FPs Are Cheap - Show Me the CVEs

Explore a critical evaluation of Static Application Security Testing (SAST) tools in this 24-minute Black Hat conference talk. Delve into the challenges of assessing and benchmarking SAST tools, focusing on their ability to deliver relevant results and identify promised vulnerabilities. Learn about synthetic test suites and vulnerabilities as evaluation methods. Examine practical applications and real-world examples to gain insights into the effectiveness of SAST tools in detecting Common Vulnerabilities and Exposures (CVEs). Presented by Kevin Backhouse and Bas van Schaik, this talk provides valuable information for security professionals and developers looking to make informed decisions about SAST tool selection and implementation.

Intro
Synthetic test suites
Synthetic vulnerabilities
In practice
Outro