Scaling-up and Automating Web Application Security Tech Talk

Jun 27, 20172 likes2,003 views

These are the slides for the Tech Talk that Netsparker's CEO Ferruh Mavituna delivered at Infosecurity Europe in London. During the presentation, Ferruh first talks about the three stages of the vulnerability detection process: Discovery Identify Automate Then he explained the pre-scan and post-scan challenges of automating the vulnerability detection process, such as; configuring authenticated scans, URL Rewrites, manually verifying false positives and much more. Ferruh also explains how today’s technology allows us to overcome most of these challenges and as he says Automate what can be automated. You can watch the presentation here: https://www.netsparker.com/blog/web-security/infosecurity-europe-tech-talk-automating-web-security/

Ferruh Mavituna, CEO
Scaling-Up &
Automating Web
Application Security
Netsparker

Scaling-Up and Automating Web Application Security
Discover

Scaling-Up and Automating Web Application Security
• Public Websites
• Mission Critical
• Temporary (i.e. short-term marketing websites)
• Managed by 3rd party
• Internal Websites
• Mission Critical
• Developed in house
• Developed by a 3rd party
• Hardware Management Interfaces
• Staging Websites
• Actively Developed
• 3rd party & will be deployed
Discover & Prioritize

Scaling-Up and Automating Web Application Security
• Process
• Internal asset management
• Introducing a process & policy
• Automated Discovery
• Effectively smart “port scanning”
Discover & Prioritize

Scaling-Up and Automating Web Application Security
Identify

Scaling-Up and Automating Web Application Security
• Configuration Issues
• TLS, Web Server, Unnecessary features…
• Known Vulnerabilities and Out-of-date Dependencies
• Known vulnerabilities in known applications and dependencies
• Out-of-date JS libraries, modules, dependencies, frameworks…
• Unknown Vulnerabilities (zero-days)
• SQL Injection, CSRF, XSS, LFI, RFI and similar vulnerabilities that are not known yet
• Lack of Security Best Practice and Proactive Measures
• CSP, HSTS, Information Disclosure, Insecure Endpoints, Leaking data to 3rd party resources
etc.
Identify Vulnerabilities

Scaling-Up and Automating Web Application Security
Automate

Scaling-Up and Automating Web Application Security
• Automation excels at
• Scaling
• Being consistent
• Enforcing checks
• Finding majority of vulnerabilities
• Eliminating human-errors on repeated checks
• Limitations of automation
• Logical issues
• Extremely design specific & platform specific issues
• Discovering all the flows & processes in websites
Automation

Scaling-Up and Automating Web Application Security
“Automate what can
be automated”

Scaling-Up and Automating Web Application Security
Automation
Challenges

Scaling-Up and Automating Web Application Security
• Authenticated Scans
• URL Rewrite
• Custom 404 Pages
• Form Values
Pre-scan Challenges

Scaling-Up and Automating Web Application Security
• False Positive
• Correlating Results
• Hot-patching vulnerabilities in WAF level
Post-scan Challenges

Scaling-Up and Automating Web Application Security
• How many of the identified vulnerabilities are real?
• What’s the real risk?
• How long would it take to review all vulnerabilities to see which are
False Positives?
• What kind of technical expertise do you need to accomplish this?
10,000 Issues have been identified, Now what?

Scaling-Up and Automating Web Application Security
“Automation without
accuracy cannot scale”

Scaling-Up and Automating Web Application Security
• How is it done manually?
• Can it be automated?
Elimination of False Positives

Scaling-Up and Automating Web Application Security
“If it’s exploitable it
cannot be a false
positive”

Scaling-Up and Automating Web Application Security
• Securing thousands of web applications is possible
• Automate what can be automated
• Use the right tools for the job
• Understand what automation can and cannot do
• Plan for the long term
• Challenge the norm
Conclusion

These slides were prepared by Ziyahan Albeniz for the presentation "Make CSRF Great Again" which he delivered at the NOPcon on the 11th of May 2017. In this presentation Netsparker's security reseacher Ziyahan explains all the technical details and the ins & outs of the CSRF attack. During the presentation Ziyahan also uses two real live CSRF issues, one in Yandex browser and one in Grammarly online service, which he discovered as an example. The video of the full presentation in Turkish is available here: https://www.youtube.com/watch?v=5bDbZ7_mjng

Secure PHP CodingNarudom Roongsiriwong, CISSP

Owasp security testing methodlogies –part2robin_bene

The document discusses testing identity management and authentication in web applications. It provides examples of test cases to evaluate user registration, enumeration, provisioning, roles and permissions. Tests are suggested to check if strong password policies are enforced, credentials are securely transmitted, and common authentication vulnerabilities like default credentials or bypassing authentication mechanisms can be exploited. The document demonstrates how tools like Burp Suite and Wireshark can aid in manual testing of identity and authentication features.

