Practical Static Analysis for Continuous Application Security

SecTor 2016

Presented by: Justin Collins
Date: Tuesday October 18, 2016
Time: 14:40 - 15:40
Location: 801B
Track: Tech

Static code analysis tools that attempt determine what code does without actually running the code provide an excellent opportunity to perform lightweight security checks as part of the software development lifecycle. Unfortunately, building generic static analysis tools, especially for security, is a costly, time-consuming effort. As a result, very few tools exist and commercial tools are very expensive – if they even support your programming language. The good news is building targeted static analysis tools for your own environment with rules specific to your needs is much easier! This talk will go through straight-forward options for static analysis, from grep to writing rules for existing tools through writing static analysis tools from scratch. Since static analysis tools can be run at any point in the software development lifecycle, even simple tools enable powerful security assurance when added to continuous integration.

Links

Justin Collins

Justin has been an application security engineer at SurveyMonkey, Twitter, and AT&T Interactive. He is the primary author of Brakeman, an open source static analysis security tool for Ruby on Rails.


KhanFu - Mobile schedules for INFOSEC conferences.
Mobile interface | Alternate Formats