Web Developers, Beware of the Tarpits for SAST in Your Code

Offered By: OWASP Foundation via YouTube

Course Description

Overview

Explore the challenges of, and solutions for, Static Application Security Testing (SAST) in web development through this 47-minute conference talk. Delve into the concept of SAST testability, examining real-world examples such as CVE-2011-3357, a file inclusion vulnerability in the Mantis bug tracker. Learn about testability patterns and how they are created, including manual and automated transformations. Gain insights into the research methodology, the advantages of pattern discovery, and semantic-preserving transformations. Understand the role of developer-assisted transformations and their impact on SAST results. Conclude with an overview of the next steps in improving SAST effectiveness for web developers.

Syllabus

Intro
Context: SAST and testability
CVE-2011-3357: File inclusion in Mantis bug tracker
Toward testability patterns
Research methodology: overview
Phase 1: Pattern creation and SAST measurement
Dataset
Prevalence
Pattern discovery: advantages
Manual Pattern Transformation
Semantic-preserving Transformations
Over-approximations
Developer-Assisted Transformations
Results upon transformations
Automated Pattern Transformation
Conclusion and next steps
Contact and credits


Taught by

OWASP Foundation
