Building a Web Application Vulnerability Management Program
- Jason Pubal - Master's Degree Candidate
- Thursday, December 17th, 7:15pm - 8:15pm
For years, attackers have assailed network and system level vulnerabilities, fueling demand for products like firewalls and network vulnerability scanners. As these products mature and IT security teams learn to better handle network security, the industry is seeing a visible increase in attacks moving up the stack to target application-level vulnerabilities.
Mature application security programs perform security testing against web applications during development but tend to be reactive to security defects once an application has been deployed. Web applications running in a production environment are not typically subject to recurring security tests. There is a fear of impacting functionality, and a notion that as long as the codebase has not changed it is impossible to find new security vulnerabilities in an application that was thoroughly tested prior to deployment. Any vulnerability not found during that initial testing is only discovered and addressed after an incident has occurred. Meanwhile, infrastructure vulnerability management performs recurring vulnerability scanning against production networks and servers while the web applications hosted on them are ignored.
As threats evolve and new attack vectors are discovered, applications need to be tested to see how they are affected. Application vulnerability management needs the same rigor infrastructure vulnerability management has: web application vulnerability assessments need to be continuous. The web application vulnerability management framework presented in this talk is the next step in application security. It introduces a methodology, processes, and activities to achieve that goal.
Bio: Jason is a Director of information security leading web application security and penetration testing teams at a large financial services company. In his decade in information security, he has worked in various industries, done a little of everything security, and picked up a couple certifications along the way. With a development background, he has focused his efforts in the last few years on application security. A snowboarder, homebrewer, and hacker - Jason is happy to talk about application security, or your last good beer.
Bonus Sessions
The following bonus sessions are open to all paid attendees at no additional cost. There are many different types of events that fall into these categories:
- SANS@Night: Evening presentations given after day courses have ended. This category includes Keynotes.
- Special Events: SANS-hosted events and other non-technical recreational offerings. This category includes, but is not limited to, Receptions and Information Tables.
- Vendor: Events hosted by external vendor exhibitors.
- Lunch & Learn: Short presentations given during the lunch break.
- Master's Degree Presentation: Presentations given by SANS Technology Institute's Master's Degree candidates.
Monday, December 14
| Session | Speaker | Time | Type |
| --- | --- | --- | --- |
| General Session - Welcome to SANS | Bryce Galbraith - Renaissance Washington, DC Downtown Hotel | Monday, December 14th, 8:15am - 8:45am | Special Events |
| General Session - Welcome to SANS | Jason Fossen - Grand Hyatt Washington | Monday, December 14th, 8:15am - 8:45am | Special Events |
| Busting The Rebel Scum - QRadar and Box | Peter Szczepankiewicz, SANS Certified Instructor and IBM Product Manager, and Sonny Hashmi, Managing Director, Box | Monday, December 14th, 12:30pm - 1:15pm | Lunch and Learn |
| Mike Assante talks on ICS Security Case Studies | Mike Assante | Monday, December 14th, 6:30pm - 8:00pm | Special Events |
| What's New for Security in Windows 10 and Server 2016? | Jason Fossen | Monday, December 14th, 7:15pm - 9:15pm | Keynote |
Tuesday, December 15
| Session | Speaker | Time | Type |
| --- | --- | --- | --- |
| Defining Your First Line of Defense | Tom Byrnes, Founder and CEO | Tuesday, December 15th, 12:30pm - 1:15pm | Lunch and Learn |
