SAST - Static Analysis integration lab

When (day):
9th - Tuesday
At:
10:30 - 12:00
Watch
Zoom link will be available very soon

Session Video

Notable logs from the chat during the session

11:41:40 From Shivani : OWASP ZAP
11:42:16 From Shivani : SonarQube
11:42:33 From Shivani : it’s an open source tool
11:43:16 From Vishwanath Deshpande : is CodeReview part of SAST?
11:52:04 From Shivani : For SAST how much Programming Knowledge do we need?
12:13:38 From Shivani : can we Integrate that SAST tool with CICD ?
12:13:53 From Shivani : and automate the process
12:14:56 From Dharam Patel : The only issue I can see is if you have a multi-language project, how you will cover it in SAST
12:16:31 From John : SonarQube supports multiple languages, and is capable of scanning in a change-aware fashion - ie only changes in a PR for example
12:17:19 From Raghav Rao : A developer runs the CI/CD pipelines, won’t he/she have the choice not to run security tools or the pipeline?
12:17:49 From Didar Gelici To Imran Mohammed (privately) : etsy
12:17:52 From Didar Gelici To Imran Mohammed (privately) : netflix
12:18:22 From Didar Gelici To Imran Mohammed (privately) : presentations or videos that you suggested.
12:19:17 From ender : SonarQube Community version doesn’t look for injection findings. But still good if you’ve just started on this journey. After some experiment, you would want to use SQ Developer Edition
12:19:56 From Didar Gelici : good tips guys
12:28:41 From Vinod : https://github.com/spotbugs/sonar-findbugs
12:28:52 From Vinod : https://github.com/find-sec-bugs/find-sec-bugs
12:54:13 From Imran Mohammed : semgrep

About this talk:

Lab attendance is first come first served for 30 people due to platform restrictions. Later participants can still join and watch as a demo.