SlideShare a Scribd company logo

Automated code audits

Damien Seguy
Damien Seguy

Even nowadays, PHP code is mostly manually audited. Expert pore over actual code, in search for bugs or code smells. Actually, it is possible to have PHP do this work itself ! Strengthened with the internal Tokenizer, bolstered by the manual, it is able to scan thousands of lines of code, without getting bored, and bringing pragmatic pieces of wisdom: official manual recommendations, version migration, code pruning and security. In the end, it deliver a global overview of the code, without reading it.

Technology
1 of 25
Download to read offline
Automatic code audits Rotterdam, Nederland, October 9th 010PHP
Definition A kind of code analysis where the code is reviewed without running it. Just like we would do ourselves!
Who is speaking? Damien Seguy CTO at exakat Phather of the plush toy elePHPant Back from China Stepping up automated code audit services
Internals Code AST Analyze Report
<?php! function x($a) { return $a; } x(1, 2); ?>
Found Dead code Undefined structures Unused structures Illogical exp. Slow code Bad practices Unsafe code Maintainability Bug issue Ancient style Uninitialized vars Taint propagation
<?php switch ($this->consume()) { case "x09": case "x0A": case "x0B": case "x0B": case "x0C": case "x20": case "x3C": case "x26": case false: break; case "x23": switch ($this->consume()) { case "x78": case "x58": $range = '0123456789ABCDEFabcdef'; $hex = true; break; } }{ ?>
protected function openString($end, &$out=null, $nestingOpen, $rejectStrs = null) $nestingLevel = $count = 0; $content = array(); while ($this->match($patt, $m, false)) { $tok = $m[2]; if ($tok == "@{" && $this->interpolation($inter)) { $content[] = $inter; continue; } if (!empty($rejectStrs) && in_array($tok, $rejectStrs)) { $ount = null; break; } $content[] = $tok; $count += strlen($tok); } $this->eatWhiteDefault = $oldWhite; if (count($content) == 0) return false; $out = array("string", "", $content); return true; }
Spot bugs early Code Test PreProd Production Run it at commit Run it as audit
Static audit vs Unit test No running 100% of the code Symbolic testing Little configuration Has false positive Mostly internal Needs dedicated servers Will only scan a part Test only provided data Write scenario Has false negative Can be handed to users
When does it help Help port to a new system Search for weak code fragments Audit external libraries Hint at refactoring
Report Bugs Useless code Suggestions
Bugs <?php ! ! if($content = file_get_contents($file)) { $content = trim($content); $content = substr($content, -2) == '?>' ? substr($content, 0, -2) : $content; } ! return true;! ?> !
Useless code <?php! ! // inside a legit class $this->module->xmlRequest; $_G['setting']['debug']; $post['usesig'] ? ($_G['setting']['sigviewcond'] ? (strlen($post['message']) > $_G['setting']['sigviewcond'] ?! ! ! ! ! $post['signature'] : '') ! ! ! ! ! ! : $post['signature']) : ''; ?> !
Suggestions <?php ! // Nested ternary should be turned into if then structures $operation == 'ENCODE' ? sprintf('%010d', $expiry ? $expiry + time( ) : 0) . substr(($string . $egiskeys), 0, 16) . $string : base64_decode(substr($string, $key_length)) // Multiply by one is useless SetCache($prefix, $key, $row, 60*60*1); // Portable syntax $bits = split('.', $string); $y = $bits[0]; ! // Modern syntax $y = split('.', $string)[0]; ?> !
Where it doesn’t help Unit tests Architecture Old traditions that won’t change Semantic errors
Architecture No framework context Conception is done before coding Of course! Static audit will report standards, not norms
Old traditions <?php $pna = explode(')(', $pn); while (list($k, $v) = each($pna)) { $lst = explode('"', $v); if (isset($lst[3])) { $pn[$lst[1]] = $lst[3]; } else { $pn[$lst[1]] = ''; } } ?> 10 % of current applications uses this instead of foreach()
Semantic errors <?php $babycarriage = new carriage(); $wheel1 = new Racingwheel(); $wheel2 = new Racingwheel(); $wheel3 = new Racingwheel(); $wheel4 = new Rhinoceros(); $babycarriage->installWheels($wheel1, # # # # # # # # # # # # # $wheel2, # # # # # # # # # # # $wheel3, # # # # # # # # # # # $wheel4); ?> Undefined classes : Vehicle, Racingwheel, Rhinoceros
Semantic errors
Available analyzers PHP code sniffer PHP MD Scrutinizer-ci Fortify insight from Sensio
damien.seguy@ gmail.com http://www.slideshare.net/ dseguy
THE END http://010php.nl/ http://www.meetup.com/010PHP/

