Loading...

Do WAFs dream of static analyzers?

14 views

Loading...

Loading...

Transcript

The interactive transcript could not be loaded.

Loading...

Loading...

Rating is available when the video has been rented.
This feature is not available right now. Please try again later.
Published on Jul 6, 2017

Traditional WAFs regard the applications they protect as a black box: incoming HTTP requests and outgoing HTTP requests are the only means available for attack detection. Obviously, this information is not enough for formal proof, and WAF settles for heuristic approach. Even if we intercept all requests by an application to its environment (filesystem, sockets, BD), it only improves the quality of heuritsics, though it is in no way useful for switching to formal methods. But what if we build a WAF that would treat an application as a white box? What if it could handle the application model obtained as a result of the static code analysis? What if it would be possible to decide if an HTTP request is an attack as we run application code fragments?

Loading...

When autoplay is enabled, a suggested video will automatically play next.

Up next


to add this to Watch Later

Add to

Loading playlists...