Presented at
ShellCon 2019,
Oct. 12, 2019, 3 p.m.
(50 minutes)
Many companies use commercial static analysis tools (SAST) to find bugs, but these SAST tools tend to be expensive, have high false positive rates, and are difficult to customize. "Lightweight" static analysis tools hit a sweet spot that is more powerful than grep but still simple enough that you can write your own.
In this talk, we'll describe how to create your own lightweight static analysis scripts using open source libraries and tools. These techniques can be used by penetration testers to more effectively find bugs and/or integrated into CI/CD checks by security engineers to raise the security bar of the applications they support.
Presenters:
-
Daniel DeFreez
Daniel is a Ph.D. candidate at the University of California, Davis. His research focuses on developing scalable static analysis techniques to find error-handling defects in systems software. He has designed and implemented static analysis tools that have found hundreds of bugs in open-source software projects, including OpenSSL and the Linux kernel.
Daniel is also a co-founder of Practical Program Analysis, LLC. He will be joining Southern Oregon University as an Assistant Professor in January 2020.
-
Clint Gibler
Clint Gibler is a Research Director at NCC Group, a global information assurance specialist providing organizations with security consulting services. He's helped companies implement security automation and DevSecOps best practices as well as performed penetration tests for companies ranging from large enterprises to new startups.
Clint has previously spoken at conferences including BlackHat USA, AppSec USA/EU, and DevSecCon Seattle/Singapore. Clint holds a Ph.D. in Computer Science from the University of California, Davis.
Clint also writes
, a newsletter about AppSec and scaling security, automated bug finding, conference talk and paper summaries, and useful links from around the web.
Links:
Similar Presentations: