Vulnerabilities that Hide from Your Tools
Offered By: NDC Conferences via YouTube
Course Description
Overview
Explore methodologies for uncovering hidden vulnerabilities in application security during this conference talk from NDC Security 2022. Delve into the limitations of automated tools and learn how to identify vulnerabilities that often escape detection. Discover the differences between static and dynamic analysis, and understand the importance of examining business logic, weak passwords, configuration errors, and potential denial of service attacks. Investigate the risks posed by rogue developers, cryptography disasters, and human factors in security. Learn to spot secrets in unexpected places, handle false negatives, and address sensitive data exposure. Examine insecure APIs, third-party integrations, and the significance of threat modeling. Gain insights into full-circle development practices, preventive measures, and the value of security education. Explore the importance of vetting processes and default configurations in maintaining robust application security.
Syllabus
Introduction
About Jillian
AppSec Tools
Static vs Dynamic Analysis
Business Logic
Weak or reused passwords
Configuration whoopsies
Denial of Service
Rogue Developers
Cryptography Disaster
Humans
Secrets in Strange Places
False Negatives
Sensitive Data Exposure
Insecure APIs
Third-Party Integration
No Naps
Lord Varus Approach
Threat Modeling
Full Circle Development
A Pound of Cure
Education
Default Configurations
Background Checks
Vet the Spies
Questions
Taught by
NDC Conferences
Related Courses
Dynamics of Ocean Structures (Indian Institute of Technology Madras via Swayam)
Secure Software Development: Verification and More Specialized Topics (Linux Foundation via edX)
Operationalizing Cyber Threat Intel: Pivoting & Hunting (Pluralsight)
Autodesk Nastran In-CAD: Dynamic Analysis (LinkedIn Learning)
Developing Secure Software (LinkedIn Learning)