Rafal Los, Application Security Evangelist at HP Software, talks about application security vulnerabilities at the logic level.
The inner-workings of an application can only be seen through a combination of human input, static analysis, dynamic analysis and a new type of technology loosely termed run-time analysis – the type of ‘deep inspection’ that’s required to truly see “inside” an application and determine how flaws relate, how they’re exploited and where in the source code they can ultimately be fixed.
Building systems that really understand applications ultimately requires us to utilize our human brains and culminate information from technology, project requirements, developer interaction and simply ‘using’ the application by following use-cases.
Only through the collaborative approach of all these human and automated technologies can we start to build systems that are pseudo-intelligent and can perform the combinatory magic which allows iterating through millions or billions of combinations actions to determine negative variations.
This is no small feat – this problem has been worked on for well over a decade and only now through the bringing together of both static and dynamic analysis can we truly start to dig deep into a problem that has silently plagued application security for a very long time.