Presentation Material
Abstract
It is clear that traditional web application security scanners are incapable of finding logical security bugs. The speaker will show users how they can build tools that detect such bugs by using machine learning as a key ingredient. The talk is for cloud-based application security enthusiasts.
AI Generated Summarymay contain errors
Here is a summary of the content:
The speaker discusses an expert system built on top of Python, utilizing machine learning libraries to automate web application testing and security scanning. The technology focuses on JavaScript endpoints, user interaction, and API triggers, making it suitable for modern web applications that heavily rely on JavaScript.
The speaker addresses two questions from the audience:
- Is this technology for defenders or hackers? The answer is that it’s built for both, but primarily used for security testing and finding vulnerabilities in applications.
- How can one contrast this application, and what’s the probability of success in fighting vulnerabilities? The response explains that traditional payloads are used, but the difference lies in how the system interacts with the application. It’s designed to learn and improve over time, making it more intelligent with each scan.
Additional questions from the audience are addressed:
- What is the precision recall rate for label recognition? The answer is 92%, achieved through 8-9 months of training data sets. However, the system may struggle with new, unusual labels and requires manual assistance in such cases.
- Does the system follow one top scenario or multiple probable scenarios for a page? The response confirms that it follows multiple probable scenarios, using an algorithm to determine the highest probability path.
The speaker also explains how labels are created, initially by hand, but later automatically generated using the cosine similarity algorithm to find similar patterns in the data.