Upgrade to Pro
— share decks privately, control downloads, hide ads and more …
Speaker Deck
Features
Speaker Deck
PRO
Sign in
Sign up for free
Search
Search
Dynamic App Patching
Search
Sponsored
·
Your Podcast. Everywhere. Effortlessly.
Share. Educate. Inspire. Entertain. You do you. We'll handle the rest.
→
Jon Rose
January 01, 2010
Technology
2
92
Dynamic App Patching
Jon Rose
January 01, 2010
Tweet
Share
More Decks by Jon Rose
See All by Jon Rose
Agile Security
jonrose
1
180
Decoding Bug Bounty Programs
jonrose
1
530
Builders Vs. Breakers AppSec 2012
jonrose
2
220
Rich Internet Application Security
jonrose
2
97
Cloudy with a chance of 0-day
jonrose
1
76
Deblaze - A remote method enumeration tool for flex servers
jonrose
3
210
Deblaze - A Remote Method Enumeration Tool for Flex Servers, Defcon
jonrose
2
150
CodeSearch0day
jonrose
1
66
Other Decks in Technology
See All in Technology
Kiro IDEのドキュメントを全部読んだので地味だけどちょっと嬉しい機能を紹介する
khmoryz
0
160
クレジットカード決済基盤を支えるSRE - 厳格な監査とSRE運用の両立 (SRE Kaigi 2026)
capytan
6
2.6k
コスト削減から「セキュリティと利便性」を担うプラットフォームへ
sansantech
PRO
3
1.3k
2026年はチャンキングを極める!
shibuiwilliam
9
1.9k
顧客との商談議事録をみんなで読んで顧客解像度を上げよう
shibayu36
0
160
データ民主化のための LLM 活用状況と課題紹介(IVRy の場合)
wxyzzz
2
660
システムのアラート調査をサポートするAI Agentの紹介/Introduction to an AI Agent for System Alert Investigation
taddy_919
2
1.8k
GitLab Duo Agent Platform × AGENTS.md で実現するSpec-Driven Development / GitLab Duo Agent Platform × AGENTS.md
n11sh1
0
120
ブロックテーマでサイトをリニューアルした話 / 2026-01-31 Kansai WordPress Meetup
torounit
0
450
ZOZOにおけるAI活用の現在 ~開発組織全体での取り組みと試行錯誤~
zozotech
PRO
5
4.8k
名刺メーカーDevグループ 紹介資料
sansan33
PRO
0
1k
Introduction to Bill One Development Engineer
sansan33
PRO
0
360
Featured
See All Featured
YesSQL, Process and Tooling at Scale
rocio
174
15k
Amusing Abliteration
ianozsvald
0
96
Agile Leadership in an Agile Organization
kimpetersen
PRO
0
79
Faster Mobile Websites
deanohume
310
31k
SERP Conf. Vienna - Web Accessibility: Optimizing for Inclusivity and SEO
sarafernandez
1
1.3k
技術選定の審美眼(2025年版) / Understanding the Spiral of Technologies 2025 edition
twada
PRO
117
110k
It's Worth the Effort
3n
188
29k
sira's awesome portfolio website redesign presentation
elsirapls
0
140
SEO for Brand Visibility & Recognition
aleyda
0
4.2k
Building Better People: How to give real-time feedback that sticks.
