This information is from a previous year. Please visit shellcon.io for up-to-date information.
Many companies use commercial static application security testing (SAST) tools to find bugs, but these tools tend to be expensive, have high false-positive rates, and are difficult to customize. "Lightweight" static analysis tools hit a sweet spot: more powerful than grep, yet simple enough that you can write your own.
In this talk, we'll describe how to create your own lightweight static analysis scripts using open source libraries and tools. Penetration testers can use these techniques to find bugs more effectively, and security engineers can integrate them into CI/CD checks to raise the security bar of the applications they support.
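To make the "more powerful than grep, simple enough to write yourself" point concrete, here is an added example of the kind of script the abstract describes; it is not code from the talk or from NCC Group. It uses only Python's standard-library `ast` module: it parses a source file, walks the syntax tree, and reports calls to `eval`/`exec`, to `os.system`/`os.popen`, and to `subprocess` entry points invoked with `shell=True`. The rule names, the list of flagged calls, the alias resolution and the sample source are this example's own choices. Unlike grep, it does not fire on `shell=True` inside a comment or string literal, and it follows `from subprocess import check_output as co` so the aliased call is still caught. The caveat is the usual one for lightweight checks: there is no data-flow analysis, so `shell=flag` with a variable, or `**kwargs`, slips through, and that is the trade-off against a full SAST engine.

```python
"""Lightweight static analysis with the standard-library ast module.

Added example, not code from the talk or from NCC Group. Rule names and the
flagged call lists below are this example's own choices.
"""
import ast
import sys
from dataclasses import dataclass

# Calls that execute dynamically built code.
DYNAMIC_EXEC_CALLS = {"eval", "exec"}
# Calls that always hand their string argument to a shell.
ALWAYS_SHELL_CALLS = {"os.system", "os.popen"}
# subprocess entry points where shell=True makes a shell interpret the argument.
SHELL_CAPABLE_CALLS = {
    "subprocess.run", "subprocess.call", "subprocess.check_call",
    "subprocess.check_output", "subprocess.Popen",
}


@dataclass
class Finding:
    rule: str
    line: int
    detail: str


def dotted_name(node):
    """Return 'pkg.attr.attr' for a Name/Attribute chain, else None."""
    parts = []
    while isinstance(node, ast.Attribute):
        parts.append(node.attr)
        node = node.value
    if isinstance(node, ast.Name):
        parts.append(node.id)
        return ".".join(reversed(parts))
    return None


class RiskyCallVisitor(ast.NodeVisitor):
    """Collects findings; resolves `import x as y` and `from x import y as z`."""

    def __init__(self):
        self.aliases = {}   # local name -> fully qualified name
        self.findings = []

    def visit_Import(self, node):
        for alias in node.names:
            if alias.asname:
                self.aliases[alias.asname] = alias.name

    def visit_ImportFrom(self, node):
        if node.module:
            for alias in node.names:
                self.aliases[alias.asname or alias.name] = f"{node.module}.{alias.name}"

    def resolve(self, name):
        """Replace the leading component of a dotted name with its import target."""
        head, dot, rest = name.partition(".")
        return self.aliases.get(head, head) + dot + rest

    def visit_Call(self, node):
        name = dotted_name(node.func)
        if name:
            name = self.resolve(name)
            if name in DYNAMIC_EXEC_CALLS:
                self.findings.append(Finding("dynamic-exec", node.lineno, f"{name}()"))
            elif name in ALWAYS_SHELL_CALLS:
                self.findings.append(Finding("always-shell", node.lineno, f"{name}()"))
            elif name in SHELL_CAPABLE_CALLS:
                for kw in node.keywords:
                    if (kw.arg == "shell" and isinstance(kw.value, ast.Constant)
                            and kw.value.value is True):
                        self.findings.append(
                            Finding("shell-true", node.lineno, f"{name}(..., shell=True)"))
        self.generic_visit(node)   # keep walking: calls nest inside arguments


def scan_source(source, filename="<string>"):
    """Return the Findings for one Python source string, in source order."""
    visitor = RiskyCallVisitor()
    visitor.visit(ast.parse(source, filename=filename))
    return visitor.findings


# Constructed sample input for this example; the annotations give the line numbers.
SAMPLE = """\
import subprocess, os
from subprocess import check_output as co

def run(cmd):
    subprocess.run(cmd, shell=True)      # line 5: shell-true
    subprocess.run(["ls", "-l"])         # line 6: argv list, no shell, clean
    co(cmd, shell=True)                  # line 7: alias resolves to subprocess.check_output
    os.system("echo " + cmd)             # line 8: always-shell
    return eval(cmd)                     # line 9: dynamic-exec
"""


if __name__ == "__main__":
    # CI usage: python risky_calls.py a.py b.py ...  (exit 1 on any finding).
    # With no arguments it scans the constructed SAMPLE above.
    sources = []
    for path in sys.argv[1:]:
        with open(path, encoding="utf-8") as fh:
            sources.append((path, fh.read()))
    sources = sources or [("sample.py", SAMPLE)]
    total = 0
    for path, src in sources:
        for f in scan_source(src, path):
            print(f"{path}:{f.line}: [{f.rule}] {f.detail}")
            total += 1
    sys.exit(1 if total else 0)
```

Run against the sample it reports four findings on lines 5, 7, 8 and 9 and exits non-zero, which is the shape a CI gate wants; the line 6 call with an argv list and no `shell=` is correctly left alone. Adding a rule is a matter of appending to one of the sets or adding another `elif` branch in `visit_Call`, which is the customizability the abstract contrasts with commercial SAST.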
Clint Gibler is a Research Director at NCC Group, a global information assurance specialist providing organizations with security consulting services. He’s helped companies implement security automation and DevSecOps best practices...