Bug hunting with static code analysis

By Nick Jones on 8 July, 2016

Nick Jones presented "Bug hunting with static code analysis" at BSides London 2016. 

How do we make application security assessments more efficient? Finding and fixing security issues just before a release, when testing is often done, is time consuming and expensive when compared to finding issues earlier in the development cycle. In addition, paying security consultants to find basic buffer overflows and SQL injection can be time consuming and inefficient on large codebases. 

This talk covers a number of automated analysis techniques for spotting bugs and security flaws in applications at the source code level, ranging from quick and dirty bash scripts through open source and commercial analysers to custom implementations. After reviewing how these can be used as part of bug hunting and application security assessments, it then discusses how these techniques can be baked into continuous integration systems to catch bugs as early in the development cycle as possible.