Free as in Beer: Building a low cost static analysis program
10-12, 17:00–17:50 (US/Pacific), The Point

Static analysis can be expensive, time consuming, full of false positives, a pain in the rear to manage multiple languages, and not very configurable. But no more! At Slack, we’ve designed a static analysis program which utilizes one free, highly configurable tool to scan over 60 different codebases in six languages and has saved us over $700,000 annually. Semgrep, an open source static analysis engine, uses highly configurable rules. Tuning these rules to our specific environment saves developer time while providing useful guard rails against dangerous code patterns. We’ve been able to reduce false positives by over 80%, and we’ve removed rules that don’t apply in our environment. Adding a new codebase to our scanning pipeline adds almost no additional overhead; we merely add one line to a file to enable the scans and review new results. Implementing our program this way has allowed us to meet our compliance requirements while providing a useful, low overhead static analysis program.

Scaling static analysis across languages and multiple codebases is a difficult process at best. Here we walk through our setup, which we've designed to be easy to maintain, trivial to add additional codebases, and provide few false positives. Plus, the primary tool we use is free, as in beer. Cheers.

Erin Browning is a computer security researcher. She has worked at Latacora as a senior engineer and HCSC as a red team member. Currently, she works at Slack in product security. She teamed up with @fbz to create the cryptography scarf puzzle for Hushcon 2019.

This speaker also appears in:

Staff security engineer at slack. Years of experience working on SAST, IAST, and implementing application security programs. In a previous life did infrastructure prod support and development testing.