A Shock to the System: Static Analysis for Real AppSec

Static analysis (SA) is one of the few techniques that provide a low-level examination of source code. When SA is combined with DevOps automation and traditional pentesting, it can offer valuable insights that help with implementation and remediation efforts. Ineffective use, however, overwhelms development teams with false positives and causes dysfunctional communication with security teams. This talk goes over several toolkits for static analysis based on language and tech stack. After that, we will talk about how to use automation to create workflows for developers and application security engineers. We will conclude with the cultural transformations needed to make effective use of these tools and techniques.