Bringing Order to Static Analysis Security Testing

Event Feedback Form: https://forms.gle/BTiPzS2FKqp9FPHg8

Bringing Order to Static Analysis Security Testing

Software developers were always left with two hard choices, either use security tools that are not built for them, or use free/open-source tools that generate too many false positives and have poor coverage. One of the prime reasons for this dilemma is that traditionally the security workload was managed by application security teams who would find vulnerabilities and filter through false positives. Now with agile development and DevOps workflows, now there is no option for developers to opt out of secure development.

New technology called DataLog solves that problem in a fundamentally different way, giving developers new hope. During this presentation we will go over:
* how static code analysis has changed over the years
* how DataLog technology solves some of the inherent problems of static code analysis such as speed, accuracy and coverage
* how concepts like treating code as data, and partial evaluations are changing the game completely.

We will also introduce a new static code analysis tool called Reshift which is built on top of open source tools and leverages DataLog technology. Reshift is changing the bad reputation that static code analysis amassed over the years and now developers can finally have it all - accuracy, speed and coverage.

Presenter:

Sherif Koussa

Sherif Koussa is OWASP Ottawa Chapter Co-Leader, Software Developer, Hacker, and founder and CEO of Software Secured (https://www.softwaresecured.com) and Reshift (https://www.reshiftsecurity.com). In addition to contributing to OWASP Ottawa for over 14 years, Sherif contributed to WebGoat, and OWASP Cheat Sheets. Sherif also helped the SANS and GIAC organizations launch their GSSP-Java and GSSP-NET exams and contributed a few of their courses. After switching from the software development field to the security field, Sherif took on the mission of supporting developers shifting security left, and ship more secure code organically. Whether through training, penetration testing as a service or coaching development teams through shifting security, Sherif believes that any AppSec without the developer wouldn’t yield the best results. Sherif’s current venture, Reshift Security, is a static code analysis tool that is built for developers from the IDE, over to the code review and CI phases.