Rob Ragan
Most programmers don't have software security knowledge. Even if an
organization sends their programmers to software security training, old
habits are hard to break. Why not automate the process of finding security
vulnerabilities in code? Static analysis is the process of analyzing code
without executing it. This presentation will cover the internal workings of
advanced static analysis tools, focusing specifically on using static
analysis to find security vulnerabilities in web applications. Static
analysis tools take source code as input and build a model of the program,
then perform analysis on the program model, and finally output results.
Various techniques will be reviewed including lexical parsing, semantic
analysis, control flow, and data flow analysis. In addition to common
techniques such as applying compiler theory, some new algorithms will be
discussed. To demonstrate the process, some manual vulnerability analysis
will be performed on .NET assemblies.
Prerequisites:
Web security knowledge
Software development experience
.NET experience