Practical static analysis for continuous application security
Static code analysis tools, which attempt to determine what code does without actually running it, provide an excellent opportunity to perform lightweight security checks as part of the software development lifecycle. Unfortunately, building generic static analysis tools, especially for security, is a costly, time-consuming effort. As a result, very few tools exist and commercial tools are very expensive. On top of that, commercial tools are often not built for continuous integration, and they may not support the languages and frameworks you use.
The good news is that building targeted static analysis tools for your own environment, with rules specific to your needs, is much easier! This workshop will go through straightforward options for static analysis, from grep, to writing rules for existing tools, to writing your very own static analysis tool.
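As an added illustration of the grep-to-own-tool progression described above (example code written for this page, not part of the workshop's materials), the snippet below implements one targeted rule two ways: a grep-style regex and a small Python AST visitor. The rule, the `subprocess` / `shell=True` pattern, and the sample source it runs over are all constructed for this example.

```python
"""A single targeted static analysis rule, written first as grep, then as an AST check."""
import ast
import re
from dataclasses import dataclass

# Constructed sample source: one dead (commented-out) call that a grep-style check
# still matches, one real finding (shell=True with a dynamically built command),
# and one call that is fine.
SAMPLE_SOURCE = '''
import subprocess
# subprocess.run(cmd, shell=True)   # dead code, but grep still matches it
def build(user_input):
    return subprocess.run("make " + user_input, shell=True)
def listing():
    return subprocess.run(["ls", "-l"])
'''

@dataclass
class Finding:
    line: int
    rule: str
    message: str

def grep_rule(source: str) -> list[Finding]:
    """Level 1: a regex over raw lines. Cheap, but cannot tell code from comments."""
    pattern = re.compile(r"shell\s*=\s*True")
    return [Finding(n, "grep", "shell=True found")
            for n, text in enumerate(source.splitlines(), 1) if pattern.search(text)]

class ShellTrueVisitor(ast.NodeVisitor):
    """Level 2: an AST rule. Flags subprocess.<fn>(cmd, shell=True) only when cmd
    is not a plain string literal, so constant commands and comments are skipped."""
    def __init__(self) -> None:
        self.findings: list[Finding] = []
    def visit_Call(self, node: ast.Call) -> None:
        func = node.func
        is_subprocess = (isinstance(func, ast.Attribute) and isinstance(func.value, ast.Name)
                         and func.value.id == "subprocess")
        shell_true = any(kw.arg == "shell" and isinstance(kw.value, ast.Constant)
                         and kw.value.value is True for kw in node.keywords)
        if is_subprocess and shell_true and node.args:
            cmd = node.args[0]
            if not (isinstance(cmd, ast.Constant) and isinstance(cmd.value, str)):
                self.findings.append(Finding(node.lineno, "ast", "shell=True with non-literal command"))
        self.generic_visit(node)  # keep walking nested calls

def ast_rule(source: str) -> list[Finding]:
    visitor = ShellTrueVisitor()
    visitor.visit(ast.parse(source))
    return visitor.findings

if __name__ == "__main__":
    for f in grep_rule(SAMPLE_SOURCE) + ast_rule(SAMPLE_SOURCE):
        print(f"{f.rule}: line {f.line}: {f.message}")
```

Running it shows the grep rule reporting both the dead comment and the real call, while the AST rule reports only the real one; in CI the list of findings is what you would turn into a non-zero exit status.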