Secure code practicesHina Rawal

OWASP Top Ten 2017Michael Furman

The document discusses the OWASP Top Ten project, which identifies the 10 most critical web application security risks. It provides an overview of OWASP, describes the Top 10 risks from 2013 and 2017, and explains changes between the two versions. For each risk, it gives a brief example and recommendations for prevention. The key topics covered are injection, broken authentication, sensitive data exposure, XML external entities, broken access control, security misconfiguration, cross-site scripting, insecure deserialization, use of vulnerable components, and insufficient logging/monitoring.

OISC 2019 - The OWASP Top 10 & AppSec PrimerThreatReel Podcast

Technology First 16th Annual Ohio Information Security Conference OISC 2019 #OISC19 The OWASP Top 10 & AppSec Primer By Matt Scheurer (@c3rkah) Dayton, Ohio Date: 03/13/2019 Abstract: Are you testing the security of your web applications, web sites, and web servers? The malicious threat actors on the Internet almost certainly are. We will cover AppSec along with a brief review of the 2017 OWASP Top 10 List. The focus of the presentation is how to get started with AppSec and where to continue learning more. Accompanying the presentation are live demos of Nikto and the OWASP Zed Attack Proxy (ZAP). Bio: Matt Scheurer serves as Chair of the Cincinnati Networking Professionals Association Security Special Interest Group (CiNPA Security SIG) and works as a Systems Security Engineer in the Financial Services industry. He holds a CompTIA Security+ Certification and possesses multiple Microsoft Certifications including MCP, MCPS, MCTS, MCSA, and MCITP. He has presented on numerous Information Security topics as a featured speaker at many local area technology groups and large Information Security conferences all over the Ohio, Indiana, and Kentucky Tri-State. Matt maintains active memberships in a number of professional organizations including the Association for Computing Machinery (ACM), Cincinnati Networking Professionals Association (CiNPA), Financial Services - Information Sharing and Analysis Center (FS-ISAC), and Information Systems Security Association (ISSA).

Web Application Security with PHPjikbal

Same-origin Policy (SOP)Netsparker

The document discusses various techniques for circumventing the same-origin policy (SOP) in web browsers, which aims to isolate documents retrieved from different origins for security reasons. It provides an overview of SOP and defines what constitutes the same origin. It then examines several methods for enabling cross-origin communication, such as JSONP, CORS headers, modifying the document.domain property in JavaScript, and using the postMessage API, noting security risks with improperly implementing these techniques. Code examples are provided to demonstrate JSONP and postMessage.

Application Security ToolsLalit Kale

This presentation is part of one of talk, I gave in Microsoft .NET Bootcamp. The contents are slightly edited to share the information in public domain. In this presentation, I tried to cover Application Security Tools that can be helpful for analyzing security threats as well as putting up some defense . This presentation will be useful for software architects/Managers,developers and QAs. Do share your feedback in comments.

Web Security AttacksSajid Hasan

Web application security is the process of securing confidential data stored online from unauthorized access and modification. This is accomplished by enforcing stringent policy measures. A web threat is any threat that uses the World Wide Web to facilitate cybercrime. Web threats use multiple types of malware and fraud, all of which utilize HTTP or HTTPS protocols, but may also employ other protocols and components, such as links in email or IM, or malware attachments or on servers that access the Web.

Presentation on Web AttacksVivek Sinha Anurag

Api security-testingn|u - The Open Security Community

1) The document provides guidance on testing APIs for security weaknesses, including enumerating the attack surface, common tools to use, what to test for (e.g. authentication, authorization, injections), and demo apps to practice on. 2) It recommends testing authentication and authorization mechanisms like tokens, injections attacks on state-changing requests, and how data is consumed client-side. 3) The document also discusses testing for denial of service conditions, data smuggling through middleware, API rate limiting, and cross-origin requests.

OWASP TOP 10Robert MacLean

The OWASP top 10 is a list of the most prolific security issues facing web developers today. In this talk, Robert, will take you through all 10 and demonstrate the problems (we will hack for real… in a safe way) and talk about the solutions. This is an introductory talk, so no prior experience is needed in web dev or security. Not doing web dev? Many of these apply to all development! So join in for a lively session of demos, learning and fun Video of this talk: https://www.youtube.com/watch?v=p5YCHNnQNyg

Security Testing - Zap ItManjyot Singh

This document introduces security testing using OWASP ZAP (Zed Attack Proxy). It discusses the OWASP Top 10 security risks including injection, XSS, command injection, brute force attacks, insecure direct object references, and CSRF. It demonstrates how ZAP can be used to test for these vulnerabilities on a sample application. Prevention techniques are also provided for each risk, such as parameterized queries, output encoding, access control, account lockouts, and CSRF tokens.

