
How To Find The Next Great Deserialization CVE

Arshan Dabirsiaghi at AppSec USA 2016

This talk generalizes the recent spate of deserialization attacks, including a brief walkthrough of the speaker's own exploit for a recently disclosed CVE.

It then examines what these deserialization attacks have in common, laying the groundwork for a "how to" guide to finding and exploiting deserialization vulnerabilities.

The talk also explains why traditional appsec defenses (input validation, signature-based detection) are so hard to apply to this class of vulnerability, and covers free and open source options builders can use to protect themselves from such attacks.
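The structural point shared by the attacks above, and the reason post-hoc input validation cannot stop them, is that the deserializer invokes attacker-named classes and callables while reconstructing the stream, before the application ever holds an object it could validate. The following example is added here and is not code from the talk or from Contrast Security; it uses Python's pickle as a stand-in for the Java serialization the 2016 CVEs concerned, because the same ordering problem and the same defense (refusing to resolve any class not on an allowlist, before it is instantiated) apply. The names gadget, Order, EvilPayload, naive_endpoint and hardened_endpoint are constructed for the example, and the "sink" only records its call so the code is safe to run.

```python
import io
import pickle

# Audit log of sink invocations. In a real attack the sink would be
# os.system or subprocess.Popen; here it only records the call, so the
# example is safe to execute. (Constructed for this example.)
SIDE_EFFECTS = []


def gadget(command):
    """Stand-in for a dangerous callable reachable from the stream."""
    SIDE_EFFECTS.append(command)
    return None


class Order:
    """Benign application object the endpoint legitimately expects."""

    def __init__(self, item, quantity):
        self.item = item
        self.quantity = quantity


class EvilPayload:
    """Serializes to 'call gadget(...)' rather than to a data object.

    This is the shape of every deserialization gadget chain: the stream
    names a class or callable, and the deserializer invokes it during
    load, before the application sees a reconstructed object.
    """

    def __reduce__(self):
        return (gadget, ("touch /tmp/pwned",))  # constructed, benign here


def build_malicious_payload():
    return pickle.dumps(EvilPayload())


def build_benign_payload():
    return pickle.dumps(Order("widget", 3))


def validate_order(obj):
    """Post-deserialization 'input validation' on the object's shape."""
    return (isinstance(obj, Order)
            and isinstance(obj.quantity, int)
            and obj.quantity > 0)


def naive_endpoint(payload):
    """Deserialize first, validate second: the common vulnerable pattern.

    Returns (accepted, sink_calls_triggered). Validation does reject the
    malicious payload, but only after the gadget has already executed.
    """
    before = len(SIDE_EFFECTS)
    obj = pickle.loads(payload)
    return validate_order(obj), len(SIDE_EFFECTS) - before


class AllowlistUnpickler(pickle.Unpickler):
    """Look-ahead deserialization: refuse to resolve any class or callable
    that is not explicitly allowlisted, before it can be instantiated."""

    ALLOWED = {(Order.__module__, Order.__qualname__)}

    def find_class(self, module, name):
        if (module, name) not in self.ALLOWED:
            raise pickle.UnpicklingError(f"blocked global {module}.{name}")
        return super().find_class(module, name)


def hardened_endpoint(payload):
    """Deserialize through the allowlist, then validate.

    Returns (accepted, sink_calls_triggered); a blocked stream is rejected
    without any gadget ever being resolved, let alone called.
    """
    before = len(SIDE_EFFECTS)
    try:
        obj = AllowlistUnpickler(io.BytesIO(payload)).load()
    except pickle.UnpicklingError:
        return False, len(SIDE_EFFECTS) - before
    return validate_order(obj), len(SIDE_EFFECTS) - before


if __name__ == "__main__":
    print("naive, benign:      ", naive_endpoint(build_benign_payload()))
    print("naive, malicious:   ", naive_endpoint(build_malicious_payload()))
    print("hardened, benign:   ", hardened_endpoint(build_benign_payload()))
    print("hardened, malicious:", hardened_endpoint(build_malicious_payload()))
```

Two caveats a practitioner should keep in mind. First, the allowlist is only as safe as the classes on it: if an allowlisted type runs arbitrary logic in its own deserialization hook (`__reduce__`/`__setstate__` here, `readObject` in Java), it is itself a gadget, so allowlist only plain data carriers. Second, the Java counterpart of overriding `find_class` is overriding `ObjectInputStream.resolveClass` (or, from Java 9 and the 8u121 backport, installing an `ObjectInputFilter` per JEP 290); scanning the raw stream for known gadget class names is a weaker substitute, since it has to enumerate every chain rather than deny everything not expected.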

Arshan Dabirsiaghi
Chief Scientist, Contrast Security
Arshan is an accomplished security researcher with over 10 years of experience advising large organizations on application security. Prior to Contrast Security, Arshan spent 8 years at Aspect Security in a research role, where he used static and dynamic analysis tooling to perform security assurance work, including code reviews, architecture reviews and penetration testing.