Static Analysis Can Be Useful (Computers Don't Get Bored)
Abstract
Static analysis tools often get a bad rap, particularly for security work. At best, they’re a useful (if dull) part of a code audit. At their worst, they’re a screed of insignificant warning messages which take longer to read than the original code. Right? Wrong! In the right hands, the best of these tools can help you get across a codebase more quickly, identifying areas of potential weakness and vulnerability. Best of all, the computer will happily read and consider every awfully-named variable in the entire Shoggoth of a codebase without getting bored or distracted. This talk will present a methodology for using these tools to help wade through a complex codebase, take a look at how to find security defects more quickly, and we’ll also craft some code snippets which will bypass the static analysers, so you can see what they can miss. The Python tool “Bandit” will be chosen for presenting examples, but the techniques are just as valid for any language or tool. Finally, for the devs (and potential devs) in the room, we’ll throw in a few pointers on how to make the universe a more secure place by contributing some code where it can do the most good.
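The "wade through a complex codebase" part of the methodology comes down to triage: getting a tool like Bandit to read everything, then ranking what it reports so a human reads the high-value findings first and deals with noisy checks once rather than per hit. The script below is an added example written for this page, not code from the talk or from the Bandit project. It assumes the shape of Bandit's `-f json` report (a `results` list whose entries carry `filename`, `line_number`, `test_id`, `issue_severity`, `issue_confidence` and `issue_text`); the embedded report is constructed for the example, not the output of a real scan, and the `ignore_prefixes` scope filter and severity/confidence scoring are this example's own conventions.

```python
"""Rank and bucket Bandit JSON findings so the most review-worthy hits surface first.

Added example (not from the talk or the Bandit project). Assumes the field names
of Bandit's `bandit -r <dir> -f json` report; SAMPLE_REPORT below is constructed.
"""
import json
from collections import Counter, defaultdict

# Constructed sample in the shape of a Bandit JSON report (not a real scan result).
SAMPLE_REPORT = json.dumps({
    "results": [
        {"filename": "src/auth.py", "line_number": 12, "test_id": "B105",
         "test_name": "hardcoded_password_string", "issue_severity": "LOW",
         "issue_confidence": "MEDIUM",
         "issue_text": "Possible hardcoded password: 'changeme'"},
        {"filename": "src/tools.py", "line_number": 40, "test_id": "B602",
         "test_name": "subprocess_popen_with_shell_equals_true",
         "issue_severity": "HIGH", "issue_confidence": "HIGH",
         "issue_text": "subprocess call with shell=True identified"},
        {"filename": "src/tools.py", "line_number": 58, "test_id": "B307",
         "test_name": "blacklist", "issue_severity": "MEDIUM",
         "issue_confidence": "HIGH",
         "issue_text": "Use of possibly insecure function - consider ast.literal_eval."},
        {"filename": "tests/test_tools.py", "line_number": 3, "test_id": "B101",
         "test_name": "assert_used", "issue_severity": "LOW",
         "issue_confidence": "HIGH", "issue_text": "Use of assert detected."},
        {"filename": "src/web.py", "line_number": 77, "test_id": "B608",
         "test_name": "hardcoded_sql_expressions", "issue_severity": "MEDIUM",
         "issue_confidence": "LOW",
         "issue_text": "Possible SQL injection vector through string-based query construction."},
    ],
})

# Bandit reports three levels for both severity and confidence.
LEVEL = {"LOW": 1, "MEDIUM": 2, "HIGH": 3}


def score(finding):
    """Severity times confidence: 9 for HIGH/HIGH down to 1 for LOW/LOW.
    Multiplying (rather than adding) pushes a HIGH-severity, LOW-confidence
    guess below a MEDIUM/HIGH finding the tool is actually sure about."""
    return LEVEL[finding["issue_severity"]] * LEVEL[finding["issue_confidence"]]


def load_findings(report_json, ignore_prefixes=("tests/",)):
    """Parse the report and drop findings under paths the reviewer has ruled
    out of scope (test code is the usual source of B101 'assert used' noise)."""
    data = json.loads(report_json)
    return [f for f in data.get("results", [])
            if not f["filename"].startswith(ignore_prefixes)]


def prioritise(findings):
    """Highest score first; ties broken by file then line so the order is
    stable and hits in one file sit together."""
    return sorted(findings, key=lambda f: (-score(f), f["filename"], f["line_number"]))


def hotspots(findings):
    """Score-weighted total per file: the files worth opening first."""
    weight = Counter()
    for f in findings:
        weight[f["filename"]] += score(f)
    return weight.most_common()


def by_check(findings):
    """Group by test_id so one noisy check can be accepted or suppressed once
    (e.g. via Bandit's own exclusion mechanisms) instead of per hit."""
    groups = defaultdict(list)
    for f in findings:
        groups[f["test_id"]].append(f)
    return dict(groups)


def render(findings):
    """One line per finding, best-first, in a form that is quick to scan."""
    return "\n".join(
        f"[{score(f)}] {f['filename']}:{f['line_number']} {f['test_id']} "
        f"{f['issue_severity']}/{f['issue_confidence']} {f['issue_text']}"
        for f in prioritise(findings))


if __name__ == "__main__":
    found = load_findings(SAMPLE_REPORT)
    print(render(found))
    print("\nhotspots:", hotspots(found))
    print("checks:", {k: len(v) for k, v in by_check(found).items()})
```

Point the same script at the JSON from a real `bandit -r <dir> -f json` run and the top of the list is where to start reading; `hotspots` tells you which files to open, and `by_check` shows which rules are generating volume so you can decide once whether a rule applies to this codebase at all. The scoring weights are deliberately simple; the point is that the machine does the exhaustive reading and the human spends attention where severity and confidence both say it is warranted.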