Overview
Explore the world of Static Analysis Security Testing (SAST) in this 43-minute LASCON conference talk. Gain insights into the strengths and weaknesses of SAST tools, learn how they trace code for vulnerabilities, and discover ways to customize and integrate them into existing build and deployment pipelines. Understand out-of-the-box rules for commercial and open-source SAST tools, and learn to write custom rules for the popular open-source tool, PMD. Delve into topics such as Java workflow, framework analysis, pattern matching, and data flow analysis. Address common challenges organizations face when deploying new security tools and find helpful solutions to overcome them. By the end of this talk, acquire the knowledge to effectively leverage SAST tools as a valuable component of your security program.
Syllabus
Introduction
Why do we need tools?
Static Analysis
Assumptions
Workflow
Java Workflow
Framework Analysis
Pattern Matching
Data Flow Analysis
Benefits of Analysis
Why does Static Analysis take so long?
Postprocessing
PMD
PMD Rule
PMD Designer
Writing the Rule
Taught by
LASCON