YoVDO

Practical Static Analysis for Continuous Application Security

Offered By: OWASP Foundation via YouTube

Tags

Conference Talks, Python, JavaScript, Ruby, Regular Expressions, Continuous Integration, Application Security, Static Analysis

Course Description

Overview

Explore practical static analysis techniques for continuous application security in this conference talk from AppSecUSA 2016. Learn how to build targeted static analysis tools tailored to your specific environment and needs. Discover straightforward options for implementing static analysis, ranging from simple grep commands to writing custom rules for existing tools and even developing static analysis tools from scratch. Gain insights into integrating these tools into your continuous integration pipeline to enable powerful security assurance throughout the software development lifecycle. Understand the benefits of static code analysis for identifying potential security vulnerabilities without executing the code. Follow along as the speaker demonstrates various approaches, including regular expressions, abstract syntax tree (AST) parsing, and custom rule creation for popular tools like Bandit and Brakeman. By the end of this talk, you'll be equipped with practical knowledge to implement effective static analysis techniques and enhance your application's security posture.

Syllabus

Intro
Continuous Security
Practical Static Analysis
Why Static Analysis?
Tool Cycle
Enforce the Solution
Automate Enforcement
Continuous Integration
Code Review
Deployment Gate
Separate Process
Local Tests/Git Hook
1 - Identify a Problem
2 - Identify a Solution
Regular Expressions
Desired Flow
Bash
git diff --name-status
Multiple Rules
Create a Rule
Base Rule Class: class Rule
Code to Run It
False Positives
False Negatives
Compilation vs. Static Analysis: Input Program Text
S-Expressions
Ruby (RubyParser)
Python (Astroid): AstroidBuilder().string_build(get_survey(survey_id))
JavaScript (Esprima)
Bandit Custom Rule: import bandit; from bandit.core import test_properties as test
Bandit Custom Warning
Brakeman Custom Check
Brakeman Custom Warning
Walking Esprima AST
Walking RubyParser AST
Summary
Thank you

Taught by

OWASP Foundation
