The focus of many application security programs has long been the OWASP Top 10 or SANS Top 25 vulnerabilities. While there are many SAST solutions that can identify these technical vulnerabilities such as SQLi, CSRF or XEE, SAST is not effective in identifying vulnerabilities that require context such as conditions leading to business logic, data leakage or hard-coded secrets.
While pattern-matching techniques can be used to identify the symptoms of an injection vulnerability across any code-base, pattern-matching is not sufficient for business logic, data leakage or hard-coded secrets because these issues are unique to each code-base. Manual code review or penetration testing can help, but neither scales to the pace of modern release velocities.
This presentation will cover:
- Identifying sensitive data variables and mapping their flows across all sources and sinks
- Finding the conditions leading to business logic flaws
- Identifying hard-coded secrets and literals in source code such as usernames, passwords, tokens and API keys
- How-to insert the above security checks into pull requests or builds w/o slowing releases down
