secappdev.org's video: Applying static analysis - Matias Madou and Daan Raman

Where architectural analysis finds flaws (design) in the application, static analysis is an excellent way of weeding out the bugs (implementation). However, static analysis is neither trivial from a theoretical nor from a practical perspective. In this session, we will discuss the theory behind static analysis as well as how to tune static analysis in such way that the solution becomes an excellent way to weed out security bugs in your organization. In this talk, we will talk about: + The importance of static analysis + Positioning of static analysis into the SDLC + Key difference between static analysis and penetration testing + Manual code review vs static analysis + Static Analysis Theory + Static Analysis in Practice + Working static analysis into the development process This lecture was delivered at SecAppDev 2015 in Leuven, Belgium. Matias Madou has over a decade of hands-on software security experience. From the research to improve existing solutions to scoping and providing the vision for new solutions. A dozen patents and a bunch of papers are the result of the fundamental research that eventually led to a handful of commercial products. He holds a Ph.D. in computer engineering from Ghent University, where he studied application security through program obfuscation to hide the inner workings of an application. He spent 7 years at HP/Fortify improving the leading static analysis solution and creating a hand-full of runtime products. Matias spoke at conferences including RSA Conference, BlackHat and DefCon. Daan Raman is a security consultant at NVISO, and specializes mostly in software security. He mainly uses his software engineering skills during penetration tests and code reviews of mobile and desktop applications. He is additionally responsible for NVISO’s Research & Development team, leading technical research with a focus on application security for mobile ecosystems and malware analysis.