#113 - SAST Security (with John Steven)

This episode provides a deep dive into Static Application Security Testing (SAST) tools.  Learn how they work, why they don't work as well as you think they will in certain use cases, and find some novel ways apply them to your organization.  Special thanks to John Steven for coming on the show to share his expertise.  

Special thanks to our sponsor Praetorian for supporting this episode.

https://www.praetorian.com/

Full Transcripts - https://docs.google.com/document/d/1zoA70k78IjqyJky-2u7_-i2jlWke8_cb

Chapters:

• 00:00 Introduction
• 02:51 Source Code Analyzers
• 04:22 The three bears of Static Analysis
• 06:01 Do Linters work Better?
• 08:00 The Value of Full Programming Analysis Tools over Linters
• 11:30 The Impact of a Developer's Analysis on a Developer Environment
• 13:05 SAST Testing
• 15:47 OWASP Benchmarking
• 19:13 The First Static Analysis Tools
• 20:53 Can you break up that worry about Automated Testing?
• 22:44 Using Static Analysis for Defect Discovery
• 24:18 Using Static Analysis to Improve Web Security
• 31:37 Using Static Analysis to Drive Cloud Security
• 33:15 The Second Thing to Look Out for When Choosing a Static Analysis Tool
• 34:55 Using Static Analysis to Build a Vulnerability Management Practice
• 37:35 Can you use Static Analysis to Find Insider Threat?