12-13 October 2023 | Houston

PRESENTATION: Scanning is easy, crawling is the hard part | October 12, 2023 at 3:00 PM-3:45 PM CT

Innovations in web development technologies and designs have revolutionised the digital landscape, enhancing user experiences but also introducing complex hurdles in application security testing, particularly in the area of application crawling.

In this session, we dissect the multilayered challenges and potential solutions in application crawling across a broad spectrum.

We commence by revisiting the foundations of dynamic application security testing (DAST) within the context of traditional web applications. We focus on crawling and why I believe this is where the real innovation is happening as we move away from traditional client/server models towards more of a discover/crawl model.

Traversing the evolution of web applications, we will highlight the transition to APIs and SPAs, emphasizing the compounding complexities these technologies introduce, from handling multi-step transactions and maintaining application state, to interpreting various API styles and dealing with client-side rendered content.

Crucial to this discussion is the intricacy of crawling while authenticated in order to cast the widest net. After all, most of the juicy parts of the internet are locked behind an identity check. We’ll delve into the difficulties of maintaining session state, bypassing CSRF protections, and dealing with multi-factor authentication, while triaging and analysing real-world use cases of mistakes I’ve made and the solutions implemented.

Moving forward, we chart the potential role of artificial intelligence (AI) in navigating these complexities, leveraging AI for sophisticated browser-based crawling in SPAs and for predicting likely API endpoints. We’ll explore how AI can not only improve the efficiency of application crawling but also learn and adapt to evolving web technologies and security challenges.

Speaker: David Kennefick, Global Engineering Principal | Edgescan

David started his career in AML for an Irish bank and then as a developer of accessibility tools for dyslexic and low-vision users. He has had a core focus on technology security since 2012. He has led hundreds and contributed to thousands of security engagements, ranging from red team exercises (penetration testing, DDoS testing, phishing) to blue team exercises (architecture and hardening reviews, app-sec process design, incident triage, forensics). His core focus nowadays is pushing the envelope in Application & API testing, with a passion for making security technologies that are accessible to all users. David lives in downtown Dublin City with his partner and 3 cats.