Many companies use commercial static application security testing (SAST) tools to find bugs, but
these tools tend to be expensive, have high false-positive rates, and are
difficult to customize. “Lightweight” static analysis tools hit a sweet spot
that is more powerful than grep but still simple enough that you can write your
In this talk, we’ll describe how to create your own lightweight static analysis
scripts using open source libraries and tools. Penetration testers can use these
techniques to find bugs more effectively, and security engineers can integrate them into CI/CD
checks to raise the security bar of the applications they
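As an added illustration of the kind of check the abstract describes (this is editor-supplied example code, not material from the talk or its authors), the script below is a small lightweight analyzer built on Python's standard-library `ast` module. It assumes the code under review is Python and scans a constructed sample snippet embedded inline. It flags `subprocess` calls that pass `shell=True` with a non-literal command, and bare `eval()`/`exec()` calls. Because it works on the syntax tree rather than text, it follows `import subprocess as sp` and `from subprocess import run as r` aliases that a grep for `subprocess` would miss, and it ignores the `shell=True` that appears only in a comment or a string literal, where grep would false-positive.

```python
"""Lightweight static analysis check using Python's standard-library ast module.
Editor-supplied example (not the talk's code). Assumption: the target is Python.
"""
from __future__ import annotations

import ast
from dataclasses import dataclass

# subprocess functions that accept shell=True
SUBPROCESS_FUNCS = {"call", "check_call", "check_output", "run", "Popen"}


@dataclass
class Finding:
    line: int
    rule: str
    message: str


class ShellInjectionVisitor(ast.NodeVisitor):
    """Walks the AST and records risky calls, resolving import aliases."""

    def __init__(self) -> None:
        self.findings: list[Finding] = []
        self.module_aliases = {"subprocess"}   # names bound to the subprocess module
        self.func_aliases: dict[str, str] = {}  # local name -> subprocess function

    def visit_Import(self, node: ast.Import) -> None:
        for alias in node.names:           # handles `import subprocess as sp`
            if alias.name == "subprocess":
                self.module_aliases.add(alias.asname or "subprocess")
        self.generic_visit(node)

    def visit_ImportFrom(self, node: ast.ImportFrom) -> None:
        if node.module == "subprocess":    # handles `from subprocess import run as r`
            for alias in node.names:
                if alias.name in SUBPROCESS_FUNCS:
                    self.func_aliases[alias.asname or alias.name] = alias.name
        self.generic_visit(node)

    def _resolve(self, func: ast.expr) -> str | None:
        """Return the subprocess function a call targets, or None."""
        if isinstance(func, ast.Attribute) and isinstance(func.value, ast.Name):
            if func.value.id in self.module_aliases and func.attr in SUBPROCESS_FUNCS:
                return func.attr
        if isinstance(func, ast.Name):
            return self.func_aliases.get(func.id)
        return None

    def visit_Call(self, node: ast.Call) -> None:
        target = self._resolve(node.func)
        if target is not None:
            shell = next((kw for kw in node.keywords if kw.arg == "shell"), None)
            if shell is not None and isinstance(shell.value, ast.Constant) and shell.value.value is True:
                cmd = node.args[0] if node.args else None
                # A string literal command has no injection surface; anything else does.
                if cmd is None or not isinstance(cmd, ast.Constant):
                    self.findings.append(Finding(node.lineno, "shell-injection",
                        f"subprocess.{target}() with shell=True and a non-literal command"))
        elif isinstance(node.func, ast.Name) and node.func.id in {"eval", "exec"}:
            self.findings.append(Finding(node.lineno, "dynamic-eval",
                f"call to {node.func.id}()"))
        self.generic_visit(node)


def analyze(source: str) -> list[Finding]:
    """Parse `source` and return findings in source order."""
    visitor = ShellInjectionVisitor()
    visitor.visit(ast.parse(source))
    return visitor.findings


# Constructed sample target, not real project code. Line numbers start at 1 on
# the blank line right after the opening quotes.
SAMPLE = '''
import subprocess as sp
from subprocess import run as r
import os

def ok(path):
    # literal command: no injection surface, so not reported
    sp.call("ls -l /tmp", shell=True)

def bad(user_input):
    sp.check_output("ls " + user_input, shell=True)   # line 11: reported
    r(f"cat {user_input}", shell=True)                # line 12: alias grep misses
    eval(user_input)                                  # line 13: reported

# shell=True in a comment: grep false-positives here, the AST check does not
msg = "never use shell=True"
'''

if __name__ == "__main__":
    for f in analyze(SAMPLE):
        print(f"line {f.line}: [{f.rule}] {f.message}")
```

Run as a script it prints one line per finding; in a CI check you would exit non-zero when `analyze()` returns anything. Extending it is a matter of adding visitor methods for further sinks (for example `os.system`), which is the customizability the abstract contrasts with commercial SAST.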
Clint Gibler is a Research Director at NCC Group, a global information assurance specialist providing organizations with security consulting services. He’s helped companies implement security automation and DevSecOps best practices...
Daniel is a Ph.D. candidate at the University of California, Davis. His research focuses on developing scalable static analysis techniques to find error-handling defects in systems software. He has designed...