Continuous Delivery vs. Security Assurance
By : Abdessamad TEMMAR
About me
• Abdessamad TEMMAR
• Application Security Engineer (Siris Advisory)
• Ex – full time Pentester
• OWASP Contributor
What is this talk all about ?
[Diagram: DevOps teams, automated attacks, AppSec team]
Appsec Toolbelt
• SCA : Dependencies Analysis
• DAST (Dynamic) : Scans interface of running application
• SAST (Static) : Scans source code / binaries
• IAST (Interactive) : Detection at runtime
What is static analysis ?
[Diagram: Source/Byte Code → Analysis (driven by scanning rules: SQLi, XSS, etc.) → Findings]
Why static analysis ?
• Easy to automate/integrate
• Run anytime
• Fast
• Points directly to suspect code
Which SAST tool ?
Hunting Bugs To Extinction with Static Analysis
The problem :
• An insecure usage of an external API : download_file
• We want to identify the same issue across the whole application, and avoid it in future changes.
download_file(file_id = id, search_type = "file_id")
download_file(file_id = id, search_type = "path")
Sec4dev 2021  - Catch Me If You can : Continuous Delivery vs. Security Assurance
The solution : scan only the files changed by each PR (File 1, File 2, ...).
Success criteria : accuracy, speed, ease of use.
Option 1 : grep to the rescue
$ more scan_changed_files.sh
# Check out the revision under review, keep only the files added (A) or
# modified (M) compared to master, and grep just those for the unsafe call.
git checkout "$@" --quiet
files=$(git diff --name-status master HEAD | grep -E "^(A|M)" | cut -f 2)
# single quotes so the double quotes around "path" stay part of the pattern;
# $files is left unquoted on purpose so each file name becomes an argument
grep 'download_file(.*, search_type = "path")' $files
$ git diff --name-status
A README.md
M lib/blah.py
D test/new_stuff.yml
• False Positives
# Remember not to use download_file(file_id, search_type = "path") !
...
def download_file(file_id, search_type = "path"):
...
Option 1 : grep to the rescue
• Pro :
• Easy to use
• Easy to understand
• Interactive
• Cons :
• Line-oriented
• Mismatch with program structure (trees, ASTs)
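To make the line-oriented vs. tree-structured contrast concrete, here is an added example (not from the talk) that runs a grep-style regex and a Python ast walk over the same constructed snippet, which contains the comment and def false positives shown above; the AST pass also covers the positional form download_file(id, "path"), which the regex misses.

```python
import ast
import re

# Constructed sample: the two grep false positives from the slide plus three real call sites.
SAMPLE = '''
# Remember not to use download_file(file_id, search_type = "path") !
def download_file(file_id, search_type = "path"):
    ...

def handler(id):
    safe = download_file(file_id = id, search_type = "file_id")
    risky = download_file(file_id = id, search_type = "path")
    also_risky = download_file(id, "path")
'''

# The slide's grep pattern as a Python regex, applied one line at a time.
GREP_PATTERN = re.compile(r'download_file\(.*search_type = "path"\)')

def grep_findings(src):
    """Line-oriented check: 1-based numbers of the lines whose text matches."""
    return [n for n, line in enumerate(src.splitlines(), 1) if GREP_PATTERN.search(line)]

def _search_type(call):
    """Literal search_type of a call, passed by keyword or as 2nd positional argument."""
    for kw in call.keywords:
        if kw.arg == "search_type" and isinstance(kw.value, ast.Constant):
            return kw.value.value
    if len(call.args) > 1 and isinstance(call.args[1], ast.Constant):
        return call.args[1].value
    return None

def ast_findings(src):
    """Tree-based check: only real Call nodes to download_file with search_type == "path"."""
    return [node.lineno for node in ast.walk(ast.parse(src))
            if isinstance(node, ast.Call) and isinstance(node.func, ast.Name)
            and node.func.id == "download_file" and _search_type(node) == "path"]

if __name__ == "__main__":
    print("grep:", grep_findings(SAMPLE))  # [2, 3, 8]: comment and def are false positives; line 9 is missed
    print("ast: ", ast_findings(SAMPLE))   # [8, 9]: the two real unsafe call sites
```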
[Figure: String (a line of text) vs. Tree (program structure)]
Option 2 : AST
[Diagram: Source/Byte Code → Intermediate representations (Abstract Syntax Tree) → Analysis]
Option 2 : AST based
[Diagram: a compiler pipeline (program text → lexical analysis → semantic analysis → convert to intermediate form → optimize → output compiled code) next to AST analysis (program text → parse into AST → analyze against rules such as Rule 1 : XSS, Rule 2 : SQLi → output finding report)]
Option 2 : bandit module
import bandit
from bandit.core import test_properties as test

@test.checks('Call')
@test.test_id('B001')
def unsafe_get_userinfo(context):
    # Only calls to download_file are of interest (name as resolved by bandit)
    if context.call_function_name_qual != 'download_file':
        return None
    # search_type may be given as a keyword (search_type="path", as in the calls on
    # the earlier slides) or as the second positional argument; indexing call_args[1]
    # blindly misses the keyword form and raises on calls with fewer positional args
    search_type = context.get_call_arg_value('search_type')
    if search_type is None and len(context.call_args) > 1:
        search_type = context.call_args[1]
    if search_type == 'path':
        return bandit.Issue(
            severity=bandit.HIGH,
            confidence=bandit.HIGH,
            text="Unsafe usage of download_file."
        )
    return None
Option 2 : AST
• Pros :
• Robust analysis
• Cons :
• Learning curve
• Where did the data originate from ?
Option 3 : Dataflow
• Infer run-time (dynamic) facts about the data flowing through the program without executing it, from its static code
• Sources :
• Origin of data
• Arbitrary inputs
• Sinks :
• Dangerous functions
• Exploitable targets
Option 3 : Source & Sink example
import os
def nslookup(request):
    domain = request.GET['domain']       # source: attacker-controlled query parameter
    os.system("nslookup " + domain)      # sink: shell command built from the unsanitized value
Option 3 : Dataflow
[Diagram: List of Sources + List of Sinks → Analysis → Findings]
Option 3 : Dataflow
List inputs = Find_Interactive_Inputs();
List download_file_calls = All.Find_By_Name("download_file");
download_file_calls = download_file_calls.FindByParameterValue(1, "path", BinaryOperator.Equal);
List absolutePathTraversalSanitizers = Find_Absolute_PathTraversal_Sanitizers();
result = inputs.InfluencingOnAndNotSanitized(download_file_calls, absolutePathTraversalSanitizers);
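An added, deliberately small illustration (not the talk's query engine or any real tool) of what that query computes: an intra-procedural taint pass over Python functions, with request.GET / request.POST subscripts as sources, os.system and download_file(..., search_type="path") as sinks, and shlex.quote standing in for a sanitizer; all of these names are assumptions chosen for the demo.

```python
import ast
# Constructed sample: the talk's nslookup snippet, a sanitized variant, and download_file fed a tainted id.
SAMPLE = '''
def nslookup(request):
    domain = request.GET['domain']
    os.system("nslookup " + domain)

def nslookup_fixed(request):
    domain = shlex.quote(request.GET['domain'])
    os.system("nslookup " + domain)

def serve(request):
    id = request.GET['id']
    download_file(file_id = id, search_type = "path")
    download_file(file_id = id, search_type = "file_id")
'''

SOURCES = {"GET", "POST"}     # request.GET[...] / request.POST[...] = attacker-controlled input
SANITIZERS = {"shlex.quote"}  # assumed: a call whose result is treated as clean

def _qualname(func):
    """Dotted name of a call target: os.system -> "os.system", f -> "f"."""
    if isinstance(func, ast.Name):
        return func.id
    if isinstance(func, ast.Attribute) and (base := _qualname(func.value)):
        return f"{base}.{func.attr}"
    return None

def _is_tainted(node, tainted):
    """True if the expression carries source data that never passed a sanitizer."""
    if isinstance(node, ast.Call) and _qualname(node.func) in SANITIZERS:
        return False
    if (isinstance(node, ast.Subscript) and isinstance(node.value, ast.Attribute)
            and node.value.attr in SOURCES):
        return True
    if isinstance(node, ast.Name):
        return node.id in tainted
    # concatenation, f-strings, .format() and nested calls all propagate taint
    return any(_is_tainted(c, tainted) for c in ast.iter_child_nodes(node))

def _sink_arg(call):
    """The argument that must be clean if this call is a sink, else None."""
    name = _qualname(call.func)
    if name == "os.system" and call.args:
        return call.args[0]
    kws = {kw.arg: kw.value for kw in call.keywords}
    if name == "download_file" and getattr(kws.get("search_type"), "value", None) == "path":
        return call.args[0] if call.args else kws.get("file_id")
    return None

def find_taint_flows(src):
    """(function, line) of each sink call fed by unsanitized source data; straight-line bodies only."""
    findings = []
    for fn in [n for n in ast.walk(ast.parse(src)) if isinstance(n, ast.FunctionDef)]:
        tainted = set()
        for stmt in fn.body:
            if isinstance(stmt, ast.Assign):
                names = {t.id for t in stmt.targets if isinstance(t, ast.Name)}
                tainted = tainted | names if _is_tainted(stmt.value, tainted) else tainted - names
            for call in [n for n in ast.walk(stmt) if isinstance(n, ast.Call)]:
                arg = _sink_arg(call)
                if arg is not None and _is_tainted(arg, tainted):
                    findings.append((fn.name, call.lineno))
    return findings
```

Calling find_taint_flows(SAMPLE) reports the nslookup sink and the path-mode download_file call, and stays quiet for the shlex.quote variant and the "file_id" call.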
Option 3 : Dataflow
• Pro :
• Unified syntax to write scanning rules for different languages
• Tracking data flow for deep analysis
• Cons :
• Learning curve : very hard to tune
• Distance between concrete code and corresponding representation
• Very slow for large code bases
• For projects > 2 Gb : an incremental scan costs as much as a normal scan
• Libraries/frameworks = unknown sources
Option 3 : syntactical-(and semantic)-grep
• Free tool for writing lightweight checks with code patterns to find bugs, using a familiar syntax.
• An in-between solution
• Good support : Go · Java · JavaScript · JSON · Python · Ruby
• Beta : TypeScript · JSX · TSX
$ semgrep --lang python -e 'subprocess.open(...)' /path/to/my/project
Option 3 : syntactical-(and semantic)-grep
$ more rules.yaml
rules:
  - id: unsafe-usage-download_file
    pattern: download_file($X, search_type = "path")
    message: Unsafe usage of download_file method
    languages: [python]
    severity: WARNING
$ docker run --rm -v $(pwd):/home/repo returntocorp/semgrep -f rules.yaml file.py
Option 3 : syntactical-(and semantic)-grep
• Pros :
• Fast
• Easy to learn
• Cons :
• We can't track data over multiple files
                           Lightweight / Basic Check   AST/CFG/… Complex Check
Custom security policies   +++                         ++
Ease of use                +++                         +
Analysis speed             +++                         +
Code coverage              ++                          +++
To sum up …
It's not all about detecting issues …
• Remember : the goal is to write secure apps …
• "Tools can't find every bug (FNs) … trying to will yield way too many FPs" - @clintgibler
• The rise of secure-by-default frameworks !
• Angular : grep dangerouslySetInnerHTML
Advances in Secure Coding Frameworks - Jim Manico - AppSec California 2016
It's not all about detecting issues …
                           Lightweight / Basic Check   AST/CFG/… Complex Check   Lightweight / Basic Check + Secure by default
Custom security policies   +++                         ++                        +++
Ease of use                +++                         +                         +++
Analysis speed             +++                         +                         +++
Code coverage              +                           +++                       ++
What does the future hold for us ?
[Chart: analogy between computations per second over the years (electromechanical, vacuum tube, transistor, integrated circuit; 10 to 10^14; 2010, 2015, 2030) and the speed x accuracy of lightweight static analysis vs. AST/CFG analysis]
THANKS!
Any questions?
You can find me at :
TWITTER : @abdel_tmr
LINKEDIN : /in/abdessamad-temmar/
