AppSec California 2016

Some vulnerabilities are just unfixable. You can’t block them because there’s no clear pattern to the attack. You can’t fix the code because they’re buried in libraries and frameworks.  And you can’t live with them because they’re incredibly dangerous.  Java’s deserialization vulnerabilities are a perfect example where organizations are left with no good choices and a huge window of exposure.  In this talk, Jeff will explore the use of “runtime application self protection” (RASP) to fix this type of problem. Jeff will talk about various approaches to RASP, including dynamic software instrumentation.  He’ll also introduce a free and open source RASP agent designed to completely neuter deserialization attacks across the entire Java stack.  He’ll show you how RASP agents can enable quick and effective defenses across an entire application portfolio, and should be part of your application security strategy today.