YoVDO

Static Application Security Testing (SAST)

Offered By: LinkedIn Learning

Tags

  • Application Security (AppSec) Courses
  • Programming Languages Courses
  • SonarQube Courses
  • Software Development Life Cycle Courses

Course Description

Overview

Embed security into the software development life cycle. Learn how to use offline (static) security testing, which analyzes source, bytecode and binaries without running the application, to validate your code and uncover vulnerabilities before they reach production.

Syllabus

Introduction
  • The importance of offline testing
  • What you should know
1. Leading Practices
  • Security in the SDLC
  • Development methodologies
  • Programming languages
  • Security frameworks
  • Intro to the OWASP Top Ten
  • Other notable OWASP projects
  • Top 25 Software Errors
  • BSIMM
  • Building your test lab
  • Preparing your checklist
2. Security Documentation
  • Internal project plans
  • Communication planning
  • Change control policy
  • Security incident response policy
  • Logging and monitoring policy
  • Third-party agreements
  • OWASP ASVS
3. Source Code Security Reviews
  • Challenges of assessing source code
  • OWASP Code Review Project
  • Bytecode scanners
  • Binary code scanners
  • Code review models
  • Application threat modeling
  • Code review metrics
  • Demo: Codacy
  • Demo: SonarQube
4. Offline Testing for the OWASP Top Ten (2017)
  • The OWASP Top Ten
  • A1: Injection
  • A2: Broken authentication
  • A3: Sensitive data exposure
  • A4: XML external entities (XXE)
  • A5: Broken access control
  • A6: Security misconfiguration
  • A7: Cross-site scripting (XSS)
  • A8: Insecure deserialization
  • A9: Using components with known vulnerabilities
  • A10: Insufficient logging and monitoring
Conclusion
  • Next steps
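To make concrete what the "offline testing" in the syllabus (section 3 and A1: Injection) actually does, here is a small static analyzer written for this page. It is an added example, not course material and not code from SonarQube or Codacy. It parses Python source into an AST, looks for database sinks (`execute`, `executemany`, `executescript`) whose first argument is a dynamically built string, and follows one level of simple assignment so a query assembled into a variable is also caught. The two snippets it scans (a vulnerable version and its parameterized fix), the sink names, and the `Finding` type are all constructed for the illustration; real tools do this with far deeper data-flow analysis.

```python
"""Toy SAST check for SQL injection (OWASP 2017 A1), added as an example.

Parses source with the standard-library `ast` module and flags calls to
known database sinks whose query argument is assembled from string
concatenation, %-formatting, str.format() or an f-string. Assignments of
such strings to a plain variable are tracked so `q = f"..."; cur.execute(q)`
is also reported. Single-scope and flow-insensitive: good enough to show
the idea, not a substitute for a real analyzer.
"""
from __future__ import annotations

import ast
from dataclasses import dataclass
from typing import Optional

# Constructed list of method names treated as SQL sinks (DB-API style).
SINKS = {"execute", "executemany", "executescript"}


@dataclass
class Finding:
    line: int
    sink: str
    reason: str


def _dynamic_string_reason(node: ast.AST) -> Optional[str]:
    """Return why `node` is a dynamically built string, or None if it is not."""
    if isinstance(node, ast.JoinedStr):
        return "f-string interpolated into query"
    if isinstance(node, ast.BinOp):
        if isinstance(node.op, ast.Add):
            return "string concatenation in query"
        if isinstance(node.op, ast.Mod):
            return "%-formatting in query"
    if (isinstance(node, ast.Call) and isinstance(node.func, ast.Attribute)
            and node.func.attr == "format"):
        return "str.format() in query"
    return None


class SqlInjectionVisitor(ast.NodeVisitor):
    def __init__(self) -> None:
        self.findings: list[Finding] = []
        self.tainted: dict[str, str] = {}  # variable name -> reason

    def visit_Assign(self, node: ast.Assign) -> None:
        # Remember `name = <dynamic string>` so a later execute(name) is caught.
        if len(node.targets) == 1 and isinstance(node.targets[0], ast.Name):
            reason = _dynamic_string_reason(node.value)
            if reason:
                self.tainted[node.targets[0].id] = reason
        self.generic_visit(node)

    def visit_Call(self, node: ast.Call) -> None:
        func = node.func
        if isinstance(func, ast.Attribute) and func.attr in SINKS and node.args:
            arg = node.args[0]
            reason = _dynamic_string_reason(arg)
            if reason is None and isinstance(arg, ast.Name) and arg.id in self.tainted:
                reason = f"query variable '{arg.id}' built by {self.tainted[arg.id]}"
            if reason:
                self.findings.append(Finding(node.lineno, func.attr, reason))
        self.generic_visit(node)


def scan_source(source: str) -> list[Finding]:
    """Parse `source` and return injection findings in source order."""
    visitor = SqlInjectionVisitor()
    visitor.visit(ast.parse(source))
    return visitor.findings


# Constructed sample inputs: the vulnerable code and its parameterized fix.
VULNERABLE = '''
def get_user(cur, name):
    cur.execute("SELECT * FROM users WHERE name = '" + name + "'")

def get_order(cur, oid):
    query = f"SELECT * FROM orders WHERE id = {oid}"
    cur.execute(query)
'''

FIXED = '''
def get_user(cur, name):
    cur.execute("SELECT * FROM users WHERE name = %s", (name,))

def get_order(cur, oid):
    cur.execute("SELECT * FROM orders WHERE id = ?", (oid,))
'''

if __name__ == "__main__":
    for label, src in (("vulnerable", VULNERABLE), ("fixed", FIXED)):
        print(f"{label}: {len(scan_source(src))} finding(s)")
        for f in scan_source(src):
            print(f"  line {f.line}: {f.sink}() - {f.reason}")
```

Running the block reports two findings for the vulnerable snippet (the concatenated query on line 3 and the f-string routed through `query` on line 7) and none for the fixed one, because a constant query string with a separate parameter tuple never matches. The limitations are instructive too: a query built in one function and executed in another, or passed through a dict, slips past this checker, which is exactly the gap that taint analysis in commercial and open-source SAST tools exists to close.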

Taught by

Jerod Brennen

Related Courses

Continuous Inspection and Configuration Management - Jenkins
LearnKartS via Coursera
Advanced DevOps Tools and Practices
Packt via Coursera
Maven and SonarQube for DevOps Engineers - Beginners Guide
Packt via Coursera
Offline Application Security Testing Essential Training
LinkedIn Learning
Application Analysis with SonarQube
Pluralsight