OWASP NYC
Maty Siman
About

Maty Siman, CISSP
CTO, Founder – Checkmarx:
  Leading SAST (“Source Code Analysis”) vendor
  Hundreds of customers worldwide
  Secures the SalesForce AppExchange marketplace
  “Visionary” by Gartner
Graph Visualization
Issues at hand – size, complexity, volume

 The biggest challenge for current source code analysis solutions is size:
 how to deliver
   1. Usable results
   2. Automatically
   3. Out-of-the-box
   4. Actionable
 for extra large code bases with thousands or more results
Issue

• Finding thousands of accurate results does not
  make us happy …
• WebGoat, for example, has hundreds of XSS findings
• We’ll narrow this down to 10 places to fix
Current situation

• Each result has a data flow, presented
  independently from other findings.

Single Data Flow Path - XSS

  Data flow node                   Source code
  Request.QueryString["param1"]    String s = Request.QueryString["param1"];
  s                                …
  Response.Write(s)                Response.Write(s);

Current situation

• One is easy.
• And 14?

Many Single-Path – XSS – a lot of work

But …

• What do they have in common?

Combined paths

Can we …

• Point, click and check without even READING
  the source code?
• “What if I fix here? Or here?”

Here it is more effective

What-If I fix here?

And here?

Automatic “What-if” => Best Fix Location
Max-Flow-Min-Cut (http://en.wikipedia.org/wiki/Max-flow_min-cut_theorem)

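The best-fix-location idea on this slide, worked through as an added example (not code from the deck or from Checkmarx): a constructed data-flow graph, a "what if I fix here?" path count, and a minimum vertex cut computed with max-flow/min-cut, which returns the fewest nodes whose sanitization cuts every source-to-sink path. The node names, the graph shape and the unit cost per fix are assumptions.

```python
from collections import deque
from functools import lru_cache

# Constructed example graph (an assumption, not taken from the deck): nodes
# are statements, edges carry tainted data from four request reads to two
# Response.Write sinks through shared helpers, as on the "many paths" slide.
EDGES = {"read1": ["build"], "read2": ["build"], "read3": ["fmt"],
         "read4": ["fmt"], "build": ["render"], "fmt": ["render", "write2"],
         "render": ["write1", "write2"], "write1": [], "write2": []}
SOURCES, SINKS = ["read1", "read2", "read3", "read4"], ["write1", "write2"]

def count_paths(edges, sources, sinks, fixed=frozenset()):
    """'What if I fix here?': paths that survive if `fixed` nodes sanitize."""
    @lru_cache(maxsize=None)                     # graph assumed acyclic
    def paths_from(n):
        if n in fixed:
            return 0
        return 1 if n in sinks else sum(paths_from(m) for m in edges[n])
    return sum(paths_from(s) for s in sources)

def best_fix_locations(edges, sources, sinks):
    """Fewest nodes that cut every path: min vertex cut via max-flow/min-cut."""
    INF, cap = float("inf"), {}
    def add(u, v, c):
        cap.setdefault(u, {})[v] = c
        cap.setdefault(v, {}).setdefault(u, 0)   # residual back-edge
    for n, nbrs in edges.items():
        add(n + "_in", n + "_out", 1)            # fixing node n costs 1
        for m in nbrs:
            add(n + "_out", m + "_in", INF)      # propagation itself is free
    for s in sources:
        add("S", s + "_in", INF)                 # super source
    for t in sinks:
        add(t + "_out", "T", INF)                # super sink
    while True:                                  # Edmonds-Karp: BFS augmenting paths
        parent, q = {"S": None}, deque(["S"])
        while q and "T" not in parent:
            u = q.popleft()
            for v, c in cap[u].items():
                if c > 0 and v not in parent:
                    parent[v] = u
                    q.append(v)
        if "T" not in parent:
            break                                # parent now holds the S-side of the min cut
        v = "T"                                  # walk back; bottleneck is one unit node edge
        while parent[v] is not None:
            u = parent[v]
            cap[u][v] -= 1; cap[v][u] += 1       # push one unit of flow
            v = u
    return {n for n in edges if n + "_in" in parent and n + "_out" not in parent}
```

Fixing `render` alone removes 8 of the 10 paths, but the min cut shows that two fixes, in `build` and `fmt`, close all of them.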
Simplifying the graph – step 1 - grouping

Simplifying the graph – step 2 –
homeomorphic reduction (http://enc.tfode.com/Homeomorphism_(graph_theory))

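Step 2 as an added example (not the deck's or Checkmarx's code): contracting every node that has exactly one predecessor and one successor yields a homeomorphic graph with the same sources, sinks, merge and branch points and the same paths, so it can be drawn much smaller without changing what a fix-location analysis would find. The constructed "method:line" node names are assumptions, and the deck's step 1 (grouping) is not shown here.

```python
# Constructed data-flow graph (an assumption, not the deck's own data): each
# node is "method:line"; two request-handling paths share the Render helper.
# Every node, including sinks, appears as a key.
EDGES = {
    "Page_Load:10": ["Page_Load:11"], "Page_Load:11": ["Render:20"],
    "Search:30": ["Search:31"], "Search:31": ["Search:32"],
    "Search:32": ["Render:20"], "Render:20": ["Render:21"],
    "Render:21": ["Render:22"], "Render:22": ["Render:23", "Log:40"],
    "Render:23": [], "Log:40": ["Log:41"], "Log:41": [],
}

def homeomorphic_reduce(edges, keep=()):
    """Contract every node that has exactly one predecessor and one successor
    (a subdivision vertex). Sources, sinks, merge and branch points, and every
    source->sink path survive, so fix-location analysis gives the same answer.
    Nodes listed in `keep` (e.g. a chosen fix location) are never contracted."""
    succ = {n: list(ms) for n, ms in edges.items()}
    pred = {n: [] for n in succ}
    for n, ms in succ.items():
        for m in ms:
            pred[m].append(n)
    for n in list(succ):
        if n in keep or len(pred[n]) != 1 or len(succ[n]) != 1:
            continue
        p, s = pred[n][0], succ[n][0]
        if n in (p, s) or p == s:              # self-loop or 2-cycle: leave as is
            continue
        # bypass n: p -> s, dropping any parallel edge that this creates
        succ[p] = list(dict.fromkeys(s if m == n else m for m in succ[p]))
        pred[s] = list(dict.fromkeys(p if m == n else m for m in pred[s]))
        del succ[n], pred[n]
    return succ
```

On the constructed graph the eleven nodes collapse to six while all four source-to-sink paths are preserved.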
Simplifying the graph - output

Simplifying the graph - output

Compare the three

Space Invader
Benefits

• Gives you the correlation between findings of
   the same type (SQLi) and of different types.
• You are not dealing with individual findings –
   but with a complete system
• Use your time better
Thank you
   maty@checkmarx.com

Graph Visualization - OWASP NYC Chapter

Editor's Notes

  • #8: That’s a data flow and how each step is reflected in the source code.
  • #10: And then we might have dozens of paths. How can we gain some more information?
  • #12: Let’s combine them
  • #14: So this place is probably better. More paths get fixed
  • #15: If I fixed that point, what parts will be OK?
  • #16: And what about this one in here?
  • #17: So by fixing only three places in the code, we were able to fix…
  • #18: So by fixing only three places in the code, we were able to fix…
  • #19: So by fixing only three places in the code, we were able to fix…
  • #20: So by fixing only three places in the code, we were able to fix…
  • #21: So by fixing only three places in the code, we were able to fix…
  • #22: … this.