Many companies use commercial static analysis tools (SAST) to find bugs, but these SAST tools tend to be expensive, have high false positive rates, and are difficult to customize. “Lightweight” static analysis tools hit a sweet spot that is more powerful than grep but still simple enough that you can write your own.

In this talk, we’ll describe how to create your own lightweight static analysis scripts using open source libraries and tools. Penetration testers can use these techniques to find bugs more effectively, and security engineers can integrate them into CI/CD checks to raise the security bar of the applications they support.

Clint Gibler is a Research Director at NCC Group, a global information assurance specialist providing organizations with security consulting services. He’s helped companies implement security automation and DevSecOps best practices as well as performed penetration tests for companies ranging from large enterprises to new startups.

Clint has previously spoken at conferences...

twitter @clintgibler

Daniel is a Ph.D. candidate at the University of California, Davis. His research focuses on developing scalable static analysis techniques to find error-handling defects in systems software. He has designed and implemented static analysis tools that have found hundreds of bugs in open-source software projects, including OpenSSL and the Linux kernel.

...

twitter @defreez

© 2023 ShellCon