Learn to pen-test with OWASP ZAPPaul Ionescu

Bypassing Web Application Firewalls and other security filtersNetsparker

These slides were used for the live demo, Netsparker's security researcher Sven Morgenroth gave during episode 526 of Paul's Security Weekly. During the live demo Sven shows how to bypass web application firewalls and highlight the importance of fixing vulnerabilities in web applications, regardless of how many layers of security you have protecting your web application. Watch the live demo at the following URL: https://www.netsparker.com/blog/web-security/live-demo-web-application-firewall-bypass/

[Wroclaw #6] Introduction to desktop browser add-onsOWASP

This document discusses browser add-ons such as themes and extensions, the moderation process for extensions, and common vulnerabilities in extensions. The moderation process involves checking metadata, acceptance criteria like functionality and permissions, and static code review. Vulnerabilities discussed include using external scripts, eval() to parse JSON, untrusted data in event handlers, innerHTML, and bugs in third party libraries. The document provides good practices for developers to avoid these vulnerabilities.

Secure Coding 101 - OWASP University of Ottawa WorkshopPaul Ionescu

Technical Architecture of RASP TechnologyPriyanka Aash

Penetration testing web application web application (in) securityNahidul Kibria

Owasp top 10 2017ibrahimumer2

The OWASP Top 10 is a list published by OWASP that contains the ten most critical security vulnerabilities that threaten web applications. The document discusses the top 10 vulnerabilities including injection, broken authentication, sensitive data exposure, XML external entities, broken access control, security misconfiguration, cross-site scripting, insecure deserialization, using components with known vulnerabilities, and insufficient logging and monitoring. Prevention methods are provided for each vulnerability.

Platform Security IRL: Busting Buzzwords & Building BetterEqual Experts

Practical tips and heroic war stories on how to secure a large, modern, fast software delivery platform. From building a team to building cool stuff, dealing with organisational setups to dealing with security incidents. Zero Buzzwords Guaranteed. Chris Rutter has spent the last few years obsessed with making security, engineering and the business work together. Starting his career as an engineer, he uses a deep understanding of Agile, Devops, and product delivery to solve security problems in a way that enables teams, rather than hitting them with bricks.

Outpost24 webinar - Demystifying Web Application Security with Attack Surface...Outpost24

Web attackshusnara mohammad

This document discusses techniques for reconnaissance, vulnerabilities, and attacks related to cybersecurity. Reconnaissance techniques covered include war dialing, war driving, port scanning, probing, and packet sniffing. Vulnerabilities explored are backdoors, code exploits, eavesdropping, indirect attacks, and social engineering. Attacks analyzed involve password cracking, web attacks, physical attacks, worms/viruses, logic bombs, buffer overflows, phishing, bots/zombies, spyware/malware, hardware keyloggers, eavesdropping/playback, and DDoS. Each topic provides details on method, motivation, detection, and defense.

OWASP Secure Codingbilcorry

Good Secure Development Practices Presented By: Bil Corry lasso.pro Education Project. It recommends validating all user input, distrusting even your own requests, and taking a layered approach to validation, enforcement of business rules, and authentication. Some specific best practices include implementing positive authentication, principle of least privilege, centralized authorization routines, separating admin and user access, and ensuring error handling fails safely.

Rapid Android Application Security TestingNutan Kumar Panda

Application security in a hurry webinarkdinerman

mastering_web_testing_how_to_make_the_most_of_frameworks.pdfsarah david

More Related Content

What's hot (20)

Web Application Security with PHPjikbal

Same-origin Policy (SOP)Netsparker

Application Security ToolsLalit Kale

Web Security AttacksSajid Hasan

Presentation on Web AttacksVivek Sinha Anurag

Api security-testingn|u - The Open Security Community

OWASP TOP 10Robert MacLean

Security Testing - Zap ItManjyot Singh

Learn to pen-test with OWASP ZAPPaul Ionescu

Bypassing Web Application Firewalls and other security filtersNetsparker

[Wroclaw #6] Introduction to desktop browser add-onsOWASP

Secure Coding 101 - OWASP University of Ottawa WorkshopPaul Ionescu

Technical Architecture of RASP TechnologyPriyanka Aash

Penetration testing web application web application (in) securityNahidul Kibria

Owasp top 10 2017ibrahimumer2

Platform Security IRL: Busting Buzzwords & Building BetterEqual Experts

Outpost24 webinar - Demystifying Web Application Security with Attack Surface...Outpost24

