Lenny Halseth, Senior Software Engineer for Secure Decisions, a division of Applied Visions, Inc., will be presenting a cyber security session titled “The White Hat’s Advantage: Penetration testing tools for web application security” at the 21st Annual New York State Cyber Security Conference in Albany, NY. The conference is hosted by the New York State Office of Information Technology Services, the University at Albany’s School of Business, and The New York State Forum, Inc. The event takes place June 5-6, 2018. Register for the conference here.
Lenny’s session summary:
White hat penetration testers are generally at a disadvantage compared to the malicious attackers they help defend against. They have limited time and resources to secure the entire application, where attackers have unlimited time and may only need a single vulnerability. This session will discuss how web application penetration testers can improve their white box testing using a new open source tool, funded by the Department of Homeland Security. This tool leverages access to the application server bytecode to provide an advantage to the penetration tester working with the development team.
OWASP Code Pulse instruments the web application server bytecode to provide real-time code coverage while testing the application. This allows the penetration tester to measure how much of the application server code their testing has touched, and visually displays gaps in their testing coverage. This real-time feedback helps testers tune their testing to maximize the amount of code covered, compare performance of different testing tools and activities, and communicate useful metrics of testing activity to others.
Upcoming features and major releases will be discussed, a brief demonstration of the tool will be given, and a question and answer portion will complete the session.
Lenny Halseth is a Senior Software Engineer with more than a decade of professional experience developing applications that cover a large range of problem spaces and technologies. In his current work as a cyber security researcher and developer with a focus on Application Security, Lenny is involved in the design and development of Code Pulse, a real-time code coverage analysis tool for penetration testing activities. As a member of the DHS-funded ASTAM application security project development team, Lenny also led development of a new application security and compliance framework. Lenny has developed applications for software assurance, code quality and development practice evaluation, and serious gaming. As part of a DHS Phase I and Phase II SBIR, he helped to design and develop a comprehensive application vulnerability management tool that correlates, analyzes and prioritizes software security vulnerabilities, which was transitioned and commercialized as Code Dx. He has also played pivotal roles in developing CodeFacts – a Navy Phase II SBIR that aids the assessment of software quality and development practices. He has also participated in developing the Tactical Target Analysis and Prediction System (TTAPS) family of projects – all completed military Phase II SBIRs and Phase II options with a focus on Command and Control (C2), simulation, training, and gaming technology integration for modern human-computer interaction paradigms. Lenny has also previously led a team to develop a suite of applications that facilitate large-scale coordinated movement and schedule management. That suite covered desktop, mobile, and web-based usage and is currently deployed in many real-world operational environments. Lenny holds a Bachelor of Science in Computer Science from Gonzaga University, Spokane, WA.