Bug Hunting with Static Code Analysis - Nick Jones
Вставка
- Опубліковано 2 лип 2016
- How do we make application security assessments more efficient? Finding and fixing security issues just before a release, when testing is often done, is time consuming and expensive when compared to finding issues earlier in the development cycle. In addition, paying security consultants to find basic buffer overflows and SQL injection can be time consuming and inefficient on large codebases.
This talk covers a number of automated analysis techniques for spotting bugs and security flaws in applications at the source code level, ranging from quick and dirty bash scripts through open source and commercial analysers to custom implementations. After reviewing how these can be used as part of bug hunting and application security assessments, it then discusses how these techniques can be baked into continuous integration systems to catch bugs as early in the development cycle as possible. - Наука та технологія
02:10 statis analysis 02:58 how we do code reviews 04:50 we use static code analysis tools, commercial tools get really expensive 06:48 regular languages that can be parsed by regular expressions 09:35 regexp can't count, no way to maintain state, cannot back trace 10:37 regexp are not designed for parsing programming languagues 10:55 parser 13:07 example 13:56 AST 14:38 control-flow graph 19:14 parsers, downside 19:51 the bigger picture 23:36 tools, flawfinder, Graudit, RATS, RIPS, Brakeman 25:06 build your ownm librairies platform, clang, PLY, pyparsing
Thank you, awesome video
Thanks for sharing very useful video
Very interesting