Web attackshusnara mohammad

OWASP Secure Codingbilcorry

Rapid Android Application Security TestingNutan Kumar Panda

Web Application Security with PHPjikbal

Same-origin Policy (SOP)Netsparker

Application Security ToolsLalit Kale

Web Security AttacksSajid Hasan

Presentation on Web AttacksVivek Sinha Anurag

Api security-testingn|u - The Open Security Community

OWASP TOP 10Robert MacLean

Security Testing - Zap ItManjyot Singh

Learn to pen-test with OWASP ZAPPaul Ionescu

Bypassing Web Application Firewalls and other security filtersNetsparker

[Wroclaw #6] Introduction to desktop browser add-onsOWASP

Secure Coding 101 - OWASP University of Ottawa WorkshopPaul Ionescu

Technical Architecture of RASP TechnologyPriyanka Aash

Penetration testing web application web application (in) securityNahidul Kibria

Owasp top 10 2017ibrahimumer2

Platform Security IRL: Busting Buzzwords & Building BetterEqual Experts

Outpost24 webinar - Demystifying Web Application Security with Attack Surface...Outpost24

Web attackshusnara mohammad

OWASP Secure Codingbilcorry

Rapid Android Application Security TestingNutan Kumar Panda

Similar to Scaling-up and Automating Web Application Security Tech Talk (20)

Application security in a hurry webinarkdinerman

mastering_web_testing_how_to_make_the_most_of_frameworks.pdfsarah david

mastering_web_testing_how_to_make_the_most_of_frameworks.pptxsarah david

Top 6 Web Application Security Best Practices.pdfSolviosTechnology

Web Application Penetration Testing Course in 2025.pdfdaksh908982

Web Application Security - Everything You Should KnowNarola Infotech

The Complete Web Application Security Testing ChecklistCigital

Did you know that the web is the most common target for application-level attacks? That being said, if you have ever been tasked with securing a web application for one reason or another, then you know it’s not a simple feat to accomplish. When securing your applications, it’s critical to take a strategic approach. This web application security testing checklist guides you through the testing process, captures key testing elements, and prevents testing oversights. Tailor your approach and ensure that your testing strategy is as effective, efficient, and timely as possible with these six steps:

Web App Security: Top Threats and How to Protect Your App.pdfNathan Smith

This guide provides a concise overview of the most common security threats facing modern web applications, including SQL injection, cross-site scripting (XSS), and authentication vulnerabilities. It also outlines practical strategies and best practices to mitigate these risks, helping developers and organizations build more secure, resilient apps. Ideal for professionals seeking to strengthen their cybersecurity posture, this PDF offers clear, actionable insights to safeguard web applications in an increasingly hostile digital environment.

AppTrana SECaaS (Security as a Service)IndusfacePvtLtd

7 measures to overcome cyber attacks of web applicationTestingXperts

In recent years, the cyber-attacks have become rampant across computer systems, networks, websites and have been most widely attacking enterprises’ core business web applications, causing shock waves across the IT world.It is critical to follow a cyber-security incident response plan and risk management plan to overcome cyber threats and vulnerabilities. Evidently, CXOs need to leverage web application security testing and penetration testing to overcome the possible attacks on their business applications and systems

Essentials of Web Application Security: what it is, why it matters and how to...Cenzic

Application Security - Your Success Depends on itWSO2

Traditional information security mainly revolves around network and operating system (OS) level protection. Regardless of the level of security guarding those aspects, the system can be penetrated and the entire deployment can be brought down if your application's security isn't taken into serious consideration. Information security should ideally start at the application level, before network and OS level security is ensured. To achieve this, security needs to be integrated into the application at the software development phase. In this session, Dulanja will discuss the following: The importance of application security - why network and OS security is insufficient. Challenges in securing your application. Making security part of the development lifecycle.

FireHost Webinar: Protect Your Application With Intelligent SecurityArmor

Application security in a hurry webinarkdinerman

PWAs For Finance Guide_ How To Create A PWA Fintech App.pdfLucas Lagone

Discovering the Value of Verifying Web Application Security Using IBM Rationa...Alan Kan

The document discusses a workshop on web application security using IBM Rational AppScan. It introduces the importance of securing web applications and provides an overview of common vulnerabilities like cross-site scripting and SQL injection. The workshop aims to help attendees understand application security risks and how to use AppScan to automate vulnerability scanning and analysis. Hands-on labs are included to demonstrate AppScan's vulnerability detection capabilities.

How to Build a Robust Web Application in 2024.pdfsarah david

Web Application Security.pptxGenic Solutions

The Importance of Security Testing in Web Applications.docxQACraft

Application Security Program Management with Vulnerability ManagerDenim Group

The document discusses application security program management and Vulnerability Manager. It describes the challenges of application security scanning and remediation, including that vulnerabilities often persist for months. Vulnerability Manager aims to address this by automating the import of scan data, generating virtual patches, and integrating with defect tracking systems. The presentation demonstrates Vulnerability Manager's core features and future plans to further develop the tool and metrics for measuring security maturity.

