Tuesday, January 24 • 4:50pm - 5:40pm
Make me a sandwich: Automating a custom SecDevOps pipeline


The Continuous Integration and Extreme Programming models, coupled with A/B testing, make it nearly impossible for security teams to keep up with the pace of development and to test all the possible software configurations exposed to the public.

Many organizations turn to automation for help, but fail to fully integrate it into all phases of their Software Development Lifecycle. Most rely inordinately on dynamic analysis tools, which cannot provide thorough code coverage and which run at the end of the development process, increasing the cost of finding and remediating vulnerabilities.

While security teams are aware of the benefits of automation, many lack exposure to the tools used in the development and build processes. Additionally, many security teams face budgetary constraints that prevent access to expensive software suites designed to find vulnerabilities in software, find the commercial tools lacking, or are simply unable to find software that supports the development languages or frameworks in use in their organizations.

This talk will cover how and where to integrate automation into common Version Control and Build Server software, such as Git, GitHub and Jenkins, allowing for testing throughout the SDLC and greater code coverage.

In this talk, attendees will also learn how to create custom static code analysis tools to find new vulnerabilities and prevent recurrences of known vulnerabilities. This will include how to create parsers and lexers, define grammars and walk parse trees.

Speakers

Patrick Albert

Director of Operations, Tinder
Military Veteran and Tech junkie with over a decade of experience in Technical Operations and Security. Long time supporter of the Infosec community, and Defcon Goon.

Tony Trummer

Director of Security Engineering, Tinder
Tony currently leads the Security team at Tinder in West Hollywood. As a penetration tester, Tony previously helped to start LinkedIn's AppSec program and later led their IR team. Tony has spoken at conferences around the world, including DefCon, BlackHat, AppSec Cali, AppSec USA...



Tuesday January 24, 2017 4:50pm - 5:40pm PST
Terrace Lounge