OWASP Lisboa - May 2024 Chapter Meetup
Join us for the 7th OWASP Lisboa meetup!
Location: R. Castilho 77 · Lisboa
Harnessing Reachability Analysis to Discern Real Threats in Software Dependencies
In this talk, we will dive into the shortcomings of traditional dependency analysis methods, which usually focus on looking at build manifests and metadata, to spot security or performance vulnerabilities in Java projects. While tools like Maven Dependency Checker and Gradle's dependency-analysis plugin are invaluable for their ability to manage dependencies, they often fall short when we need quick and precise answers, forcing developers to lean on time-consuming tests and manual code reviews. We believe that a thorough look at how dependencies are actually used in the code—with the help of static and reachability analyses—can be a more effective way to pinpoint real threats in Java dependencies.
We'll use real-world examples to show how static analysis, and in particular reachability analysis, offers deeper insights into potential vulnerabilities by moving beyond simple metadata. By sharing examples where static analysis has been a game-changer, and pointing out where it might not be enough, we aim to shed light on the challenges and opportunities this method brings to improving security and performance in software projects.
Our goal is to provide attendees with practical strategies for using static and reachability analyses, promoting a more detailed method for managing dependencies and finding vulnerabilities in software applications.
Want to stay in the loop?
Sign up for our newsletter.
