Java day 2014_20140723_v2

  • 1. Jim Liu, Chief Geek, Lucent Sky
  • 2. Agenda: AVM (Application Vulnerability Mitigation)
  • 4. 70% / 480
  • 6. Employee ID:
  • 7. Vulnerable item lookup (untrusted itemName concatenated into the SQL text):

        String userName = ctx.getAuthenticatedUserName();
        String itemName = request.getParameter("itemName");
        String query = "SELECT * FROM items WHERE owner = '" + userName + "' AND itemname = '" + itemName + "'";
        List items = sess.createSQLQuery(query).list();

  • 8. Cross-Site Scripting (JavaScript)
  • 9. SQL Injection (SQL, 80%)
  • 10. Agenda: AVM (Application Vulnerability Mitigation)
  • 14. (SAST)
  • 15. Agenda: AVM (Application Vulnerability Mitigation)
  • 16. Employee ID:
  • 17. Employee ID:
  • 18. The same lookup as slide 7, before mitigation:

        String userName = ctx.getAuthenticatedUserName();
        String itemName = request.getParameter("itemName");
        String query = "SELECT * FROM items WHERE owner = '" + userName + "' AND itemname = '" + itemName + "'";
        List items = sess.createSQLQuery(query).list();

  • 19. The mitigated lookup, with the request parameter encoded for SQL before concatenation:

        String userName = ctx.getAuthenticatedUserName();
        String itemName = request.getParameter("itemName");
        String query = "SELECT * FROM items WHERE owner = '" + userName + "' AND itemname = '" + ESAPI.encoder().encodeForSQL(itemName) + "'";
        List items = sess.createSQLQuery(query).list();

  • 20. Agenda: AVM (Application Vulnerability Mitigation)
  • 21. AVM:
  • 22. Eclipse/NetBeans
  • 23. AVMDemo
  • 24. Case Study: Edward Chen, Security Consultant, M-Power
  • 25. CI (Continuous Integration)
  • 27. - create project

        mono console/SkyAnalyzer.Interface.Console.exe --credential user_name --interface project --method create --projectname projectname --projectframework Java --projectid project_id

  • 28. - create scan

        mono console/SkyAnalyzer.Interface.Console.exe --credential user_name --interface scan --method create --projectid project_id --scanid scan_id

  • 29. - analyze source

        mono console/SkyAnalyzer.Interface.Console.exe --credential user_name --interface scan --method analyze --scanid scan_id --scanmitigatedproject "source_code_archive_file"

  • 30. - Checking the status of a scan

        mono console/SkyAnalyzer.Interface.Console.exe --credential user_name --interface scan --method status --scanid scan_id

  • 31. - Downloading mitigated source code

        mono SkyAnalyzer.Interface.Console.exe --credential user_name --interface scan --method mitigate --scanid scan_id --scanmitigatedproject "secure_code_archive_file"

  • 33. Jim Liu, Chief Geek, Lucent Sky; Edward Chen, Security Consultant, M-Power
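As an added example (not code from the slides, and not part of Lucent Sky's AVM product), the slide 7 lookup is shown next to a parameterised JDBC version of the same query. The class name ItemRepository, the method names and the caller-supplied Connection are assumptions; the slides only show the Hibernate session call.

```java
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.util.ArrayList;
import java.util.List;

// Added example, not from the slides. ItemRepository and the method names are
// assumptions; the Connection is assumed to be obtained by the caller.
public class ItemRepository {

    // Slide 7 pattern: the request parameter becomes part of the SQL text.
    // A single quote inside itemName ends the literal early, so the rest of
    // the value is parsed as SQL and the owner restriction no longer holds.
    // Kept here only to show what a SAST tool flags; do not use it.
    static String buildVulnerableQuery(String userName, String itemName) {
        return "SELECT * FROM items WHERE owner = '" + userName
             + "' AND itemname = '" + itemName + "'";
    }

    // Mitigated form: the SQL text is a constant and both values are bound
    // as parameters, so the driver never interprets quotes in itemName as
    // syntax. This is the structural fix; escaping (slide 19) is a fallback.
    static List<String> fetchItems(Connection conn, String userName, String itemName)
            throws SQLException {
        String sql = "SELECT itemname FROM items WHERE owner = ? AND itemname = ?";
        List<String> found = new ArrayList<>();
        try (PreparedStatement ps = conn.prepareStatement(sql)) {
            ps.setString(1, userName);   // authenticated user, bound not concatenated
            ps.setString(2, itemName);   // untrusted input, bound not concatenated
            try (ResultSet rs = ps.executeQuery()) {
                while (rs.next()) {
                    found.add(rs.getString("itemname"));
                }
            }
        }
        return found;
    }
}
```

In the Hibernate style of slide 7 the same fix is `sess.createSQLQuery("SELECT * FROM items WHERE owner = :owner AND itemname = :item").setParameter("owner", userName).setParameter("item", itemName).list()`. The slide 19 approach, `ESAPI.encoder().encodeForSQL(...)`, escapes rather than binds; in ESAPI the method takes a database-specific Codec (such as `MySQLCodec` or `OracleCodec`) as its first argument, and the escaping must match the database dialect actually in use, which is why bind parameters are the form to prefer when the code can be restructured.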