Application security in a hurry webinarkdinerman

mastering_web_testing_how_to_make_the_most_of_frameworks.pdfsarah david

mastering_web_testing_how_to_make_the_most_of_frameworks.pptxsarah david

Top 6 Web Application Security Best Practices.pdfSolviosTechnology

Web Application Penetration Testing Course in 2025.pdfdaksh908982

Web Application Security - Everything You Should KnowNarola Infotech

The Complete Web Application Security Testing ChecklistCigital

Web App Security: Top Threats and How to Protect Your App.pdfNathan Smith

AppTrana SECaaS (Security as a Service)IndusfacePvtLtd

7 measures to overcome cyber attacks of web applicationTestingXperts

Essentials of Web Application Security: what it is, why it matters and how to...Cenzic

Application Security - Your Success Depends on itWSO2

FireHost Webinar: Protect Your Application With Intelligent SecurityArmor

Application security in a hurry webinarkdinerman

PWAs For Finance Guide_ How To Create A PWA Fintech App.pdfLucas Lagone

Discovering the Value of Verifying Web Application Security Using IBM Rationa...Alan Kan

How to Build a Robust Web Application in 2024.pdfsarah david

Web Application Security.pptxGenic Solutions

The Importance of Security Testing in Web Applications.docxQACraft

Application Security Program Management with Vulnerability ManagerDenim Group

Recently uploaded (20)

MOBILE PHONE DATA presentation with all necessary detailsbenamorraj

simple-presentationtestingdocument2007.pptxashokjayapal

rosoft PowcgnggerPoint Presentation.pptxsirbabu778

AI theory work for students to understand the logicareeba15775n

UV_Unwrapping_Lecture_with_Figures.pptx presentation for lecture of animation17218

How to Make Money as a Cam Model – Tips, Tools & Real TalkCam Sites Expert

Want to turn your charm, confidence, and camera into a real source of income? This presentation reveals everything you need to know about making money as a cam model — whether you're just starting out or looking to boost your earnings. From choosing the right platform, building your fanbase, and setting up your cam space, to marketing yourself and creating passive income with clips, this guide covers it all. I’ll also share real-world insights from my experience on CamsRating.com. No BS — just proven tips, smart tools, and sexy strategies to get paid doing what you love.

What to Expect When Hiring Shopify Development Services_ A Technical Walkthro...CartCoders

Vigilanti-Cura-Protecting-the-Faith.pptxsecretarysocom

On the 29th of June, 1936, Pius XI addressed a pontifical encyclical entitled "Vigilanti Cura" to all the Catholic bishops in the United States. This encyclical was dedicated to "The Motion Picture" and justified his intervention by "the lamentable progress of the motion picture art and industry in the portrayal of sin and vice". I've appropriated the title of his encyclical for my film, putting it to a completely different use to that originally intended. The 'photogenic quality' of the Latin terminology has, however, been preserved and, as per Adorno: "like a neon light which has just been switched on, the commercial and promotional nature of contemporary culture glows brightly". Vigilanti Cura is an irreverent film; insolent and deliberately confusing; a grab-bag of immorality. The montage combines a range of archival imagery from Humanite magazine with images sourced from the media (the military parade of the 14th of July, the current sorry crop of political celebrities ...) or from the cinema (the automatic writing of a puzzle composed of motifs borrowed from existing films). Vigilanti Cura ... or merely a tacit admission of the downfall of contemporary man, drowning in a sea of political, social and religious fundamentalisms. Where is he to be found? Locked in a vis-a-vis with depression and ego. Psychoanalysis no longer serves as a pretext for the dissolution of sexual and social taboos; it now provokes withdrawal into an auto-reflexive isolation, to the extent that societal problems get frozen in the mirror of Auto-Medusification. The mirror has become our idol - let's destroy it!

Internet_of_Things_Presentation_by-Humera.pptxcshumerabashir

ICP -2 Review – What It Is, and How to Participate and Provide Your FeedbackAPNIC

10 Latest Technologies and Their Benefits to End.pptxEphraimOOghodero

Inter-Mirifica-Navigating-Media-in-the-Modern-World.pptxsecretarysocom

On Dec. 4, 1963, the Second Vatican Council solemnly approved its first two documents: the constitution on the Sacred Liturgy, Sacrosanctum Concilium, and the decree Inter Mirifica, regarding the mass media. The latter document is much less known than the former one. Nonetheless, Inter Mirifica offers some crucial principles to guide us in a world where we find ourselves ever more immersed in mass communication: the press, film, television, along with the newer forms of media. During the preparation for Vatican II, the Church keenly realized the importance of this topic, and Pope John XXIII established a special body to work on a text that might articulate the Church’s teaching on the mass media and promote her action in this area. The result of this work was an extensive document, entitled “On the instruments of social communication,” which was presented to the Council on Nov. 23, 1962.

