Talk type: Talk

Static application security testing with open source tools

  • Talk in Russian
Presentation pdf

The need to find and fix vulnerabilities in a product under development is no longer in doubt. The need to automate this testing is also clear: in large systems, manual testing cannot keep up with every change. A common way to automate the search for vulnerabilities is to use fuzzers and scanners; these were already discussed at Heisenbug 2018. This approach is sometimes called Dynamic Application Security Testing (DAST). Dynamic security testing has its restrictions and drawbacks. But there is another way: static code analysis can be used to search for potential vulnerabilities. This approach is called Static Application Security Testing (SAST).

The SAST market is diverse: it includes commercial, fully packaged products as well as open source projects. Odnoklassniki needed room for customization and, as a result, settled on a combination of SonarQube and SpotBugs with the Find Security Bugs plugin.

The talk is dedicated to using the tools above to detect vulnerabilities in web application source code. Alexandra will explain what they provide out of the box and how to extend them by adding your own analysis rules (sometimes called detectors). Customization becomes necessary when a project uses frameworks and technologies that the tools do not yet support.

As examples, you will see two vulnerabilities: stored XSS and IDOR. For each of them, the speaker will show how to create your own static analysis rules.

The purpose of the talk: to explain how to use SonarQube and Find Security Bugs to search for vulnerabilities in your project.

Technologies: custom rules are written in Java; as an example, Alexandra will demonstrate a Java web application.

Target audience: security specialists.

Attendees will learn about the possibility of using static code analysis for security testing and will see basic examples of adding detectors for source code analysis.

  • #security
  • #tools
