»Static code analysis should work for developers, not for you«
2019-11-08, 14:30–14:55, Blue Day

Most commercial static analysis tools today are generic and ineffective. They are not developer oriented as they are built for security professionals. In this presentation, we’ll discuss how we made the process developer friendly by building a code analysis platform that provides relevant findings during code review, with the help of open source static analysis tools.

Most of the commercial static analysis tools today are generic, full of false positives, and are unfriendly to developers. These products try to cover every language, vulnerability type, and environment in every company. To appear effective, they focus on finding a long list of vulnerabilities that are only comprehensible to the security team. This exhaustive collection of low quality bugs doesn’t inspire developers to use the results to improve their code's security.

In this presentation, we’ll discuss how we made the process developer friendly. We built a static code analysis platform that only provides relevant findings during code review. We constantly improve the platform by adding custom tools through a plug-in model and by enhancing finding accuracy through triage and developer feedback. Finally, we’ll illustrate how this approach is a feasible option for companies of any size.

This session is ideal for blue team members passionate about making security developer friendly. Let’s discuss how to make static analysis more than just security theater.

See also: Slides