By Dan Cornell
I was up in Houston last weekend for the rescheduled Houston TechFest. The hurricane delayed this from the original date, but the event was still packed.
I flew into Houston for the day to give my talk on Static Analysis Techniques for Testing Application Security. Unfortunately, when I was headed to my early-morning flight, I noticed that the airport had been overrun by birds:
Yikes! I didn't know who my pilot was, but I wasn't convinced he would be able to successfully land a 737 in the San Antonio River. After all, the Hudson is a little wider than the Riverwalk...
Fortunately I made it to Houston all right and checked in with the TechFest folks. The event was at the University of Houston so I went to the bottom of the student center where the event was being held to try and get some work done before my talk. I soon found myself trapped between a bunch of martial arts students:
And some folks playing "Magic - The Gathering":
No offense to the "Magic - The Gathering" crowd, but I had to cast my lot with the martial arts folks. Cards representing elven chain mail and whatnot are no match for a crowd of folks ready to break actual bricks with their hands.
Fortunately everyone got to remain friends and I made it to my talk unscathed.
There was a great group there and we had some great questions such as:
- Does the fact that most .NET static analysis tools rely on decompiling MSIL make .NET, as a language, less secure than Java? (Both Java bytecode and .NET MSIL are pretty easy to decompile, so there aren't a ton of differences there. .NET static analysis tools usually use MSIL binaries because .NET code exists in a variety of languages and it is easier to write one parser/decompiler for MSIL that will work for all .NET languages, whereas Java bytecode is almost always compiled from Java source code, thus making Java source or Java bytecode reasonably equally attractive choices for tool builders.)
- Are there any subsets of PMD rules that are best for running security checks? (There are security-specific PMD checks, but they are mainly related to API misuse. I don't know of any collection that includes the explicit security rules along with rules from other categories that often have security implications.)
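As an added illustration of the PMD answer above (this is not from the original post and not a collection the author endorsed), here is a custom PMD ruleset that pulls the explicit security rules together with a handful of rules from other categories that tend to have security implications: internal-array exposure, swallowed or overly broad exception handling, and stack traces written to standard output. The rule references assume the category layout introduced in PMD 6 and kept in PMD 7 (`category/java/...`), which postdates this post, so check the rule index of the PMD version you actually run before relying on any name here.

```xml
<?xml version="1.0"?>
<!-- Constructed example ruleset; rule names assume PMD 6/7 category layout. -->
<ruleset name="SecurityFocusedJava"
         xmlns="http://pmd.sourceforge.net/ruleset/2.0.0"
         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://pmd.sourceforge.net/ruleset/2.0.0 https://pmd.sourceforge.io/ruleset_2_0_0.xsd">

  <description>
    Explicit security rules plus rules from other categories whose findings
    commonly matter for security review.
  </description>

  <!-- Everything in the dedicated security category (e.g. hard-coded keys, fixed IVs). -->
  <rule ref="category/java/security.xml"/>

  <!-- Mutable internal state leaking through getters/setters: callers can
       alter what the object believed was private. -->
  <rule ref="category/java/bestpractices.xml/ArrayIsStoredDirectly"/>
  <rule ref="category/java/bestpractices.xml/MethodReturnsInternalArray"/>

  <!-- Error handling that hides failures or masks security-relevant exceptions. -->
  <rule ref="category/java/errorprone.xml/EmptyCatchBlock"/>
  <rule ref="category/java/errorprone.xml/AvoidCatchingThrowable"/>
  <rule ref="category/java/errorprone.xml/AvoidCatchingNPE"/>
  <rule ref="category/java/bestpractices.xml/PreserveStackTrace"/>

  <!-- Stack traces on stdout/stderr tend to end up in logs or responses
       where they disclose internals. -->
  <rule ref="category/java/bestpractices.xml/AvoidPrintStackTrace"/>

  <!-- Raw RuntimeException/Exception types make it hard to handle failures
       precisely and to audit what can actually go wrong. -->
  <rule ref="category/java/design.xml/AvoidThrowingRawExceptionTypes"/>
</ruleset>
```

With PMD 7 this runs as `pmd check -R security-ruleset.xml -d src/main/java` (PMD 6 used `run.sh pmd` with the same `-R` and `-d` flags). The point of the combined file is the one the answer makes: the rules PMD labels as "security" are API-misuse checks, and most of the value for an application security review comes from deliberately adding the best-practices, error-prone and design rules whose findings are usually triaged as security issues.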
One thing I talked about Saturday that was relatively new was the OWASP Open Review Project (ORPRO) which provides advanced static analysis capabilities for open source projects.
Overall it was a great session and I will be posting the slide deck shortly.
dan _at_ denimgroup.com