Quantiuwewe e3er14e we3223 32222 m2.pptxcyberesearchprof

Predicting Site Quality Google Patent US9767157B2 - Behzad Hussain.pdfBehzad Hussain

𝐏𝐚𝐭𝐞𝐧𝐭 𝐈𝐧𝐟𝐨𝐫𝐦𝐚𝐭𝐢𝐨𝐧 𝗣𝗮𝘁𝗲𝗻𝘁 𝗡𝗼.: US9767157B2 𝗧𝗶𝘁𝗹𝗲: Predicting Site Quality 𝗔𝘀𝘀𝗶𝗴𝗻𝗲𝗲: Google Inc., Mountain View, CA 𝗜𝗻𝘃𝗲𝗻𝘁𝗼𝗿𝘀: Navneet Panda; Yun Zhou 𝗜𝘀𝘀𝘂𝗲 𝗗𝗮𝘁𝗲: September 19, 2017 𝐀𝐛𝐬𝐭𝐫𝐚𝐜𝐭 This patent describes methods and systems for automatically predicting a quality score for a website (or “site”) that can be used as a ranking signal in search engines: 1. 𝗕𝗮𝘀𝗲𝗹𝗶𝗻𝗲 𝘀𝗶𝘁𝗲 𝗾𝘂𝗮𝗹𝗶𝘁𝘆 𝘀𝗰𝗼𝗿𝗲𝘀 obtained for previously scored sites. 2. 𝗣𝗵𝗿𝗮𝘀𝗲 𝗺𝗼𝗱𝗲𝗹𝘀 that map phrase-specific relative frequency measures to baseline quality scores. 3. 𝗔𝗴𝗴𝗿𝗲𝗴𝗮𝘁𝗲 𝘀𝗰𝗼𝗿𝗶𝗻𝗴 of a new site by applying the phrase model to its phrase frequencies and then predicting its overall site quality score from the aggregate. 𝐒𝐲𝐬𝐭𝐞𝐦 𝐀𝐫𝐜𝐡𝐢𝐭𝐞𝐜𝐭𝐮𝐫𝐞 (𝐅𝐢𝐠. 𝟏) 1. 𝗨𝘀𝗲𝗿 𝗗𝗲𝘃𝗶𝗰𝗲 & 𝗡𝗲𝘁𝘄𝗼𝗿𝗸: Users submit queries via a device (e.g., browser) over a network. 2. 𝗦𝗲𝗮𝗿𝗰𝗵 𝗦𝘆𝘀𝘁𝗲𝗺: Contains an Indexing Engine (builds the index database) and a Ranking Engine (ranks results). 3. 𝗦𝗶𝘁𝗲 𝗦𝗰𝗼𝗿𝗶𝗻𝗴 𝗘𝗻𝗴𝗶𝗻𝗲: Computes site quality scores using the phrase model and provides these scores to the ranking engine as part of the ranking signals. 𝐏𝐡𝐫𝐚𝐬𝐞 𝐌𝐨𝐝𝐞𝐥 𝐆𝐞𝐧𝐞𝐫𝐚𝐭𝐢𝐨𝐧 (𝐅𝐢𝐠. 𝟐) 1. 𝗧𝗼𝗸𝗲𝗻𝗶𝘇𝗮𝘁𝗶𝗼𝗻 𝗮𝗻𝗱 𝗻-𝗴𝗿𝗮𝗺 𝗘𝘅𝘁𝗿𝗮𝗰𝘁𝗶𝗼𝗻: For each site in a corpus of previously scored sites, extract n-grams (typically 2- to 5-grams) from page content. 2. 𝗥𝗲𝗹𝗮𝘁𝗶𝘃𝗲 𝗙𝗿𝗲𝗾𝘂𝗲𝗻𝗰𝘆 𝗖𝗮𝗹𝗰𝘂𝗹𝗮𝘁𝗶𝗼𝗻: For each extracted n-gram, compute its relative frequency as the ratio of pages containing that n-gram to total pages on the site. 3. 𝗕𝘂𝗰𝗸𝗲𝘁 𝗣𝗮𝗿𝘁𝗶𝘁𝗶𝗼𝗻𝗶𝗻𝗴: Group sites into 20–100 buckets based on their relative frequency measures for each n-gram, ensuring roughly equal bucket sizes or equal interval ranges. 4. 𝗕𝗮𝘀𝗲𝗹𝗶𝗻𝗲 𝗦𝗰𝗼𝗿𝗲 𝗔𝗴𝗴𝗿𝗲𝗴𝗮𝘁𝗶𝗼𝗻: For each bucket, calculate an average baseline quality score from the known scores of sites in that bucket. 5. 𝗣𝗵𝗿𝗮𝘀𝗲 𝗠𝗼𝗱𝗲𝗹 𝗖𝗼𝗻𝘀𝘁𝗿𝘂𝗰𝘁𝗶𝗼𝗻: Associate each n-gram with its vector of bucket-average quality scores. Optionally exclude “neutral” phrases whose scores are statistically indistinguishable from the global average. 𝐒𝐢𝐭𝐞 𝐐𝐮𝐚𝐥𝐢𝐭𝐲 𝐏𝐫𝐞𝐝𝐢𝐜𝐭𝐢𝐨𝐧 𝐏𝐫𝐨𝐜𝐞𝐬𝐬 (𝐅𝐢𝐠. 𝟑) 1. 𝗥𝗲𝗹𝗮𝘁𝗶𝘃𝗲 𝗙𝗿𝗲𝗾𝘂𝗲𝗻𝗰𝘆 𝗳𝗼𝗿 𝗡𝗲𝘄 𝗦𝗶𝘁𝗲: Extract the same set of n-grams from the new (previously unscored) site and compute their relative frequencies. 2. 𝗕𝘂𝗰𝗸𝗲𝘁 𝗟𝗼𝗼𝗸𝘂𝗽: For each phrase, map its relative frequency to the corresponding bucket’s average score in the phrase model. 3. 𝗔𝗴𝗴𝗿𝗲𝗴𝗮𝘁𝗲 𝗦𝗰𝗼𝗿𝗲 𝗖𝗼𝗺𝗽𝘂𝘁𝗮𝘁𝗶𝗼𝗻: Compute an aggregate score across all phrases’ bucket scores—typically via a weighted or unweighted mean. Weights can reflect phrase frequency, distance from a “neutral” score, or limit the influence of overly frequent phrases.

