Overview
Syllabus
Intro
Continuous Security
Practical Static Analysis
Why Static Analysis?
Tool Cycle
Enforce the Solution
Automate Enforcement
Continuous Integration
Code Review
Deployment Gate
Separate Process
Local Tests/Git Hook
1 - Identify a Problem
2 - Identify a Solution
Regular Expressions
Desired Flow
Bash
git diff --name-status
Multiple Rules
Create a Rule
Base Rule Class class Rule
Code to Run It
False Positives
False Negatives
Compilation vs. Static Analysis Input Program Text
S-Expressions
Ruby (RubyParser)
Python (Astroid) AstroidBuilder().string_build( get_survey(survey_id))
JavaScript (Esprima)
Bandit Custom Rule import bandit from bandit.core import test properties as test
Bandit Custom Warning
Brakeman Custom Check
Brakeman Custom Warning
Walking Esprima AST
Walking RubyParser AST
Summary
Thank you
Taught by
OWASP Foundation