Peter Winter-Smith, an offensive tool developer, will be presenting at hack::soho in February.
Peter has been working on the wSAST (wienerSAST) project for the past four years, with the long-term goal of creating a framework that provides cheap (currently free), community-supported, reusable, modern multi-language static analysis which is easily extensible and can be integrated into any consultant's toolset for code review and appsec delivery.
It is a consultant-focused SAST framework capable of performing full end-to-end source-to-sink dataflow analysis. It is designed to support multiple languages by converting code written in any object-oriented or procedural language into an intermediate WSIL language, which is then analysed and over which execution can be simulated. At the moment only Java support is complete; C and C++ support is mostly complete.
wSAST allows common sources and sinks to be added for any framework via an XML-based Common Rules Engine plugin; this plugin allows function-, variable- and data-based sources and sinks, as well as annotation-based sources, to be expressed as XML. More complex sources and sinks can be written in .NET and exposed to wSAST as plugins, which enable intricate, multi-step sources and sinks to be composed.
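As an added illustration of the idea described above (rule-driven sources and sinks evaluated by a dataflow walk over an intermediate representation), here is a toy taint tracker. It is not wSAST code and does not use WSIL; the three-address IR, the rule dictionary and every function name (`getParameter`, `escapeShell`, `exec`, `executeQuery`) are invented for this example. It shows function-based, variable-based and annotation-based sources, sinks with tainted-parameter positions, sanitisers that clear taint, and the full source-to-sink path reported for each finding.

```python
"""Toy source-to-sink taint tracker over a tiny three-address IR.

Illustrative example only: not wSAST code. The IR shape, the rule
format and all function names are invented for this demonstration.
"""
from dataclasses import dataclass

# Rules in the spirit of a "common rules" file (invented format):
# function-, variable- and annotation-based sources, function-based
# sinks with the argument positions that must not be tainted, and
# sanitisers whose return value is considered clean.
RULES = {
    "source_functions": {"getParameter", "readLine"},
    "source_annotations": {"@RequestParam"},
    "source_variables": {"argv"},
    "sink_functions": {"exec": {0}, "executeQuery": {0}},
    "sanitizers": {"escapeShell"},
}


@dataclass
class Finding:
    source: str   # label of the source the data came from
    sink: str     # sink function reached
    path: list    # instruction indices from source to sink


def analyse(ir, rules=RULES):
    """Walk straight-line IR and report every source-to-sink flow.

    Instruction forms (invented for the example):
      ("param", var, annotations)    a function parameter
      ("assign", dst, src)           copy
      ("concat", dst, a, b)          string concatenation
      ("call", dst, fn, [args...])   call; dst may be None
    `taint` maps a variable to a list of (source label, path) pairs.
    """
    taint = {}
    findings = []

    def propagate(dst, inputs, i):
        flows = [(s, p + [i]) for v in inputs for s, p in taint.get(v, [])]
        if flows:
            taint[dst] = flows
        else:
            taint.pop(dst, None)   # overwritten with clean data

    for i, ins in enumerate(ir):
        kind = ins[0]
        if kind == "param":
            _, var, annotations = ins
            if var in rules["source_variables"]:
                taint[var] = [(f"variable {var}", [i])]
            for a in annotations:
                if a in rules["source_annotations"]:
                    taint[var] = [(f"annotation {a} on {var}", [i])]
        elif kind == "assign":
            _, dst, src = ins
            propagate(dst, [src], i)
        elif kind == "concat":
            _, dst, a, b = ins
            propagate(dst, [a, b], i)
        elif kind == "call":
            _, dst, fn, args = ins
            # Sink check happens before the call's own effect on dst.
            for idx in rules["sink_functions"].get(fn, ()):
                if idx < len(args):
                    for s, p in taint.get(args[idx], []):
                        findings.append(Finding(s, fn, p + [i]))
            if dst is None:
                continue
            if fn in rules["source_functions"]:
                taint[dst] = [(f"function {fn}", [i])]
            elif fn in rules["sanitizers"]:
                taint.pop(dst, None)
            else:
                # Unknown callee: conservatively pass taint through.
                propagate(dst, args, i)
    return findings


# Constructed sample IR for a request handler (not real program output).
SAMPLE_IR = [
    ("param", "req", []),
    ("param", "name", ["@RequestParam"]),            # annotation source
    ("call", "cmd", "getParameter", ["req", "c"]),   # function source
    ("concat", "line", "cmd", "name"),
    ("call", "safe", "escapeShell", ["line"]),       # sanitiser
    ("call", None, "exec", ["safe"]),                # clean: no finding
    ("assign", "raw", "line"),
    ("call", None, "exec", ["raw"]),                 # two flows reach sink
    ("call", None, "executeQuery", ["name"]),        # annotation flow
]

if __name__ == "__main__":
    for f in analyse(SAMPLE_IR):
        print(f"{f.source} -> {f.sink} via instructions {f.path}")
```

Running the block reports three findings: `getParameter` and the `@RequestParam` parameter both reach `exec` through the `concat` and `assign` at indices 3 and 6, and the annotated parameter reaches `executeQuery` directly; the `escapeShell`-sanitised copy produces nothing. A real engine additionally has to handle branches, loops, calls into other methods and field stores, which is where converting every language into one IR and simulating execution over it pays off.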
HACK::SOHO is a monthly event hosted at our London, UK office for the cybersecurity and hacking community to discuss all things security over food and refreshments.