
8. Static Analysis Days 2021 - DIGITAL
Because some of the presentations were held in German, we have only linked the English presentations for you.
DevSecOps – Detecting 0-day and N-day vulnerabilities, everyday.
(Walter Capitani, Director Technical Product Management, GrammaTech Inc. USA)
The software development industry is in the midst of a shift to integrating security into the software development process. This is often referred to as DevSecOps, the combination of Development, Security and Operations.
A key part of the DevSecOps movement is to perform security testing as close to the developer as possible to find vulnerabilities earlier in the development cycle. A proven technique to find issues early is the integration of Static Application Security Testing (SAST) and Software Composition Analysis (SCA) tools into CI/CD pipelines.
Integration of these tools will execute tests and detect new vulnerabilities automatically with every code change.
Join this session to learn how the latest release of GrammaTech’s CodeSonar and CodeSentry solutions work together to support DevSecOps and detect N-day vulnerabilities in your source code, binaries, and 3rd party software components.
Presentation slides (pdf); video on YouTube
Finding the Serious Bugs that Matter with Advanced Static Analysis
(Dr. Paul Anderson, Vice President of Engineering, GrammaTech Inc. USA)
Many teams use static analysis tools primarily to enforce coding standards like MISRA that are designed to make programming in highly risky languages such as C and C++ much less hazardous. However, because C and C++ are such dangerous languages, programs that seem perfectly compliant with these standards may still contain serious defects and security vulnerabilities due to the inadvertent introduction of undefined behavior.
The primary purpose of advanced static analysis tools is to see past the superficial syntactic properties of programs and into their deep semantic meaning, and by doing so, find those bugs.
This talk will describe how these tools work, and will show some concrete examples of real bugs that they found in production code, despite the code having gone through style checking, manual review, and testing.
Finally, you will get a taste of how users can customize the tools to their own domain, thereby allowing users to greatly increase the value they receive from using them.
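The kind of defect this talk is about is easy to show in a few lines. The following is an added example, not code from the talk or from GrammaTech: a message-copy routine whose every statement passes a superficial style check, yet which relies on signed integer overflow (undefined behaviour in C), so its length check can be bypassed and the memcpy can write past the destination buffer. A semantic analyser that tracks value ranges across the addition flags the overflow; a syntax-level checker does not. Beside it is a version whose preconditions make the overflow unreachable. The buffer size, the helper functions and the sample inputs are constructed for the example.

```c
/* Added example: a superficially compliant copy routine with undefined
 * behaviour, beside a hardened version. Not from the talk or from GrammaTech. */
#include <limits.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define BUF_SIZE 64                 /* constructed output buffer size */

/* Superficially fine: every statement is well formed, but the sum of two
 * int lengths may overflow, and signed overflow is undefined behaviour.
 * In practice the wrapped (negative) total passes the size check and the
 * memcpy calls write far beyond `out`. Do not call this with inputs whose
 * sum does not fit in an int. */
int copy_message_unchecked(char *out, const char *hdr, int hdr_len,
                           const char *body, int body_len)
{
    int total = hdr_len + body_len;          /* UB when the sum overflows */
    if (total > BUF_SIZE)                    /* check can be fooled by wrap */
        return -1;
    memcpy(out, hdr, (size_t)hdr_len);
    memcpy(out + hdr_len, body, (size_t)body_len);
    return total;
}

/* Hardened: reject negative lengths and test for overflow before adding,
 * so every arithmetic operation and every memcpy size is well defined. */
int copy_message_checked(char *out, const char *hdr, int hdr_len,
                         const char *body, int body_len)
{
    if (hdr_len < 0 || body_len < 0)
        return -1;                           /* lengths must be non-negative */
    if (hdr_len > INT_MAX - body_len)
        return -1;                           /* sum would overflow int */
    int total = hdr_len + body_len;          /* now well defined */
    if (total > BUF_SIZE)
        return -1;                           /* does not fit the destination */
    memcpy(out, hdr, (size_t)hdr_len);
    memcpy(out + hdr_len, body, (size_t)body_len);
    return total;
}

/* Constructed source data: 128 bytes of 'A', enough for any in-range copy. */
static const char *sample_source(void)
{
    static char src[128];
    memset(src, 'A', sizeof src);
    return src;
}

/* Thin wrappers so the two variants can be exercised on the same inputs.
 * The unchecked wrapper is only ever driven with inputs that cannot overflow. */
int try_unchecked(int hdr_len, int body_len)
{
    static char out[BUF_SIZE];
    const char *src = sample_source();
    return copy_message_unchecked(out, src, hdr_len, src, body_len);
}

int try_checked(int hdr_len, int body_len)
{
    static char out[BUF_SIZE];
    const char *src = sample_source();
    return copy_message_checked(out, src, hdr_len, src, body_len);
}

int main(void)
{
    printf("in range, unchecked: %d\n", try_unchecked(2, 2));
    printf("in range, checked:   %d\n", try_checked(32, 32));
    printf("overflowing sum, checked: %d\n", try_checked(1, INT_MAX));
    printf("negative length, checked: %d\n", try_checked(-1, 3));
    printf("too large, checked: %d\n", try_checked(40, 40));
    return 0;
}
```

On in-range inputs both versions behave identically, which is why testing and review tend to miss the defect; only the hardened version returns -1 for the overflowing and negative cases instead of reaching the memcpy.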
Presentation slides (pdf); video on YouTube
Finding N-day Security Vulnerabilities in Third-party Software
(Dr. Paul Anderson, Vice President of Engineering, GrammaTech Inc. USA)
An N-day vulnerability is a known security problem for which a fix is available, but where the fix has not been applied due to oversight, poor practice, or misunderstanding.
To identify such risky components, Software Composition Analysis tools are available to scan the source code for matches against a database of known code vulnerabilities in versioned components.
This problem is particularly acute for organizations that receive software binary code from their suppliers because the source code is unavailable to scan. This talk introduces a new technique for identifying N-day vulnerabilities in binary components.
Under the hood are a set of identification algorithms that use a variety of techniques including machine learning that work in concert to produce a software bill of materials enumerating the components used in the compilation of the binary. This is then cross-checked against vulnerability databases to produce a report that assesses the risk of the program as a whole.
Presentation slides (pdf); video on YouTube
Tools to Perform a Security Review on Unknown Code
(John Blattner, President, Imagix Corp. and Walter Capitani, Director Technical Product Management, GrammaTech Inc. USA)
Performing a deep security review on third-party code is hard. You typically receive a bunch of source code, no design documents, and very few comments in the source code. Still, you have to do an assessment of the code and provide a risk score.
Where do you get started?
Learn how tools can help. GrammaTech CodeSonar can perform deep static application security testing on the source code. The result is a set of warnings about things that may be risky. Still, to understand whether a problem, say a buffer overrun, is externally triggerable, you would need to understand the design of the application. This is where Imagix 4D comes in: it can overlay the path of the static analysis warning on a design that is reverse engineered from the source code. And that is just one of the many tricks.
Presentation slides (pdf); video on YouTube
Speakers

Dr. Paul Anderson

M.Sc. Jan-David Baltzer

John Blattner

Walter Capitani
