Python Static Analysis

DerbyCon 7.0 - Legacy

Presented by: Spencer McIntyre
Date: Saturday September 23, 2017
Time: 12:00 - 12:25
Location: Stable Talks

Python is a popular language and that is true as well within the Security industry. This talk will outline how Python code can be statically analyzed using publicly available tools such as bandit. It will then take a more technical approach and outline how the abstract syntax tree (AST) can be processed and searched based on behavior clues to identify potential security issues. Many security tools search for vulnerabilities by analyzing the contents of static strings and examining their variable names. This alternative approach instead demonstrates how the AST can be analyzed to identify pieces of sensitive information such as encryption keys and passwords based on matching them with usage patterns.

This will be a technical talk focused on using automated techniques to find security vulnerabilities in Python projects. The audience will leave with an understanding of these techniques and how they can be applied to the projects they are either developing themselves or using in their daily routines. This talk will end with a live demonstration of a forked version of the public Bandit scanner where these techniques have been implemented.

Spencer McIntyre

As a member of the Research and Development team at SecureState, Spencer McIntyre works to discover vulnerabilities within organizations systems and understand the underlying risks. Mr. McIntyre balances his focus between vulnerability and in-house tool development. During his time with SecureState, Mr. McIntyre has worked with a variety of clients across multiple industries, giving him experience in how each secures their data and the threats that they encounter. Mr. McIntyre uses his background in software development to help him to understand and exploit the underlying logic in the software he encounters. He is active in the open source community, making multiple contributions to a variety of projects such as the Metasploit Framework. @zeroSteiner


KhanFu - Mobile schedules for INFOSEC conferences.
Mobile interface | Alternate Formats