Web Developers, Beware of the Tarpits for SAST in Your Code

OWASP Foundation via YouTube

Overview

Explore the challenges and solutions for Static Application Security Testing (SAST) in web development through this 47-minute conference talk. Delve into the concept of SAST testability, examining real-world examples like CVE-2011-3357 in the Mantis bug tracker. Learn about testability patterns and their creation process, including manual and automated transformations. Gain insights into research methodologies, pattern discovery advantages, and semantic-preserving techniques. Understand the importance of developer-assisted transformations and their impact on SAST results. Conclude with an overview of future steps in improving SAST effectiveness for web developers.

Syllabus

Intro
Context: SAST and testability
CVE-2011-3357: File inclusion in Mantis bug tracker
Toward testability patterns
Research methodology: overview
Phase 1: Pattern creation and SAST measurement
Dataset
Prevalence
Pattern discovery: advantages
Manual pattern transformation
Semantic-preserving Transformations
Over-approximations
Developer-Assisted Transformations
Results upon transformations
Automated pattern transformation
Conclusion and next steps
Contact and credits

Taught by

OWASP Foundation
