Augmenting Penetration Testing with Lightweight Static Analysis

Have you ever run an open source or commercial static analysis tool to help you find bugs in a code base, only to have it spit out more “findings” than atoms in the observable universe? Have you ever muttered unkind words about security vendor engineers into your whiskey glass before downing it, in an unsuccessful attempt to drown your sorrows?

We feel your pain. In our security consulting work, we’ve seen firsthand how difficult it can be to get value from security scanning tools, both when we’ve used them as well as when our clients have.

But believe it or not, static analysis can actually be pretty useful. For instance, you can:

  • Search for secrets in source code by grepping only string literals, ignoring code constructs (like method, class, and variable names as well as comments) that are noisy and clutter your results.
  • Find missing access control checks by searching for controller endpoints that don’t call a given authorization method.
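The two checks above, as an added example that is not part of the talk or its tool: a Python `ast`-based scan over a constructed Flask-style module (the `SAMPLE_MODULE` text, the `@app.route` decorator convention, the AWS-key-shaped regex and the credential-looking variable names are all assumptions chosen for illustration). Only `ast.Constant` string nodes are examined for secrets, so comments and identifiers cannot produce noise, and a route handler is reported when no call to the named authorization function appears anywhere in its body.

```python
import ast
import re

# Constructed sample module (not from the talk): a Flask-style controller
# with two hard-coded credentials and one admin route that skips its authz check.
SAMPLE_MODULE = '''
import os

# old key AKIAIOSFODNN7EXAMPLE lives only in this comment and must not be reported
API_KEY = "AKIAIOSFODNN7EXAMPLE"
db_password = "hunter2"
greeting = "hello world"

def require_admin():
    pass

@app.route("/admin/users")
def list_users():
    require_admin()
    return "ok"

@app.route("/admin/delete")
def delete_user():
    return "deleted"

def helper():
    return 1
'''

# Constructed patterns: an AWS-style access key id shape, and variable names
# that suggest the assigned string literal is a credential.
SECRET_VALUE_PATTERNS = [re.compile(r"AKIA[0-9A-Z]{16}")]
SECRET_NAME_PATTERN = re.compile(r"password|secret|token|api_key", re.IGNORECASE)


def find_secret_literals(source):
    """Return sorted (lineno, value) pairs for string literals that look like secrets.

    Only ast.Constant string nodes are inspected, so identifiers, comments and
    other syntax never produce a match.
    """
    hits = set()
    for node in ast.walk(ast.parse(source)):
        if isinstance(node, ast.Assign) and _is_str(node.value):
            # Credential-looking variable assigned a literal, e.g. db_password = "..."
            for target in node.targets:
                if isinstance(target, ast.Name) and SECRET_NAME_PATTERN.search(target.id):
                    hits.add((node.lineno, node.value.value))
        elif _is_str(node) and any(p.search(node.value) for p in SECRET_VALUE_PATTERNS):
            # Literal whose content has a known secret shape, wherever it appears
            hits.add((node.lineno, node.value))
    return sorted(hits)


def find_unprotected_routes(source, route_prefix="/admin", auth_func="require_admin"):
    """Return names of route handlers under route_prefix that never call auth_func."""
    unprotected = []
    for func in ast.walk(ast.parse(source)):
        if not isinstance(func, ast.FunctionDef):
            continue
        path = _route_path(func)
        if path is None or not path.startswith(route_prefix):
            continue
        callees = {_callee_name(c.func) for c in ast.walk(func) if isinstance(c, ast.Call)}
        if auth_func not in callees:
            unprotected.append(func.name)
    return unprotected


def _is_str(node):
    return isinstance(node, ast.Constant) and isinstance(node.value, str)


def _route_path(func):
    """Path argument of an @something.route("...") decorator (assumed Flask style), or None."""
    for dec in func.decorator_list:
        if (isinstance(dec, ast.Call) and isinstance(dec.func, ast.Attribute)
                and dec.func.attr == "route" and dec.args and _is_str(dec.args[0])):
            return dec.args[0].value
    return None


def _callee_name(expr):
    """Bare name of a called function: foo() -> "foo", obj.foo() -> "foo"."""
    if isinstance(expr, ast.Name):
        return expr.id
    if isinstance(expr, ast.Attribute):
        return expr.attr
    return None


if __name__ == "__main__":
    print(find_secret_literals(SAMPLE_MODULE))      # [(5, 'AKIAIOSFODNN7EXAMPLE'), (6, 'hunter2')]
    print(find_unprotected_routes(SAMPLE_MODULE))   # ['delete_user']
```

Both checks are deliberately syntactic: a `grep` for the key shape would also fire on the comment, and a text search for `require_admin` would not tell you which handler is missing it, whereas working on the tree gives you exactly the literal or function in question with its line number.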

While many commercial SAST tools seem overly heavyweight and return too many false positives, there are a number of lightweight static analysis techniques that can be high signal and are simple enough that you can “roll your own.”

We’ll present an overview as well as implementation details of how static analysis tools work, giving you insight into SAST tool internals and enabling you to build your own. We’ll cover:

  • Lexing, parsing, and constructing abstract syntax trees (ASTs)
  • Detecting taint analysis-type vulnerabilities (e.g. XSS, SQLi, command injection, ...) - sources, sinks, transfer, and cleanse functions
  • Static analysis challenges - supporting many languages, dynamic typing, eval/reflection constructs, container types, path explosion, aliasing, and precision vs. memory and speed trade-offs
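The source / sink / transfer / cleanse model from the second bullet, carried through on a Python AST as an added example that is not the talk's tool: the `SAMPLE_HANDLERS` text and the `SOURCES`, `SINKS` and `SANITIZERS` lists are constructed for illustration. Taint enters at a source call, propagates through assignment, string concatenation and f-strings (transfer), is removed by a cleanse function, and is reported when it reaches a sink argument. The tracker is intraprocedural and walks each function body in statement order without merging branches, which is one concrete place the precision versus speed trade-off in the third bullet shows up.

```python
import ast

# Constructed sample (not from the talk): four handlers with different taint flows.
SAMPLE_HANDLERS = '''
import os, shlex
from flask import request

def vuln():
    name = request.args.get("name")      # source
    cmd = "ls " + name                    # transfer: taint propagates through concatenation
    os.system(cmd)                        # sink reached by tainted data

def safe():
    name = request.args.get("name")
    cmd = "ls " + shlex.quote(name)       # cleanse: shlex.quote strips the taint
    os.system(cmd)

def unrelated():
    name = request.args.get("name")
    os.system("ls /tmp")                  # sink, but its argument is a clean literal

def fstring():
    name = input()                        # another source
    os.system(f"ls {name}")               # transfer through an f-string
'''

# Hand-picked lists; a real check would load these from a per-framework config.
SOURCES = {"request.args.get", "input"}
SINKS = {"os.system", "subprocess.call", "cursor.execute"}
SANITIZERS = {"shlex.quote", "html.escape"}


def dotted_name(expr):
    """Render a Name/Attribute chain such as request.args.get as a dotted string."""
    parts = []
    while isinstance(expr, ast.Attribute):
        parts.append(expr.attr)
        expr = expr.value
    if isinstance(expr, ast.Name):
        parts.append(expr.id)
        return ".".join(reversed(parts))
    return None


def is_tainted(expr, tainted):
    """True if evaluating expr may yield attacker-controlled data, given tainted variable names."""
    if isinstance(expr, ast.Name):
        return expr.id in tainted
    if isinstance(expr, ast.Call):
        callee = dotted_name(expr.func)
        if callee in SOURCES:
            return True
        if callee in SANITIZERS:
            return False                      # cleanse function: its result is treated as clean
        # Unknown callee: conservatively assume it passes taint through from its arguments
        return any(is_tainted(a, tainted) for a in expr.args)
    if isinstance(expr, ast.BinOp):           # e.g. "ls " + name
        return is_tainted(expr.left, tainted) or is_tainted(expr.right, tainted)
    if isinstance(expr, ast.JoinedStr):       # f-string: tainted if any interpolated part is
        return any(is_tainted(v.value, tainted)
                   for v in expr.values if isinstance(v, ast.FormattedValue))
    # Constants and any expression form not modelled here are treated as clean
    # (a precision-over-soundness choice that keeps the checker small).
    return False


def find_taint_flows(source):
    """Intraprocedural, statement-order taint tracking for each function in source.

    Returns (function name, line number, sink) for every sink call fed tainted data.
    """
    findings = []
    for func in ast.walk(ast.parse(source)):
        if not isinstance(func, ast.FunctionDef):
            continue
        tainted = set()
        for stmt in func.body:
            if isinstance(stmt, ast.Assign):
                for target in stmt.targets:
                    if isinstance(target, ast.Name):
                        if is_tainted(stmt.value, tainted):
                            tainted.add(target.id)
                        else:
                            tainted.discard(target.id)   # reassignment with clean data kills taint
            for call in ast.walk(stmt):
                if isinstance(call, ast.Call) and dotted_name(call.func) in SINKS:
                    if any(is_tainted(a, tainted) for a in call.args):
                        findings.append((func.name, call.lineno, dotted_name(call.func)))
    return findings


if __name__ == "__main__":
    for name, line, sink in find_taint_flows(SAMPLE_HANDLERS):
        print(f"{name}:{line} tainted data reaches {sink}")
```

Run stand-alone it reports only `vuln` and `fstring`; `safe` is cleared because the sanitizer breaks the chain, and `unrelated` because the sink's argument never depended on the source. Extending the check to a new framework is a matter of adding names to the three sets, which is the kind of "roll your own" customisation the abstract has in mind.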

We’ll release a free tool that makes writing custom static analysis checks easy, and guide attendees through hands-on exercises where you’ll tackle real-world problems.

Time permitting, we’ll also give a brief tour of other types of program analysis - fuzzing, symbolic execution, model checking, and more - covering, in essence, all the ways you can build tools to find bugs.

Clint Gibler

Dr. Clint Gibler is a senior security consultant and research director at NCC Group, a global information assurance specialist providing organizations with security consulting services. By day, he performs penetration tests of web applications, mobile apps, and networks for companies ranging from large enterprises to new startups. Clint is also a co-founder of Practical Program Analysis LLC.

Clint has spoken at a number of conferences, including BlackHat USA, AppSec EU, AppSec Cali, Virus Bulletin, and others. Clint holds a Ph.D. in Computer Science from the University of California, Davis, where his research focused on mobile security.

Daniel DeFreez

Daniel DeFreez is a co-founder of Practical Program Analysis LLC, a boutique security firm specializing in building security tools that make pen testers and security engineers more efficient. Daniel is also currently a PhD student at the University of California, Davis, where his research focuses on developing program analysis techniques to find bugs in the Linux kernel.