Security testing and validation research at SAP

Session: Security testing and validation, Wed., Sep. 16, 14:15 - 14:45

Security testing and validation is a key research area at SAP, aiming to enhance SAP products and processes with cost-effective techniques for the automated detection and prevention of security vulnerabilities. In this talk we will first give an overview of the main topics in this area (e.g., dynamic analysis to counter injection attacks via end-to-end taint tracking, open-source vulnerability assessment, automated security checks for best practices) and then dig into a few of them to make them more concrete. In particular, we will target the domain of multi-party web applications and present a few techniques, ranging from design-time security protocol analysis to black-box dynamic testing, that we devised to support developers and security experts at SAP across the software development lifecycle of these applications. We will demo these techniques and discuss their pros and cons, with special focus on their cost and their potential for use at SAP.

About Luca Compagna

Dr. Luca Compagna joined SAP in 2006. He is a Research Expert at SAP Product Security Research, where he contributes to the SAP research strategy and is responsible for various internally and externally funded research projects. He received his MSc in Informatics Engineering from the University of Genova and his Ph.D. in Computer Science jointly from the University of Genova and the University of Edinburgh. His areas of interest include cyber-security, security engineering, automated reasoning, security testing, and their application to industrially relevant scenarios. He has contributed to various projects on information security and has authored numerous scientific publications in his areas of interest.