#113 - SAST Security (with John Steven)

This episode provides a deep dive into Static Application Security Testing (SAST) tools.  Learn how they work, why they don't work as well as you think they will in certain use cases, and find some novel ways apply them to your organization.  Special thanks to John Steven for coming on the show to share his expertise.     Special thanks to our sponsor Praetorian for supporting this episode. https://www.praetorian.com/ Full Transcripts - https://docs.google.com/document/d/1zoA70k78IjqyJky-2u7_-i2jlWke8_cb Chapters: 00:00 Introduction 02:51 Source Code Analyzers 04:22 The three bears of Static Analysis 06:01 Do Linters work Better? 08:00 The Value of Full Programming Analysis Tools over Linters 11:30 The Impact of a Developer's Analysis on a Developer Environment 13:05 SAST Testing 15:47 OWASP Benchmarking 19:13 The First Static Analysis Tools 20:53 Can you break up that worry about Automated Testing? 22:44 Using Static Analysis for Defect Discovery 24:18 Using Static Analysis to Improve Web Security 31:37 Using Static Analysis to Drive Cloud Security 33:15 The Second Thing to Look Out for When Choosing a Static Analysis Tool 34:55 Using Static Analysis to Build a Vulnerability Management Practice 37:35 Can you use Static Analysis to Find Insider Threat?