11:30 – 11:45 Lunch and good of the order
11:45 – 12:00 OWASP News and notes
12:00 – 1:00 Featured presentation: Building Effective Language Parsers for Penetration Testers with John Toterhi.
Today’s static code analyzers cater heavily to development teams. They place a high emphasis on code quality, stylistic patterns, and minimizing cognitive complexity. While many of these solutions are exceptional at aiding in the reduction of technical debt – bugs and critical vulnerabilities continue to find their way into deployed systems.
In this talk, we’ll discuss a process for creating scriptable language parsers geared towards web app penetration testers. This class of parser aims to reduce the amount of time pen testers spend on mundane and repetitive triage so they can focus on complex, difficult-to-find bugs and vulnerabilities. You’ll learn how to effectively parse formal languages, how to deal with ambiguity, and why parsing code with regular expressions is like bringing a knife to a gun fight.
John is a security researcher focusing on building automated vulnerability discovery tools for a variety of applications and missions. He organizes and develops content for the Columbus-based Cyber Offensive / Defensive Engineering (CO/DE) group – developing free and inclusive advanced cybersecurity workshops for individuals and teams looking to build and strengthen their skill sets.
John currently works with the Cyber Physical Systems group at Systems & Technology Research (STR) and previously worked with Finite State, Battelle’s Mission Focused Tools Team and the National Air and Space Intelligence Center (NASIC) Malware Analysis Flight.