
Details

JavaScript developers have always been left with hard choices: either use security tools that are not built for them, or use free/open-source tools that generate far too many false positives or offer poor coverage. One of the prime reasons for this dilemma is the lack of technologies that understand the untyped nature of JavaScript. The dynamic nature of JavaScript, combined with the lack of types, gives a typical static analysis tool a very hard problem to solve.

A new technology called DataLog solves that problem in a fundamentally different way, giving developers new hope. During this presentation we will go over:

- how static code analysis has changed over the years
- how DataLog technology solves some of the inherent problems of static code analysis, such as speed, accuracy and coverage
- how concepts like treating code as data and partial evaluation are changing the game completely

We will also introduce a new static code analysis tool called Reshift which is built on top of open-source tools and leverages DataLog technology. Reshift is changing the bad reputation that static code analysis amassed over the years and now developers can finally have it all - accuracy, speed and coverage.

OUR GUEST: SHERIF KOUSSA

Sherif Koussa is OWASP Ottawa Chapter Co-Leader, Software Developer, Hacker, and founder and CEO of Software Secured (https://www.softwaresecured.com) and Reshift (https://www.reshiftsecurity.com).

In addition to contributing to OWASP Ottawa for over 14 years, Sherif contributed to WebGoat and OWASP Cheat Sheets.

Sherif also helped the SANS and GIAC organizations launch their GSSP-Java and GSSP-NET exams and contributed to a few of their courses.

After switching from software development to the field of security, Sherif took on the mission of helping developers shift security left and ship more secure code organically.

Whether through training, penetration testing as a service or coaching development teams through shifting security, Sherif believes that any AppSec without the developer wouldn’t yield the best results.

Sherif’s current venture, Reshift Security, is a static code analysis tool built for developers, with an experience that runs from the IDE through to the code review and CI phases.
