  • 10. But … • What do they have in common? Title in white and bold
  • 11. Combined paths Title in white and bold
  • 12. Can we … • Point, click and check without even READING the source code? • “What if I fix here? Or here?” Title in white and bold
  • 13. Here it is more effective Title in white and bold
  • 14. What-If I fix here? Title in white and bold
  • 15. And here? Title in white and bold
  • 16. Automatic “What-if” => Best Fix Location Max-Flow-Min-Cut (http://en.wikipedia.org/wiki/Max-flow_min-cut_theorem_ Title in white and bold
  • 17. Simplifying the graph – step 1 - grouping Title in white and bold
  • 18. Simplifying the graph – step 2 – homeograph’ing (http://enc.tfode.com/Homeomorphism_(graph_theory)) Title in white and bold
  • 19. Simplifying the graph - output Title in white and bold
  • 20. Simplifying the graph - output Title in white and bold
  • 21. Compare the three Title in white and bold Space Invader
  • 22. Benefits • Gives you the correlation between findings of the same type (SQLi) and different types. • You are not dealing with individual findings – but with a complete system •Title inyour time bold Use white and better
  • 23. Thank you Title in white and bold maty@checkmarx.com

Hinweis der Redaktion

  1. That’s a data flow and how each step is reflected at the source code.
  2. And then we might have dozens of paths. How can we gain some more information?
  3. Let’s combine them together
  4. So this place is probably better. More paths get fixed
  5. If I fixed that point, what parts will be OK?
  6. And what about this one in here?
  7. So by fixing only three places in the code, we were able to fix…
  8. So by fixing only three places in the code, we were able to fix…
  9. So by fixing only three places in the code, we were able to fix…
  10. So by fixing only three places in the code, we were able to fix…
  11. So by fixing only three places in the code, we were able to fix…
  12. … this.