wjessup
370
20k
Raft: Consensus for Rubyists
vanstee
141
7.3k
Optimising Largest Contentful Paint
csswizardry
37
3.6k
Transcript
Resolving*Applica/on* Vulnerabili/es* Blending(App(Scanners,(WAF’s,( and(Code(Instrumenta:on(
Agenda( • The(Problem( • Iden:fying(Risk( – Web(App(Scanning( – Code(Review( •
Mi:ga:ng(Risks( – Code(Patches( – Web(Applica:on(Firewall( • A(Blended(Solu:on(
The(Problem( • Web(apps(have(security(vulnerabili:es( ( • Feature(deadlines( • Inexperienced( developers( •
Poor(system( administra:on( • Insecure(defaults( • Vulnerable(libraries(
The(Threat(Is(Increasing( AHackers(techniques(&(toolkits(have(advanced(
CrossKEyed(( Scrip:ng( ( Click(Jacking( ( GIFAR( ( Deblaze( ( (
Recent(AHacks(
Common(Approaches( Iden:fica:on( – Web(Applica:on(Scanning( – Code(Review( ( Remedia:on( – Web(Applica:on(Firewall( – Code(Patches( (
Iden:fica:on(
Web(App(Scanning(K(Strengths( • Easily(finds(common( vulnerabili:es( • Language(/(PlaTorm( independent( • Fast(and(Repeatable( •
CostKeffec:ve(( • Consistent(Repor:ng(
Web(App(Scanning(K(Weaknesses( • AHack(Surface(Coverage( • Detec:ng(complex(&( unique(flaws( ( • Pinpoint(vulnerable(code( loca:on(
• Providing(specific( recommenda:ons(
Code(Review(K(Strengths( • Iden:fy(logic(flaws( • Uncover(hard(to( discover(bugs( • Code(coverage( • Pinpoints(vulnerable(
code(loca:on(
Code(Review(K(Weaknesses( • Resource(Intensive( • Expensive( • Slow( • Requires(source(code( •
Requires(tuning(and( configura:on(
Mi:ga:on(Techniques(
Web(App(Firewall(K(Strengths( • Cost(Effec:ve( • Reduces(vulnerability( exposure(( • Provides(breathing( room(for(fixes( •
Dynamic(Patching(
Web(App(Firewall(K(Weaknesses( • Advanced(configura:on( requires(manual(tuning( • May(lead(to(false(sense( of(security( • Another(device/ Applica:on(to(manage(
Code(Patches(K(Strengths( • Solves(the(root(cause(of( the(issue( • Raises(developers( security(awareness( • Increases(applica:on( reliability(
Code(Patches(K(Weaknesses( • Resource(intensive( • Costly( • Slow( • Third(Party(Developers( •
Legacy(Apps(
Blended(Approach( Web(App(Scanner( App(Server( Instrumenta:on( App(Firewall(
How(It(Works(–(Instrumenta:on( • Aspect(Orientated(Programming((AOP)( – Apply(security(checks(and(controls(across(an( applica:on(without(modifying(the(source(code( Input( Output( Target(Applica:on(
How(It(Works(–(Instrumenta:on( • Aspect(Orientated(Programming((AOP)( – Apply(security(checks(and(controls(across(an( applica:on(without(modifying(the(source(code( Input( Output( Target(Applica:on( AOP(Checks(and( controls(
on(entry(and(end(points((
AOP(Advice( • Input/output(valida:on( • Logging( • Access(control( • Error(handling( •
Transac:on(management( • Session(management( Method( AOP(Advice( Method(
AOP(as(a(WAF( • Intercept(HTTP(requests(and(responses( – Input(valida:on( – Session(Management( – Output(encoding( – Filter(informa:on(leakage(
Blended(Approach( Web(App(Scanner( App(Server( Instrumenta:on( App(Firewall( Provides(input(variables( Coverage(&(data(flow(( Provides(dynamic(patch(info( Retest(verifies(fixes( Intercepts((
Requests(&(Responses(
Applica:on(Instrumenta:on( • Provide(aHack(surface(details(to(Applica:on( Scanner( • Iden:fy(Scanner(code(coverage( • Generate(dynamic(patches(based(on(scanner( results(
Similar(Solu:ons(
Next(Steps( • Further(research(on( applying(AOP( Instrumenta:on( • AOP(based(WAF( • Integrate(Scanner( technology(
Conclusion( • Blended(App(Scanner,(WAF,(and( Instrumenta:on(provides:( – Cost(effec:ve( – Efficient( – Comprehensive( – Scalable( – Repeatable( – Consistent(results(
Ques:ons((
None
Introspec:on(
Addi:onal(Checks( • Regularly(checks(config( file(for(insecure(seangs( • Monitor(files(in(the( webroot( • Determines(all( applica:on(input(by(
evalua:ng(applica:on( code( • Trace(SQL( • Intercepts(all(requests/ responses( • Basic(WAF(capability(