Thursday 

Room 4 

15:00 - 16:00 

(UTC+01)

Talk (60 min)

No Size Fits All: Empowering Engineers with Custom Application Security Tests

The best software security solutions to our security requirements and challenges are specific to our use case, self-service and don't impede development velocity.

Application Security
SDLC
Security Tooling
Testing

We all use generic tools such as SAST and DAST, but they miss out on security issues that are unique to our business logic, don’t recognize our custom security mechanisms, and might miss vulnerabilities if the exploitation flow is too complex.

Is it possible to have a security solution that is both tailored to our application and doesn’t require enormous effort?

(If the answer was no that would be a pretty short and boring talk!)

In this session we’ll see how with simple syntax and just a few lines of rule code we can create custom security tests that achieve our goals of being specific and efficient.

The customization approach offers a precise solution by placing control in the engineer’s hands. It empowers them to:

1. Focus on App-Specific Vulnerabilities: Crafting custom security rules specifically designed for the application's unique architecture and functionalities. For instance, looking for unique issues that stem from the application’s business logic, such as flows involving payment or booking.
2. Verify custom security mechanisms: When unique sanitization or authorization flows are needed in the application, and we want to verify their implementation across the app.
3. Find generic, but hard to discover, vulnerabilities: Sometimes generic scanning tools miss complex vulnerabilities even when the vulnerability class itself is generic. For instance, a complex SSRF flow, or a verification of key rotation. With customized tests we can check for those issues that generic tools might miss.

Most importantly, we can take care of continuous verification and regression testing of the issues mentioned above by integrating those scans into the CI/CD process, so they’ll be checked on an ongoing basis with a simple one-time effort.

The demonstrations in this talk will utilize the simple rule syntax provided by the free, open-source tools Semgrep and Nuclei.
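As an added illustration of points 1 and 2 above (this is example rule code written for this page, not the speaker's demo material), here is a Semgrep rule that verifies a custom authorization mechanism across an application. It assumes a Flask-style codebase with two hypothetical helpers, `require_payment_authz()` (the application's own authorization check) and `charge_customer()` (the sensitive operation); both names are assumptions for the example, not real library functions. The rule reports any view routed under `/payments` that charges a customer without first calling the authorization helper.

```yaml
# Constructed target code this rule is written against (Flask-style):
#
#   @app.route("/payments/charge", methods=["POST"])
#   def charge():                                    # flagged: no authz check
#       charge_customer(request.json)
#
#   @app.route("/payments/refund", methods=["POST"])
#   def refund():                                    # not flagged
#       require_payment_authz(request.user, "refund")
#       charge_customer(request.json, negative=True)
#
rules:
  - id: payment-handler-missing-custom-authz
    languages: [python]
    severity: ERROR
    message: >
      Payment handler $FUNC charges the customer without first calling
      require_payment_authz(); every /payments route must go through the
      application's custom authorization check.
    metadata:
      category: security
    patterns:
      # Restrict the search to Flask view functions routed under /payments.
      # require_payment_authz and charge_customer are hypothetical helper
      # names chosen for this example.
      - pattern-inside: |
          @app.route($PATH, ...)
          def $FUNC(...):
            ...
      - metavariable-regex:
          metavariable: $PATH
          regex: ^"?/payments/.*
      # The sensitive operation we want guarded.
      - pattern: charge_customer(...)
      # ...unless the custom authorization helper was already called earlier
      # in the same function body.
      - pattern-not-inside: |
          require_payment_authz(...)
          ...
```

Run it with `semgrep --config payment-authz.yaml --error src/`; the `--error` flag makes Semgrep exit non-zero when there are findings, which is what turns the rule into a CI/CD regression gate for the application's own authorization flow rather than a one-off audit.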

Through hands-on examples and practical demonstrations, we will illustrate how these tools put control back into the hands of security experts, enabling us to enhance application security effectively and efficiently.

This talk caters to anyone involved in application security, including software engineers, and provides insights into the advantages of taking a customized approach to addressing application security challenges.

Michal Kamensky

Michal is a security researcher at Bounce Security - a boutique security consultancy where she works on projects to help clients build software securely from the start. She particularly enjoys diving into a new domain and learning it inside out as well as sharing her knowledge with the community.
In her spare time, she is a student of computer science and math, volunteers at the Hackeriot initiative, enjoys playing chess and following artistic and rhythmic gymnastics, and is the lucky human of a ginger tabby cat named Unix.