Darley - BSides Nairobi (2025-06-07) Epochalypse 2038 - Time is Not on Our Si...treyka

Epochalypse 2038: Time is Not on Our Side Presented by Trey Darley, Founder – Threshold Continuity Alliance BSides Nairobi – 2025-06-07 The Year 2038 Problem is real — and it's already here. At exactly 03:14:07 UTC on January 19, 2038, 32-bit signed Unix time overflows. Systems that use 32-bit time_t will reset to 1901 and/or fail outright. But this isn’t just about old embedded gear. It’s about trust, cryptographic integrity, log coherence, financial timestamps, system coordination, and the fragile scaffolding of global infrastructure. This talk explores a dangerous and still largely invisible class of vulnerabilities: timestamp fragility and time synchronization failure. We cover: - Why over 60% of global software systems still depend on Unix epoch time - How 2038 bugs can manifest subtly — without a crash, and without warning - Why critical infrastructure (energy, telecom, aviation, finance) is especially at risk - How even modern firmware is being shipped today with latent Y2038 bugs - The implications for TLS certificates, forensic timelines, billing systems, and safety-critical protocols - How time can be maliciously spoofed, delayed, or misaligned — and why legacy NTP is often unauthenticated - A pragmatic call for 2038 rollover testbeds, code audits, and hardened time infrastructure - Recommendations for deploying secure time protocols (NTS, RFC 8915), GPS + Rubidium/Cesium fallback, and air-gapped sync You’ll leave with a grounded understanding of: - Why time isn’t just an input — it’s an untrusted vector - What engineers, regulators, and defenders must do now to avert a long-tail catastrophe - How underserved regions may suffer disproportionately — but also leap ahead by refusing to inherit broken time About the Speaker Trey Darley is the founder of the Threshold Continuity Alliance (TCA), an initiative focused on strategic risk, infrastructure integrity, and time-based vulnerability remediation. A long-time figure in the global cybersecurity community, Trey works at the intersection of symbolic systems, resilience engineering, and future ethics.

Networking_Essentials_version_3.0_-_Module_7.pptxelestirmen

Google_Cloud_Computing_Fundamentals.pptxektadangwal2005

Unlocking Business Growth Through Targeted Social EngagementDigital Guider

Facebook marketing allows businesses to connect with their ideal audience through precise targeting and engaging content. By leveraging advanced tools like custom audiences, Facebook Ads, and real-time analytics, brands can build strong relationships, increase visibility, and drive measurable results. It’s not just about reaching people—it’s about reaching the right people and turning engagement into growth. https://digitalguider.com/digital-advertising/facebook-advertising-services/

PPT 18.03.2023.pptx for i smart programmeAbhimanShastry

3D Graphics an introduction and details .pptxislamicknowledge5224

MOBILE PHONE DATA presentation with all necessary detailsbenamorraj

simple-presentationtestingdocument2007.pptxashokjayapal

rosoft PowcgnggerPoint Presentation.pptxsirbabu778

AI theory work for students to understand the logicareeba15775n

UV_Unwrapping_Lecture_with_Figures.pptx presentation for lecture of animation17218

