OWASP Dallas October Meeting

Topic: Anatomy of a Logic Flaw

Traditional vulnerabilities like SQL Injection, buffer overflows, etc, have well established techniques for discovery and prevention. On the other hand, logic flaws are incredibly diverse and often unique to the specific application or business organization. Because of this, logic flaws have taken on a near mythical status. In the myth, logic flaws are nearly impossible to find until the elite of the elite hackers launch an attack to completely own the application.

The reality is far different; logic flaws are not the complex nightmare that many have made them out to be. This presentation will use real-world examples to show how logic flaws are typically introduced into an application, how they can be consistently detected during testing, and how they can be prevented during development. Instead of hoping for magic, repeatable processes will be outlined for each of those items. This will prove beneficial to anyone responsible for application security: programmers, architects, managers, and pen testers.

Who: Charles Henderson is the Vice President of Managed Security Testing at Trustwave. He has been in the information security industry for over twenty years. Over that time, he and his teams have specialized in network penetration testing, application penetration testing, physical security testing, and incident response. His team's clients range from the largest on the Fortune lists to small and midsized companies interested in improving their security posture. Henderson routinely speaks at various conferences (including Black Hat, DEF CON, RSA, SOURCE, OWASP AppSec USA and Europe, FROC, and Merchant Risk Council) around the world on various subject matters relating to security testing and incident response.