Hackuracy: Boosting AST Accuracy Through Hacking

This talk explores how to improve the accuracy of Application Security Testing (AST) by combining automated vulnerability scanning with expert ethical hacking. Learn why automated tools alone detect only 45% of system risk exposure due to high rates of false positives and negatives. Discover the research findings that show how a combined approach of scanning and ethical hacking dramatically outperforms standalone tools, achieving accuracy scores of 78.9-93.7% in vulnerability detection and 94.3-98.5% in risk exposure identification, compared to the best tool's 26.4-58.4% and 8.5-27.0% respectively. Understand why expert hackers are essential for identifying complex security flaws that automated tools miss, particularly when vulnerabilities require understanding nuanced application logic. The presentation includes details on three different accuracy measures used in the research, characterization of the insecure-by-design web application used as the target of evaluation, and recommendations for enhancing vulnerability scanner accuracy to better protect applications against sophisticated threats.