Tuesday, January 24 • 3:30pm - 4:20pm
A Hybrid Approach for Web App Penetration Testing

Sign up or log in to save this to your schedule, view media, leave feedback and see who's attending!

According to Symantec Internet Security Threat Report 2016, 78% of scanned websites have vulnerabilities, of which one in seven is deemed critical. After spending years working as a web app penetration tester across both the private and public sector, it quickly became apparent that relying exclusively on automated scanning tools was not sufficient. In order to accurately demonstrate what an adversary would be capable of, we needed to develop a new way of assessing web applications, which combines both automated tools and more importantly, manual testing.

In the Cyber Security world, one may be inclined to believe that automated scanners are superior at vulnerability discovery; however, humans are actually much better at accurately identifying vulnerabilities. It has been our observation that nearly half of the vulnerabilities identified in our security assessments were not detected by vulnerability scanners, but rather identified through manual testing. As many organizations rely heavily on vulnerability scanners to discover vulnerabilities, it’s important to not gain a false sense of security based on scanner results alone as scanners often overlook logical errors.

This presentation will capture a new methodology that aims at taking a hybrid approach to web app penetration testing by integrating both automated and manual testing together. We will cover the use of interception proxies for manual testing as well as IDS/IPS evasion techniques. Lastly, we will close the talk with a live demo which demonstrates the necessity for a hybrid approach to web app penetration testing.

avatar for David Caissy

David Caissy

Penetration Tester, Bank of Canada
David Caissy is a web application penetration tester with in-depth developer and IT Security background spanning over 17 years. He has extensive experience in conducting vulnerability assessments and penetration tests as well as providing training globally, amongst numerous other... Read More →

Tuesday January 24, 2017 3:30pm - 4:20pm PST
Marion Davies Guest House