
Sinking Your Hooks in Applications

Joe Rozner, Richard Meester at AppSec USA 2015

Attackers typically have more compute resources and can spend far more time breaking the components of an application than the engineers who wrote them could spend in the first place. Since the pressure on developers is to release new code, even at the expense of security best practices, expecting every application vulnerability to be detected and remediated before an application ships is unrealistic to say the least.

One approach to combat this is to automatically build more security into the applications themselves. In this talk, the speakers will demonstrate techniques for hooking potentially vulnerable code paths in production applications and injecting code that introduces additional layers of security, without requiring developers to write any code or recompile the applications. Specific examples will be given of hooking Java, .NET and Ruby frameworks.
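To make the Ruby case concrete, the following is an added example and not code from the speakers or from Prevoty. It hooks a method on a hypothetical application class, `LegacyQueryExecutor`, by prepending a module at load time (Ruby's `Module#prepend`), so the guard runs before the original method without the class's source being touched or the application being rebuilt. The detection logic is a deliberately simple pattern heuristic standing in for a real detector; the class, the sample queries and the patterns are all constructed for the illustration.

```ruby
# Hypothetical application code, constructed for this example. In the scenario
# described in the talk this would be a framework method (a query executor, a
# template renderer) that the security layer never edits.
class LegacyQueryExecutor
  attr_reader :executed

  def initialize
    @executed = []
  end

  # Stands in for handing a SQL string to a database driver.
  def execute(sql)
    @executed << sql
    "ok:#{sql}"
  end
end

# The injected security layer: a module prepended onto the class, so that its
# #execute is found first in the method lookup and decides whether to call the
# original via super.
module SqlInjectionGuard
  class BlockedQueryError < StandardError; end

  # Illustrative heuristics only; a real detector would parse the statement.
  SUSPICIOUS = [
    /;\s*\w/,                                  # stacked statement after ';'
    /--/,                                      # SQL line comment
    %r{/\*},                                   # block comment
    /\bunion\b.*\bselect\b/i,                  # UNION SELECT
    /\bor\b\s+(['"]?)(\w+)\1\s*=\s*\1\2\1/i    # tautology: OR 1=1, OR 'a'='a'
  ].freeze

  @events = []

  def self.events
    @events
  end

  def self.suspicious?(sql)
    SUSPICIOUS.any? { |re| re.match?(sql) }
  end

  def self.log(action, sql)
    @events << [action, sql]
    $stderr.puts "[guard] #{action}: #{sql.inspect}"
  end

  # Wraps the original method: block on a match, otherwise fall through.
  def execute(sql)
    if SqlInjectionGuard.suspicious?(sql)
      SqlInjectionGuard.log(:blocked, sql)
      raise BlockedQueryError, "query blocked by runtime guard"
    end
    super
  end
end

# The hook itself: applied once at load time, no recompilation of the class.
LegacyQueryExecutor.prepend(SqlInjectionGuard)

# Constructed sample input: two benign queries and three tampered ones.
SAMPLE_QUERIES = [
  "SELECT * FROM users WHERE id = 42",
  "SELECT name FROM products WHERE price < 10 OR stock = 0",
  "SELECT * FROM users WHERE name = '' OR '1'='1'",
  "SELECT * FROM users WHERE id = 1; DROP TABLE users",
  "SELECT * FROM users WHERE id = 1 UNION SELECT password FROM admins"
].freeze

# Runs every query through the hooked executor and returns
# [queries that reached the original method, queries the guard blocked].
def run_queries(queries)
  executor = LegacyQueryExecutor.new
  blocked = 0
  queries.each do |q|
    begin
      executor.execute(q)
    rescue SqlInjectionGuard::BlockedQueryError
      blocked += 1
    end
  end
  [executor.executed.size, blocked]
end

if __FILE__ == $PROGRAM_NAME
  allowed, blocked = run_queries(SAMPLE_QUERIES)
  puts "lookup chain: #{LegacyQueryExecutor.ancestors.first(2).inspect}"
  puts "allowed=#{allowed} blocked=#{blocked}"
end
```

The point to check after applying such a hook is the method lookup chain: `LegacyQueryExecutor.ancestors` must list the guard module ahead of the class, otherwise `super` would never be reached from the guard and the original method would run unprotected. The same shape carries over to the Java and .NET cases the talk names (bytecode instrumentation or IL rewriting instead of `prepend`), and the trade-off is the same: a string heuristic like the one above will both miss encodings it does not anticipate and flag legitimate queries, which is why the detection layer, not the hooking mechanism, is where the hard work lies.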


Richard Meester
Software Engineer, Prevoty
Richard's primary focus is developing solutions for XSS/SQLi detection and protection in the .NET framework.

Joe Rozner
Software Engineer, Prevoty
Joe Rozner is a software engineer at Prevoty, where he has built semantic analysis tools, developed new methods to more accurately detect SQL injection and Cross-Site Scripting (XSS), and designed novel integration technology leveraging runtime patching.