A Shock to the System: Static Analysis for Real AppSec
Static analysis (SA) is one of the few techniques that provides a low-level examination of source code. When SA is combined with DevOps automation and traditional pentesting, it can offer valuable insights that help with implementation and remediation efforts. Ineffective use, however, overwhelms development teams with false positives and causes dysfunctional communications with security teams. This talk goes over several toolkits for static analysis based on language and tech stack. After that, we will talk about how to use automation to create workflows for developers and application security engineers. We will conclude with cultural transformations needed to make effective use of these tools and techniques.
Ochaun (pronounced O-shawn) Marshall is an application security consultant. In his roles at Secure Ideas, he works on ongoing development projects utilizing Amazon Web Services and breaks other people's web applications. When he is not swallowing gallons of the DevOps Kool-Aid, he can be found blasting J Cole while hacking, blogging, and coding. He covers everything he does with the signature phrase: I code; I teach; I hack.