Kevin Hock

Kevin is a security engineer interested in static analysis and Python.

Speaker home page

Finding Vulnerabilities for Free: The Magic of Static Analysis

DevOps & Automation, Intermediate
8/18/2018 | 1:30 PM-2:00 PM | Robertson


Are you a website or application developer? Interested about security or compilers?

In this talk we will walk through how to automatically find vulnerabilities in web applications with static analysis. Most of what will be presented here is based on a tool called PyT already open-source on GitHub. This talk will lightly cover topics such as web application security and data-flow analysis.


Many vulnerability classes in web applications share the same pattern of something coming from a 'source' (HTTP request) and eventually getting put in a 'sink' (SQL query), through the power of data-flow analysis, we can easily find them. This talk will walk through the architecture, techniques and past evaluations of an open-source security static analysis tool available at at We will also talk about alternative approaches and more advanced techniques for reducing false-positives.