OWASP AppSec DC 2012/Teaching an Old Dog New Tricks Securing Development withPMD

The Presentation
With the recent rise in high-profile corporate web application attacks, many organizations have made it a priority to build security into their internal software development lifecycle. Using static analysis to identify software security bugs is a common element in virtually all software security programs. While there are numerous commercial static analysis products that focus on security, they often involve high price tags, complex/unreasonable licensing models, steep learning curves, and can be cumbersome to integrate with existing processes. Luckily, using static analysis to identify software bugs is not a new paradigm. For years, developers have used static analysis tools to identifying code quality issues. While these tools may not be specifically designed for identifying security bugs, in many cases their underlying analysis engine can be adapted to do so with custom rules. This presentation will discuss how custom security rules can be added to existing code quality tools to identify potential software security bugs. In many cases, developers are already familiar with these tools and run them during development on a regular basis. Armed with security rulesets, the tools can also be valuable to security code auditors and penetration testers. Writing custom software security rules for the popular Java code scanning tool PMD will be the focus of the presentation.