AppSecCali 2019 - Pose a Threat: How Perceptual Analysis Helps Bug Hunters


Every picture I take, I pose a threat. By picture, I mean screenshot. By threat I mean attacker. What if there was a way to find more exposures without exactly knowing what we're looking for? OWASP DirBuster had the right idea but was missing the power of perceptual analysis.

This talk is full of dirty tricks to optimize the hunt for security exposures. Unlimited storage, scalable serverless infrastructure, and machine learning powered by collaborative filtering will enable us to usher in a new age of visibility into our attack surface. Around the world, bug hunters are leveraging OSINT techniques (e.g. using OWASP Amass) to find security vulnerabilities for organizations. However, they need better ways to perform analysis at scale. Traditional scanners require in-depth knowledge of each issue in order to write a signature. All we need with this new approach is a target, a path, and as output we will get potential exposures. Do this properly at scale and you have effectively taken what would be millions of results to review and filtered it to thousands of likely vulnerable candidates.

Come watch the revolution unfold with new ways to:
* Distribute requests to targets and paths using scalable serverless infrastructure
* Screenshot results with unlimited storage and organize them by visual similarity
* Automate identification of more exposures more quickly using collaborative filtering
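
The "organize them by visual similarity" step above, as an added example that is not code from the talk or from Bishop Fox's tooling: a minimal difference-hash (dHash) computed over small grayscale "screenshots" that are constructed inline, then grouped by Hamming distance so near-identical pages land in one bucket for review. The image patterns, the 10-bit threshold and all function names are assumptions made for illustration; a real pipeline would feed it decoded screenshot pixels instead.

```python
"""Perceptual grouping of screenshots with dHash (added example, not the talk's code).

Images are plain 2-D lists of 0-255 grayscale values so the example runs offline;
the three sample "pages" below are constructed for illustration only.
"""
from typing import Callable, Dict, List

HASH_W, HASH_H = 9, 8  # 9 columns give 8 horizontal neighbour pairs per row -> 64 bits


def shrink(img: List[List[int]], w: int = HASH_W, h: int = HASH_H) -> List[List[int]]:
    """Downscale to a w x h grid by averaging the source pixels in each cell."""
    src_h, src_w = len(img), len(img[0])
    out = []
    for y in range(h):
        y0 = y * src_h // h
        y1 = max((y + 1) * src_h // h, y0 + 1)
        row = []
        for x in range(w):
            x0 = x * src_w // w
            x1 = max((x + 1) * src_w // w, x0 + 1)
            block = [img[yy][xx] for yy in range(y0, y1) for xx in range(x0, x1)]
            row.append(sum(block) // len(block))
        out.append(row)
    return out


def dhash(img: List[List[int]]) -> int:
    """64-bit dHash: each bit records whether a cell is darker than its right neighbour.
    Only relative brightness matters, so global colour/brightness shifts do not change it."""
    bits = 0
    for row in shrink(img):
        for x in range(HASH_W - 1):
            bits = (bits << 1) | (1 if row[x] < row[x + 1] else 0)
    return bits


def hamming(a: int, b: int) -> int:
    """Number of differing bits between two hashes; small distance = visually similar."""
    return bin(a ^ b).count("1")


def cluster(hashes: Dict[str, int], max_distance: int = 10) -> List[List[str]]:
    """Greedy grouping: a screenshot joins the first cluster whose representative
    hash is within max_distance bits, otherwise it starts a new cluster."""
    clusters: List[List[str]] = []
    reps: List[int] = []
    for name, h in hashes.items():
        for i, rep in enumerate(reps):
            if hamming(h, rep) <= max_distance:
                clusters[i].append(name)
                break
        else:
            clusters.append([name])
            reps.append(h)
    return clusters


# --- constructed sample screenshots (64x64 grayscale), assumptions for illustration ---
def make_image(pattern: Callable[[int, int], int], size: int = 64) -> List[List[int]]:
    return [[pattern(x, y) for x in range(size)] for y in range(size)]


def login(x: int, y: int) -> int:
    """A 'login page': dark header band on top and a form box in the middle."""
    if y < 12:
        return 40
    if 20 <= x < 44 and 28 <= y < 40:
        return 90
    return 230


def login_with_banner(x: int, y: int) -> int:
    """Same login page with a small extra notice in the bottom-right corner."""
    if y >= 56 and 48 <= x < 56:
        return 120
    return login(x, y)


def listing(x: int, y: int) -> int:
    """A 'directory listing': rows of text-like dark stripes on the left."""
    return 60 if (y // 4) % 2 == 0 and x < 50 else 240


def group_screenshots() -> List[List[str]]:
    """Hash the three constructed pages and group them by visual similarity."""
    pages = {
        "login": make_image(login),
        "login_banner": make_image(login_with_banner),
        "listing": make_image(listing),
    }
    hashes = {name: dhash(img) for name, img in pages.items()}
    for name, h in hashes.items():
        print(f"{name:13s} dhash={h:016x}")
    return cluster(hashes)


if __name__ == "__main__":
    print(group_screenshots())  # the two login variants group together, the listing does not
```

The threshold is the knob a reviewer tunes: too low and every cosmetic variant of the same page becomes its own bucket, too high and unrelated pages merge. Because dHash only compares neighbouring cells, the extra banner moves a single bit while the listing differs in 15 or more, which is the separation the grouping relies on.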

Focus these techniques on identifying RCEs and you now have a formidable weapon. In conclusion, this approach can be used for a variety of analysis use cases. Penetration testers, bug bounty hunters, SOC analysts, threat researchers, and vulnerability scan jockeys will all benefit from this next-generation approach.

Speakers

Rob Ragan
Partner, Bishop Fox
Rob Ragan is a Partner at Bishop Fox, a security consulting firm providing services to the Fortune 500, global financial institutions, and high-tech startups. Rob focuses on client solutions and relationships. He also oversees red teaming and continuous security automation development.

Oscar "One Line Man" Salazar
Managing Security Associate, Bishop Fox
Oscar Salazar is a Principal at Bishop Fox, a security consulting firm providing services to the Fortune 500, global financial institutions, and high-tech startups. In this role, he focuses on continuous security assessment, red teaming, application penetration testing, source code.

-

Managed by the official OWASP Media Project https://www.owasp.org/index.php/OWASP...

Reviewed by Anonymous on March 19, 2019. Rating: 5