2015 - Static Analysis Security Testing for Dummies… and You
- Published 31 Jul 2024
- Most enterprise application security teams have at least one Static Analysis Security Testing (SAST) tool in their tool belt, but for many, the tool never leaves the belt. SAST tools have earned a reputation for being slow, error-prone, and difficult to use, and out of the box many of them are. With a little more knowledge of how these tools are designed, however, a SAST tool can be a valuable part of any security program.
In this talk, we'll help you understand the strengths and weaknesses of SAST tools by illustrating how they trace your code for vulnerabilities. You'll see out-of-the-box rules for commercial and open-source SAST tools, and learn how to write custom rules for the widely used open-source SAST tool PMD. We'll explain the value of customizing tools for your organization, and you'll learn how to integrate SAST technologies into your existing build and deployment pipelines. Lastly, we'll describe many of the common challenges organizations face when deploying a new security tool to security or development teams, as well as some helpful hints for resolving these issues.
Good introduction. Another reason why SASTs are hard is that the problem (like most of them in IT security) involves undecidability in the sense of computability theory. So they all "cheat" in various ways, and learning how this happens is an exercise in itself!
Very nice way of explaining
03:30 SAST, white-box testing; 06:26 agenda, Java; 07:23 advanced grep
finally at @8:35 we have a zoom on the slides :)
I'd love to get the PowerPoint for these
This dude needs to take a Duarte class on presenting
Very nice content, explains SAST very well. Is there a way I can have the PowerPoint being presented?
Same here, PowerPoint
@17:30 the cameraman, instead of zooming in on the slides, decides "enough of slides" and zooms in on the presenter
duhhhhh
sad