| Launch, Detect, Evolve: The Mutation of Malware | Andres Ortiz, Malware Intelligence Analyst | Tuesday, December 15th, 12:30pm - 1:15pm | Lunch and Learn |
| An Architecture for Continuous Monitoring and Mitigation | Matt Hartley, Director - Federal Civilian Agencies & Systems Integrators, and Ellen Sundra, CISSP - Director of Systems Engineering - DOD, Forescout Technologies | Tuesday, December 15th, 12:30pm - 1:15pm | Lunch and Learn |
| Think Like an Attacker: What You Must Know About Targeted Attack Techniques | Michael Mumcuoglu, Co-Founder and Chief Technology Officer | Tuesday, December 15th, 12:30pm - 1:15pm | Lunch and Learn |
| Women's CONNECT Event in partnership with ISSA International Women In Security Special Interest Group (WIS SIG) | — | Tuesday, December 15th, 5:00pm - 7:00pm | Special Events |
| Offensive Countermeasures, Active Defenses, and Internet Tough Guys | John Strand | Tuesday, December 15th, 7:15pm - 8:15pm | SANS@Night |
| The Crazy New World of Cyber Investigations: Law, Ethics and Evidence | Benjamin Wright | Tuesday, December 15th, 7:15pm - 8:15pm | SANS@Night |
| Automating Post-Exploitation with PowerShell | James Tarala | Tuesday, December 15th, 7:15pm - 8:15pm | SANS@Night |
| The Effectiveness of Microsoft's EMET | Stephen Sims | Tuesday, December 15th, 8:15pm - 9:15pm | SANS@Night |
| How to bring some Advanced Persistent Trickery to your fight against Advanced Persistent Threats... | Bryce Galbraith | Tuesday, December 15th, 8:15pm - 9:15pm | SANS@Night |
Wednesday, December 16
| Session | Speaker | Time | Type |
| --- | --- | --- | --- |
| Solutions Expo | — | Wednesday, December 16th, 12:00pm - 1:30pm | Vendor Event |
| Solutions Expo | — | Wednesday, December 16th, 5:30pm - 7:30pm | Vendor Event |
| Malware Analysis for Incident Responders: Getting Started | Lenny Zeltser | Wednesday, December 16th, 7:15pm - 9:15pm | SANS@Night |
| The Tap House | Phil Hagen | Wednesday, December 16th, 7:15pm - 8:15pm | SANS@Night |
| ICS/SCADA Cyber Attacks - Fact vs. Fiction | Robert M. Lee | Wednesday, December 16th, 7:15pm - 8:15pm | SANS@Night |
| The Plinko Board of Modern Persistence Techniques | Alissa Torres | Wednesday, December 16th, 8:15pm - 9:15pm | SANS@Night |
| Debunking the Complex Password Myth | Keith Palmgren | Wednesday, December 16th, 8:15pm - 9:15pm | SANS@Night |
| GIAC Program Overview | Courtney Imbert | Wednesday, December 16th, 8:15pm - 9:15pm | Special Events |
Thursday, December 17
| Session | Speaker | Time | Type |
| --- | --- | --- | --- |
| STI Lunch and Learn | — | Thursday, December 17th, 12:30pm - 1:15pm | Lunch and Learn |
| Prevent - Detect - Respond | Derrick Masters, Security Analyst, Infogressive | Thursday, December 17th, 12:30pm - 1:15pm | Lunch and Learn |
| See Threats Coming with DomainTools | Mark Kendrick, Director of Solution Engineering | Thursday, December 17th, 12:30pm - 1:15pm | Lunch and Learn |
| Crack the Code: Defeat the Advanced Adversary | Robert Clark, Systems Engineer, Palo Alto Networks | Thursday, December 17th, 12:30pm - 1:15pm | Lunch and Learn |
| Foundational Cyber Security Hygiene: Getting Back to Basics | Hariom Singh, CISSP, Director of Policy Compliance | Thursday, December 17th, 12:30pm - 1:15pm | Lunch and Learn |
| CISA: How do we get past walking and actually start running with Information Sharing? | Trish Cagliostro, Principal Security Architect | Thursday, December 17th, 12:30pm - 1:15pm | Lunch and Learn |
| NetWars Tournament of Champions | Ed Skoudis, Tim Medin, and Jeff McJunkin | Thursday, December 17th, 6:30pm - 9:30pm | Special Events |
| Evolving Threats | Paul Henry | Thursday, December 17th, 7:15pm - 8:15pm | SANS@Night |
| Card Fraud 101 | G. Mark Hardy | Thursday, December 17th, 7:15pm - 8:15pm | SANS@Night |
| Building a Web Application Vulnerability Management Program | Jason Pubal - Master's Degree Candidate | Thursday, December 17th, 7:15pm - 8:15pm | Master's Degree Presentation |
| The 14 Absolute Truths of Security | Keith Palmgren | Thursday, December 17th, 8:15pm - 9:15pm | SANS@Night |
| Information Security Risk Management - No Exceptions! | Mark Williams | Thursday, December 17th, 8:15pm - 9:15pm | SANS@Night |