Companies increasingly rely on static code analysis (SCA) tools to scan their own custom code for security risks. But can they really rely on the results?
The typical SCA tool is designed to detect security issues that were introduced into code by accident or through lack of skill. But how reliable are these tools if someone intentionally plants bugs in the code that are not meant to be found?
This talk explores several nasty concepts for how malicious code could be camouflaged in order to avoid detection by SCA algorithms.
On a technical level, the following concepts are covered:
– covert data flow
– deep call stacks
– circular calls
– source mining
– data hubs
– taint laundering
Based on these concepts, I will provide some code snippets as proof of concept for the audience to test at home.
This talk focuses on general weaknesses of SCA tools; I am not going to point the finger at specific vendors.