Recommended

PHPSpec BDD Framework
PHPSpec BDD FrameworkPHPSpec BDD Framework
PHPSpec BDD Framework
Marcello Duarte
 
The road to continuous deployment (PHPCon Poland 2016)
The road to continuous deployment (PHPCon Poland 2016)The road to continuous deployment (PHPCon Poland 2016)
The road to continuous deployment (PHPCon Poland 2016)
Michiel Rook
 
Mocking Dependencies in PHPUnit
Mocking Dependencies in PHPUnitMocking Dependencies in PHPUnit
Mocking Dependencies in PHPUnit
mfrost503
 
Building Testable PHP Applications
Building Testable PHP ApplicationsBuilding Testable PHP Applications
Building Testable PHP Applications
chartjes
 
Workshop quality assurance for php projects tek12
Workshop quality assurance for php projects tek12Workshop quality assurance for php projects tek12
Workshop quality assurance for php projects tek12
Michelangelo van Dam
 
Beginning PHPUnit
Beginning PHPUnitBeginning PHPUnit
Beginning PHPUnitJace Ju
 
Testing in Laravel
Testing in LaravelTesting in Laravel
Testing in Laravel
Ahmed Yahia
 
Getting Testy With Perl6
Getting Testy With Perl6Getting Testy With Perl6
Getting Testy With Perl6
Workhorse Computing
 

Recommended

PHPSpec BDD Framework
PHPSpec BDD FrameworkPHPSpec BDD Framework
PHPSpec BDD Framework
Marcello Duarte
 
The road to continuous deployment (PHPCon Poland 2016)
The road to continuous deployment (PHPCon Poland 2016)The road to continuous deployment (PHPCon Poland 2016)
The road to continuous deployment (PHPCon Poland 2016)
Michiel Rook
 
Mocking Dependencies in PHPUnit
Mocking Dependencies in PHPUnitMocking Dependencies in PHPUnit
Mocking Dependencies in PHPUnit
mfrost503
 
Building Testable PHP Applications
Building Testable PHP ApplicationsBuilding Testable PHP Applications
Building Testable PHP Applications
chartjes
 
Workshop quality assurance for php projects tek12
Workshop quality assurance for php projects tek12Workshop quality assurance for php projects tek12
Workshop quality assurance for php projects tek12
Michelangelo van Dam
 
Beginning PHPUnit
Beginning PHPUnitBeginning PHPUnit
Beginning PHPUnitJace Ju
 
Testing in Laravel
Testing in LaravelTesting in Laravel
Testing in Laravel
Ahmed Yahia
 
Getting Testy With Perl6
Getting Testy With Perl6Getting Testy With Perl6
Getting Testy With Perl6
Workhorse Computing
 
Practical Ext JS Debugging
Practical Ext JS DebuggingPractical Ext JS Debugging
Practical Ext JS Debugging
Shea Frederick
 
null Pune meet - Application Security: Code injection
null Pune meet - Application Security: Code injectionnull Pune meet - Application Security: Code injection
null Pune meet - Application Security: Code injection
n|u - The Open Security Community
 
Debugging Your Ext JS Code
Debugging Your Ext JS CodeDebugging Your Ext JS Code
Debugging Your Ext JS Code
Sencha
 
PhpUnit Best Practices
PhpUnit Best PracticesPhpUnit Best Practices
PhpUnit Best Practices
Edorian
 
Workshop quality assurance for php projects - ZendCon 2013
Workshop quality assurance for php projects - ZendCon 2013Workshop quality assurance for php projects - ZendCon 2013
Workshop quality assurance for php projects - ZendCon 2013
Michelangelo van Dam
 
Quality Assurance for PHP projects - ZendCon 2012
Quality Assurance for PHP projects - ZendCon 2012Quality Assurance for PHP projects - ZendCon 2012
Quality Assurance for PHP projects - ZendCon 2012Michelangelo van Dam
 
Testing JavaScript Applications
Testing JavaScript ApplicationsTesting JavaScript Applications
Testing JavaScript Applications
The Rolling Scopes
 
Rails is not just Ruby
Rails is not just RubyRails is not just Ruby
Rails is not just Ruby
Marco Otte-Witte
 
PHP unserialization vulnerabilities: What are we missing?
PHP unserialization vulnerabilities: What are we missing?PHP unserialization vulnerabilities: What are we missing?
PHP unserialization vulnerabilities: What are we missing?
Sam Thomas
 
UA testing with Selenium and PHPUnit - PFCongres 2013
UA testing with Selenium and PHPUnit - PFCongres 2013UA testing with Selenium and PHPUnit - PFCongres 2013
UA testing with Selenium and PHPUnit - PFCongres 2013
Michelangelo van Dam
 
