Many companies use commercial static analysis tools (SAST) to find bugs, but these SAST tools tend to be expensive, have high false positive rates, and are difficult to customize. “Lightweight” static analysis tools hit a sweet spot that is more powerful than grep but still simple enough that you can write your own.

In this talk, we’ll describe how to create your own lightweight static analysis scripts using open source libraries and tools. These techniques can be used by penetration testers to more effectively find bugs and/or integrated into CI/CD checks by security engineers to raise the security bar of the applications they support.

Clint Gibler

Clint Gibler is a Research Director at NCC Group, a global information assurance specialist providing organizations with security consulting services. He’s helped companies implement security automation and DevSecOps best practices...
Read More

• Twitter: @clintgibler

Daniel DeFreez

Daniel is a Ph.D. candidate at the University of California, Davis. His research focuses on developing scalable static analysis techniques to find error-handling defects in systems software. He has designed...
Read More

• Twitter: @defreez