Thursday
Room 4
15:00 - 16:00
(UTC+01)
Talk (60 min)
No Size Fits All: Empowering Engineers with Custom Application Security tests
The best solutions to our software security requirements and challenges are specific to our use case, self-service, and don't impede development velocity.
We all use generic tools such as SAST and DAST, but they miss security issues that are unique to our business logic, don't recognize our custom security mechanisms, and can miss vulnerabilities when the exploitation flow is too complex.
Is it possible to have a security solution that is both tailored to our application and doesn’t require enormous effort?
(If the answer was no that would be a pretty short and boring talk!)
In this session we'll see how, with simple syntax and just a few lines of rule code, we can create custom security tests that achieve our goals of being specific and efficient.
The customization approach offers a precise solution by placing control in the engineer’s hands. It empowers them to:
1. Focus on app-specific vulnerabilities: craft custom security rules designed for the application's unique architecture and functionality. For instance, look for issues that stem from the application's business logic, such as flows involving payment or booking.
2. Verify custom security mechanisms: when the application needs its own sanitization or authorization flows, custom rules can verify that they are implemented consistently across the app.
3. Find generic but hard-to-discover vulnerabilities: generic scanning tools sometimes miss vulnerabilities that are generic yet complex, for instance a multi-step SSRF flow or a check that keys are rotated. With customized tests we can check for the issues that generic tools miss.
Most importantly, by integrating these scans into the CI/CD process we get continuous verification and regression testing of the issues above: a one-time effort that keeps them checked on an ongoing basis.
The demonstrations in this talk will use the simple rule syntax of two free, open-source tools: Semgrep and Nuclei.
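As an added illustration of point 2 above (this is not code from the talk), here is a Semgrep rule in its taint-mode syntax that verifies a hypothetical application's own HTML sanitizer, `clean_html()`, is applied to request input before it reaches a hypothetical raw-rendering helper, `render_raw_html()`; the rule id, both function names and the sample lines in the comments are constructed for this example.

```yaml
rules:
  # Hypothetical rule id; the function names below are constructed for the example.
  - id: custom-sanitizer-missing-before-raw-html
    mode: taint
    languages: [python]
    severity: ERROR
    message: >-
      Request input reaches render_raw_html() without passing through
      clean_html(), the application's own HTML sanitizer. Wrap the value
      in clean_html() before rendering it.
    # Where untrusted data enters: query-string and form parameters in Flask.
    pattern-sources:
      - pattern: flask.request.args.get(...)
      - pattern: flask.request.form.get(...)
    # The app's custom mechanism: data that flows through it is considered clean.
    pattern-sanitizers:
      - pattern: clean_html(...)
    # The dangerous call: only the rendered argument is the sink, not the call itself.
    pattern-sinks:
      - patterns:
          - pattern: render_raw_html($ARG, ...)
          - focus-metavariable: $ARG

# Constructed sample (views.py) the rule is meant to run against:
#   from flask import request
#   name = request.args.get("name")
#   render_raw_html(name)                # finding: sanitizer missing
#   render_raw_html(clean_html(name))    # no finding: sanitized first
```

Running `semgrep --config <rules-dir> --error` in the CI job makes the pipeline fail on any finding, which is what turns the rule into a regression test.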
Through hands-on examples and practical demonstrations, we will illustrate how these tools put control back into the hands of security experts, enabling us to enhance application security effectively and efficiently.
This talk caters to anyone involved in application security, including software engineers, and provides insights into the advantages of taking a customized approach to addressing application security challenges.