hack::soho | Introducing wSAST - Code Analysis Framework for Consultants

Peter Winter-Smith, MDSec Consulting Ltd., will be presenting at hack::soho in February.

Peter has been working on the wSAST (wienerSAST) project for the past four years - with the long term goal of creating a framework which is capable of providing cheap (currently free), community supported, reusable modern multi-language static analysis which is easily extensible and be integrated into any consultants toolset for code review and appsec delivery.

It is a consultant-focused SAST framework which is capable of performing full end-to-end source to sink dataflow analysis. It is designed to support multiple languages by converting code written in any oriented/procedural language into an intermediate WSIL language which is then analysed and over which execution can be simulated. At the moment only Java support is completed, but C and C++ support is mostly completed.

wSAST allows common sources and sinks to be added for any framework via an XML-based Common Rules Engine plugin; this plugin supports function, variable and data-based sources and sinks, and annotation-based sources to be expressed as XML. More convoluted sources and sinks can be written in .NET and exposed to wSAST as plugins which enable more intricate, multi-step, sources and sinks to be composed.

HACK::SOHO is a monthly event hosted at our London, UK office for the cybersecurity and hacking community to discuss all things security over food and refreshments.

We hope you can join us,

IOActive team