YoVDO

Practical Static Analysis for Continuous Application Security

Offered By: OWASP Foundation via YouTube

Tags

Conference Talks Courses Python Courses Javascript Courses Ruby Courses Regular Expressions Courses Continuous Integration Courses Application Security Courses Static Analysis Courses

Course Description

Overview

Explore practical static analysis techniques for continuous application security in this conference talk from AppSecUSA 2016. Learn how to build targeted static analysis tools tailored to your specific environment and needs. Discover straightforward options for implementing static analysis, ranging from simple grep commands to writing custom rules for existing tools and even developing static analysis tools from scratch. Gain insights into integrating these tools into your continuous integration pipeline to enable powerful security assurance throughout the software development lifecycle. Understand the benefits of static code analysis for identifying potential security vulnerabilities without executing the code. Follow along as the speaker demonstrates various approaches, including regular expressions, abstract syntax tree (AST) parsing, and custom rule creation for popular tools like Bandit and Brakeman. By the end of this talk, you'll be equipped with practical knowledge to implement effective static analysis techniques and enhance your application's security posture.

Syllabus

Intro
Continuous Security
Practical Static Analysis
Why Static Analysis?
Tool Cycle
Enforce the Solution
Automate Enforcement
Continuous Integration
Code Review
Deployment Gate
Separate Process
Local Tests/Git Hook
1 - Identify a Problem
2 - Identify a Solution
Regular Expressions
Desired Flow
Bash
git diff --name-status
Multiple Rules
Create a Rule
Base Rule Class class Rule
Code to Run It
False Positives
False Negatives
Compilation vs. Static Analysis Input Program Text
S-Expressions
Ruby (RubyParser)
Python (Astroid) AstroidBuilder().string_build( get_survey(survey_id))
JavaScript (Esprima)
Bandit Custom Rule import bandit from bandit.core import test properties as test
Bandit Custom Warning
Brakeman Custom Check
Brakeman Custom Warning
Walking Esprima AST
Walking RubyParser AST
Summary
Thank you


Taught by

OWASP Foundation

Related Courses

Web Application Architectures
University of New Mexico via Coursera Ruby مدخل إلى برمجة مواقع الإنترنت باستخدام لغة
Rwaq (رواق) Rails with Active Record and Action Pack
Johns Hopkins University via Coursera Ruby on Rails: An Introduction
Johns Hopkins University via Coursera Ruby on Rails Web Services and Integration with MongoDB
Johns Hopkins University via Coursera