Code Scanning That Works With Your Code – Scott Norberg – ASW #317
Code scanning is one of the oldest appsec practices. In many cases, simple grep patterns and some fancy regular expressions are enough to find many of the obvious software mistakes. Scott Norberg shares his experience with encountering code scanners that didn't find the .NET vuln classes he needed to find and why that led him to creating a scanner from scratch. We talk about some challenges in testing tools, making smart investments in engineering time, and why working with .NET's compiler made his decisions easier.
Segment Resources:
Guest
Scott Norberg is a web security specialist with almost 20 years of experience in various technology and programming roles, specializing in web development and web security using Microsoft technologies. He has a wide range of experience in security, from working with development teams on secure coding techniques to software security assessments and application security program building. He also has an interest in building plug-and-play software libraries that developers can use to secure their sites with little-to-no extra effort. His latest project was building a source code scanner to find vulnerabilities more easily than products currently on the market.
Scott holds several certifications, including Microsoft Certified Technology Specialist (MCTS) for ASP.NET and SQL Server from Microsoft and the Certified Information Systems Security Professional (CISSP) and Certified Cloud Security Professional (CCSP) certifications from ISC2. He also has an MBA from Indiana University.
Scott is currently working as a Principal Application Security Engineer at CDW.