Bug Hunting with Static Code Analysis - Nick Jones
How do we make application security assessments more efficient? Finding and fixing security issues just before a release, when testing is often done, is time-consuming and expensive compared to finding them earlier in the development cycle. In addition, paying security consultants to find basic buffer overflows and SQL injection is slow and inefficient on large codebases. This talk covers a number of automated analysis techniques for spotting bugs and security flaws in applications at the source code level, ranging from quick and dirty bash scripts through open source and commercial analysers to custom implementations. After reviewing how these can be used as part of bug hunting and application security assessments, it then discusses how these techniques can be baked into continuous integration systems to catch bugs as early in the development cycle as possible.

Open Source Malware Lab - Robert Simmons

CppCon 2015: Jason Turner “The Current State of (free) Static Analysis”

DEF CON 32 - Anyone can hack IoT- Beginner’s Guide to Hacking Your First IoT Device - Andrew Bellini
[2019] The Absolute AppSec Secure Code Review Framework by Seth Law

Hidden in Plain Site: Disclosing Information via Your APIs - Peter Yaworski, Bugcrowd's LevelUp 2017

Side-Channel Attacks on Everyday Applications
Deserialization: what, how and why [not] - Alexei Kojenov - AppSecUSA 2018

What is Static Code Analysis? | AppSec 101

How to Analyze Code for Vulnerabilities

DEF CON 33 - Cash, Drugs, and Guns - Why Your Safes Aren't Safe - Mark Omo, James Rowley

Creator of C++: Bell Labs, Negative Overhead Abstraction, Mistakes | Bjarne Stroustrup

Tesla - Live Bug Hunting on Bugcrowd | Bug Bounty | Recon part 3

iOS Malware: Myth or Reality? - Julien Bachmann

How to Do Code Reviews Like a Human

Finding Vulnerabilities through Static Analysis and Scripting

Unite 2016 - Static Code Analysis: Preventing Bugs and Lag Before They Happen

Clean Coders Hate What Happens to Your Code When You Use These Enterprise Programming Tricks

James Kettle - Backslash Powered Scanning: Implementing Human Intuition

k20 - Attacking Secondary Contexts in Web Applications - Sam Curry