
Hidden Vulnerabilities in “Secure” Code and Why You Need SAST | Roman Bohuk

  • Antisyphon Training
  • 2024-12-10
  • 258

Video description

00:00 - Welcome!
00:11 - Writing code for CTFs (secure and intentionally insecure)
00:43 - Agenda
00:57 - Example: vulnerable Node.js application
02:12 - Example: PHP
03:25 - Example: Python
04:54 - Example: C
06:25 - Example: PHP password strcmp
09:06 - Example: Python YAML configuration
10:19 - Why secure coding is hard
11:35 - Solutions?
12:49 - Why use SAST?
13:48 - Static Application Security Testing (SAST)
14:16 - Software Composition Analysis/Static Code Analysis/Source Code Analysis (SCA)
14:59 - Dynamic Application Security Testing (DAST)
15:54 - Interactive Application Security Testing (IAST)
16:20 - How does SAST work?
19:17 - Types of findings
19:46 - SAST Strengths
20:32 - SAST Weaknesses
21:43 - Picking the right tool
23:08 - Q: Sources other than OWASP for SAST tools? Snyk
24:24 - Q: How to encourage implementation of OWASP guidelines?
24:37 - A: Organization culture, training
25:36 - Q: Same evaluation for DAST and IAST?
A: Possibly. More familiar with SAST
26:19 - Q: Any plans to create MetaCTF Secure Code Challenges?
A: There are some challenges where you can see the code; in the future, it may be possible to alter code.
27:12 - Q: How to build a comprehensive SBOM?
A: Commercial SAST tool should have SBOM built in.
27:51 - Q: How to achieve your level of expertise?
28:13 - A: Just seem like I know a lot because I’m comfortable with the topic.
28:39 - Countering imposter syndrome - follow your passion
30:38 - Q: AI applications to your field?
A: Yes, as an assist. Many SAST tools use AI on the back end.
31:45 - Free challenges on MetaCTF website, upcoming CTFs, Shmoocon ticket contest