Jasmine - why JS tests don't smell fishy
Jasmine - why JS tests don't smell fishyJasmine - why JS tests don't smell fishy
Jasmine - why JS tests don't smell fishy
Igor Napierala
 
Testing Code and Assuring Quality
Testing Code and Assuring QualityTesting Code and Assuring Quality
Testing Code and Assuring Quality
Kent Cowgill
 
RSpec
RSpecRSpec
RSpec
Marco Otte-Witte
 
Building Maintainable Applications in Apex
Building Maintainable Applications in ApexBuilding Maintainable Applications in Apex
Building Maintainable Applications in Apex
Jeffrey Kemp
 
Excellent
ExcellentExcellent
Excellent
Marco Otte-Witte
 
PHPUnit best practices presentation
PHPUnit best practices presentationPHPUnit best practices presentation
PHPUnit best practices presentation
Thanh Robi
 
Workshop 10: ECMAScript 6
Workshop 10: ECMAScript 6Workshop 10: ECMAScript 6
Workshop 10: ECMAScript 6
Visual Engineering
 
Unit testing with mocha
Unit testing with mochaUnit testing with mocha
Unit testing with mocha
Revath S Kumar
 
Unit Testing in SilverStripe
Unit Testing in SilverStripeUnit Testing in SilverStripe
Unit Testing in SilverStripe
Ingo Schommer
 
Old Oracle Versions
Old Oracle VersionsOld Oracle Versions
Old Oracle VersionsJeffrey Kemp
 
Beeckestijn masterclass e village 19 sept
Beeckestijn masterclass e village 19 sept Beeckestijn masterclass e village 19 sept
Beeckestijn masterclass e village 19 sept
som | smart online marketing
 
Tips & tools for (starting) sourcers
Tips & tools for (starting) sourcersTips & tools for (starting) sourcers
Tips & tools for (starting) sourcers
René Bolier
 

More Related Content

What's hot

Practical Ext JS Debugging
Practical Ext JS DebuggingPractical Ext JS Debugging
Practical Ext JS Debugging
Shea Frederick
 
null Pune meet - Application Security: Code injection
null Pune meet - Application Security: Code injectionnull Pune meet - Application Security: Code injection
null Pune meet - Application Security: Code injection
n|u - The Open Security Community
 
Debugging Your Ext JS Code
Debugging Your Ext JS CodeDebugging Your Ext JS Code
Debugging Your Ext JS Code
Sencha
 
PhpUnit Best Practices
PhpUnit Best PracticesPhpUnit Best Practices
PhpUnit Best Practices
Edorian
 
Workshop quality assurance for php projects - ZendCon 2013
Workshop quality assurance for php projects - ZendCon 2013Workshop quality assurance for php projects - ZendCon 2013
Workshop quality assurance for php projects - ZendCon 2013
Michelangelo van Dam
 
Quality Assurance for PHP projects - ZendCon 2012
Quality Assurance for PHP projects - ZendCon 2012Quality Assurance for PHP projects - ZendCon 2012
Quality Assurance for PHP projects - ZendCon 2012Michelangelo van Dam
 
Testing JavaScript Applications
Testing JavaScript ApplicationsTesting JavaScript Applications
Testing JavaScript Applications
The Rolling Scopes
 
Rails is not just Ruby
Rails is not just RubyRails is not just Ruby
Rails is not just Ruby
Marco Otte-Witte
 
PHP unserialization vulnerabilities: What are we missing?
PHP unserialization vulnerabilities: What are we missing?PHP unserialization vulnerabilities: What are we missing?
PHP unserialization vulnerabilities: What are we missing?
Sam Thomas
 
UA testing with Selenium and PHPUnit - PFCongres 2013
UA testing with Selenium and PHPUnit - PFCongres 2013UA testing with Selenium and PHPUnit - PFCongres 2013
UA testing with Selenium and PHPUnit - PFCongres 2013
Michelangelo van Dam
 
Jasmine - why JS tests don't smell fishy
Jasmine - why JS tests don't smell fishyJasmine - why JS tests don't smell fishy
Jasmine - why JS tests don't smell fishy
Igor Napierala
 
Testing Code and Assuring Quality
Testing Code and Assuring QualityTesting Code and Assuring Quality
Testing Code and Assuring Quality
Kent Cowgill
 
RSpec
RSpecRSpec
RSpec
Marco Otte-Witte
 
Building Maintainable Applications in Apex
Building Maintainable Applications in ApexBuilding Maintainable Applications in Apex
Building Maintainable Applications in Apex
Jeffrey Kemp
 
