OWASP Find Security Bugs: The community static code analyzer

Presented at Global AppSec - DC 2019, Sept. 12, 2019, 11:30 a.m. (45 minutes)

The Web application development lifecycle includes numerous security activities. For developers, code review is a familiar recurring one. To support Java developers, a project called "Find Security Bugs" (FSB) was started in 2012. It is an extension of the SpotBugs project, formerly known as FindBugs. FSB is a community static analysis tool that targets specific vulnerabilities. Over the years FSB has evolved from a tool with limited coverage to one with solid coverage of bug patterns, and it is now used in many large corporations to support automation. In this presentation, you will learn about its high-level internals and heuristics, and its potential integration in developers' IDEs and in continuous integration environments. A selection of vulnerabilities found by the tool in popular applications, including Spring and Struts, will be explained. For each of these vulnerabilities, we will review the description of the affected component, the issue reported by the tool, the method used to analyze the report and an overview of the potential risks. Along the way you will learn a few tips for increasing your efficiency with the tool. After observing some real-world vulnerabilities, we will conclude with lessons learned from maintaining this open-source project for close to 8 years, covering both the successes and the failures of its development initiatives.

Presenters:

  • Philippe Arteau - GoSecure
    Philippe is a security researcher working for GoSecure. His research is focused on Web application security. His past work experience includes pentesting, secure code review and software development. He is the author of the widely used Java static analysis tool Find Security Bugs. He is also a contributor to the static analysis tool for .NET called Security Code Scan. He has built many plugins for the Burp and ZAP proxy tools, including Retire.js, Reissue Request Scripter and CSP Auditor. He has presented at several conferences, including Black Hat Arsenal, ATLSecCon, NorthSec, Hackfest (QC), 44CON, Hack In Paris and JavaOne.
