AppSec California 2020, January 21-24 at the Annenberg Beach House, Santa Monica, CA
Thursday, January 23 • 1:15pm - 1:50pm
Vendor Spotlight Talk: Shiftleft: Beyond the Top 10: Finding Business Logic Flaws, Data Leakage and Hard-Coded Secrets in Development

Sign up or log in to save this to your schedule, view media, leave feedback and see who's attending!

Feedback form is now closed.
The focus of many application security programs has long been the OWASP Top 10 or SANS Top 25 vulnerabilities. While there are many SAST solutions that can identify these technical vulnerabilities such as SQLi, CSRF or XEE, SAST is not effective in identifying vulnerabilities that require context such as conditions leading to business logic, data leakage or hard-coded secrets.

While pattern-matching techniques can be used to identify the symptoms of an injection vulnerability across any code-base, pattern-matching is not sufficient for business logic, data leakage or hard-coded secrets because these issues are unique to each code-base. Manual code review or penetration testing can help, but neither scales to the pace of modern release velocities.

This presentation will cover:
  1. Identifying sensitive data variables and mapping their flows across all sources and sinks
  2. Finding the conditions leading to business logic flaws
  3. Identifying hard-coded secrets and literals in source code such as usernames, passwords, tokens and API keys
  4. How-to insert the above security checks into pull requests or builds w/o slowing releases down


Arun Balakrishnan

Director of Product Management, ShiftLeft

Thursday January 23, 2020 1:15pm - 1:50pm PST
Sand and Sea Room