How to Make Money as a Cam Model – Tips, Tools & Real TalkCam Sites Expert

What to Expect When Hiring Shopify Development Services_ A Technical Walkthro...CartCoders

Vigilanti-Cura-Protecting-the-Faith.pptxsecretarysocom

Internet_of_Things_Presentation_by-Humera.pptxcshumerabashir

ICP -2 Review – What It Is, and How to Participate and Provide Your FeedbackAPNIC

10 Latest Technologies and Their Benefits to End.pptxEphraimOOghodero

Inter-Mirifica-Navigating-Media-in-the-Modern-World.pptxsecretarysocom

Quantiuwewe e3er14e we3223 32222 m2.pptxcyberesearchprof

Predicting Site Quality Google Patent US9767157B2 - Behzad Hussain.pdfBehzad Hussain

Darley - BSides Nairobi (2025-06-07) Epochalypse 2038 - Time is Not on Our Si...treyka

Networking_Essentials_version_3.0_-_Module_7.pptxelestirmen

Google_Cloud_Computing_Fundamentals.pptxektadangwal2005

Unlocking Business Growth Through Targeted Social EngagementDigital Guider

PPT 18.03.2023.pptx for i smart programmeAbhimanShastry

3D Graphics an introduction and details .pptxislamicknowledge5224

Scaling-up and Automating Web Application Security Tech Talk

1. Ferruh Mavituna, CEO Scaling-Up & Automating Web Application Security Netsparker

2. Scaling-Up and Automating Web Application Security Discover

3. Scaling-Up and Automating Web Application Security • Public Websites • Mission Critical • Temporary (i.e. short-term marketing websites) • Managed by 3rd party • Internal Websites • Mission Critical • Developed in house • Developed by a 3rd party • Hardware Management Interfaces • Staging Websites • Actively Developed • 3rd party & will be deployed Discover & Prioritize

4. Scaling-Up and Automating Web Application Security • Process • Internal asset management • Introducing a process & policy • Automated Discovery • Effectively smart “port scanning” Discover & Prioritize

5. Scaling-Up and Automating Web Application Security Identify

6. Scaling-Up and Automating Web Application Security • Configuration Issues • TLS, Web Server, Unnecessary features… • Known Vulnerabilities and Out-of-date Dependencies • Known vulnerabilities in known applications and dependencies • Out-of-date JS libraries, modules, dependencies, frameworks… • Unknown Vulnerabilities (zero-days) • SQL Injection, CSRF, XSS, LFI, RFI and similar vulnerabilities that are not known yet • Lack of Security Best Practice and Proactive Measures • CSP, HSTS, Information Disclosure, Insecure Endpoints, Leaking data to 3rd party resources etc. Identify Vulnerabilities

7. Scaling-Up and Automating Web Application Security Automate

8. Scaling-Up and Automating Web Application Security • Automation excels at • Scaling • Being consistent • Enforcing checks • Finding majority of vulnerabilities • Eliminating human-errors on repeated checks • Limitations of automation • Logical issues • Extremely design specific & platform specific issues • Discovering all the flows & processes in websites Automation

9. Scaling-Up and Automating Web Application Security “Automate what can be automated”

10. Scaling-Up and Automating Web Application Security Automation Challenges

11. Scaling-Up and Automating Web Application Security • Authenticated Scans • URL Rewrite • Custom 404 Pages • Form Values Pre-scan Challenges

12. Scaling-Up and Automating Web Application Security • False Positive • Correlating Results • Hot-patching vulnerabilities in WAF level Post-scan Challenges

13. Scaling-Up and Automating Web Application Security • How many of the identified vulnerabilities are real? • What’s the real risk? • How long would it take to review all vulnerabilities to see which are False Positives? • What kind of technical expertise do you need to accomplish this? 10,000 Issues have been identified, Now what?

14. Scaling-Up and Automating Web Application Security “Automation without accuracy cannot scale”

15. Scaling-Up and Automating Web Application Security • How is it done manually? • Can it be automated? Elimination of False Positives

16. Scaling-Up and Automating Web Application Security “If it’s exploitable it cannot be a false positive”

17. Scaling-Up and Automating Web Application Security • Securing thousands of web applications is possible • Automate what can be automated • Use the right tools for the job • Understand what automation can and cannot do • Plan for the long term • Challenge the norm Conclusion

Editor's Notes

#9: Use automation for what
#12: Automation can deliver a lot but might need to be configured correctly to get the best out it.

Scaling-up and Automating Web Application Security Tech Talk

Recommended

More Related Content

What's hot (20)

Similar to Scaling-up and Automating Web Application Security Tech Talk (20)

Recently uploaded (20)

Scaling-up and Automating Web Application Security Tech Talk

Editor's Notes