InfoQ

Presentation: Secure Programming with Static Analysis

Posted by Niclas Nilsson on Aug 06, 2008 10:20 AM


Creating secure code is a hard thing to do. The number of things to get right is almost endless and the price for not succeeding can be extremely high.

In this talk, Brian Chess explains how static source code analysis can help find the kinds of errors that lead to vulnerabilities and exploits. Highlights from the talk include:

  • The most common security shortcuts and why they lead to security failures
  • Why programmers are in the best position to get security right
  • Where to look for security problems
  • How static analysis helps
  • The critical attributes and algorithms that make or break a static analysis tool
  • How static analysis works and how to integrate it into the software development process and security code reviews

Along the way, Brian shows examples taken from real-world security incidents, showing how coding errors are exploited, how they could have been prevented, and how static analysis can rapidly uncover similar errors.

To learn more, spend the next hour on Brian’s presentation: Secure Programming with Static Analysis

2 comments

Video doesn't seem to work after approximately 30 mins, by nik jan, posted Aug 7, 2008 7:35 PM

Nice presentation but couldn't watch all.

Re: Video doesn't seem to work after approximately 30 mins, by Cristi Buta, posted Aug 8, 2008 8:14 AM

I was able to watch the full presentation without any problem. Try dragging the progress indicator over the 30 mins and see what happens.
