From the course: DevSecOps: Building a Secure Continuous Delivery Pipeline

Static code analysis

- [Instructor] The last secure development practice is static code analysis. This is where you analyze code for vulnerabilities. This is commonly done using a static application security testing tool, or SAST. The tools are able to do testing without actually running the code, which is why it's called static code analysis. SAST tools use data flow models, control flow graphs, and taint analysis to determine whether there's a vulnerability in the code or not. There are a lot of options for static code analysis, but your choice of tool generally depends on the languages you're using. If you're looking for an open-source option for Ruby, there's Brakeman. For PHP, there's Phan. For Java web apps, there's Find Security Bugs. Node has NodeJsScan. And Golang, or Go, has GoSec. I've included this resource in the course handout to help you find the right tool for your usage. There are also commercial options which span multiple languages and are more enterprise friendly. A few to look at ar…