Excellent
ExcellentExcellent
Excellent
Marco Otte-Witte
 
PHPUnit best practices presentation
PHPUnit best practices presentationPHPUnit best practices presentation
PHPUnit best practices presentation
Thanh Robi
 
Workshop 10: ECMAScript 6
Workshop 10: ECMAScript 6Workshop 10: ECMAScript 6
Workshop 10: ECMAScript 6
Visual Engineering
 
Unit testing with mocha
Unit testing with mochaUnit testing with mocha
Unit testing with mocha
Revath S Kumar
 
Unit Testing in SilverStripe
Unit Testing in SilverStripeUnit Testing in SilverStripe
Unit Testing in SilverStripe
Ingo Schommer
 
Old Oracle Versions
Old Oracle VersionsOld Oracle Versions
Old Oracle VersionsJeffrey Kemp
 

What's hot (20)

Practical Ext JS Debugging
Practical Ext JS DebuggingPractical Ext JS Debugging
Practical Ext JS Debugging
 
null Pune meet - Application Security: Code injection
null Pune meet - Application Security: Code injectionnull Pune meet - Application Security: Code injection
null Pune meet - Application Security: Code injection
 
Debugging Your Ext JS Code
Debugging Your Ext JS CodeDebugging Your Ext JS Code
Debugging Your Ext JS Code
 
PhpUnit Best Practices
PhpUnit Best PracticesPhpUnit Best Practices
PhpUnit Best Practices
 
Workshop quality assurance for php projects - ZendCon 2013
Workshop quality assurance for php projects - ZendCon 2013Workshop quality assurance for php projects - ZendCon 2013
Workshop quality assurance for php projects - ZendCon 2013
 
Quality Assurance for PHP projects - ZendCon 2012
Quality Assurance for PHP projects - ZendCon 2012Quality Assurance for PHP projects - ZendCon 2012
Quality Assurance for PHP projects - ZendCon 2012
 
Testing JavaScript Applications
Testing JavaScript ApplicationsTesting JavaScript Applications
Testing JavaScript Applications
 
Rails is not just Ruby
Rails is not just RubyRails is not just Ruby
Rails is not just Ruby
 
PHP unserialization vulnerabilities: What are we missing?
PHP unserialization vulnerabilities: What are we missing?PHP unserialization vulnerabilities: What are we missing?
PHP unserialization vulnerabilities: What are we missing?
 
UA testing with Selenium and PHPUnit - PFCongres 2013
UA testing with Selenium and PHPUnit - PFCongres 2013UA testing with Selenium and PHPUnit - PFCongres 2013
UA testing with Selenium and PHPUnit - PFCongres 2013
 
Jasmine - why JS tests don't smell fishy
Jasmine - why JS tests don't smell fishyJasmine - why JS tests don't smell fishy
Jasmine - why JS tests don't smell fishy
 
Testing Code and Assuring Quality
Testing Code and Assuring QualityTesting Code and Assuring Quality
Testing Code and Assuring Quality
 
RSpec
RSpecRSpec
RSpec
 
Building Maintainable Applications in Apex
Building Maintainable Applications in ApexBuilding Maintainable Applications in Apex
Building Maintainable Applications in Apex
 
Excellent
ExcellentExcellent
Excellent
 
PHPUnit best practices presentation
PHPUnit best practices presentationPHPUnit best practices presentation
PHPUnit best practices presentation
 
Workshop 10: ECMAScript 6
Workshop 10: ECMAScript 6Workshop 10: ECMAScript 6
Workshop 10: ECMAScript 6
 
Unit testing with mocha
Unit testing with mochaUnit testing with mocha
Unit testing with mocha
 
Unit Testing in SilverStripe
Unit Testing in SilverStripeUnit Testing in SilverStripe
Unit Testing in SilverStripe
 
Old Oracle Versions
Old Oracle VersionsOld Oracle Versions
Old Oracle Versions
 

Viewers also liked

Beeckestijn masterclass e village 19 sept
Beeckestijn masterclass e village 19 sept Beeckestijn masterclass e village 19 sept
Beeckestijn masterclass e village 19 sept
som | smart online marketing
 
Tips & tools for (starting) sourcers
Tips & tools for (starting) sourcersTips & tools for (starting) sourcers
Tips & tools for (starting) sourcers
René Bolier
 
Beste-werkgevers-onderzoek-2013
Beste-werkgevers-onderzoek-2013Beste-werkgevers-onderzoek-2013
Beste-werkgevers-onderzoek-2013
Effectory
 
20120927 voordracht bij marnixring waregem
20120927 voordracht bij marnixring waregem20120927 voordracht bij marnixring waregem
20120927 voordracht bij marnixring waregem
Trigger - social media marketing & training
 
Beste Werkgeversonderzoek 2013 - Effectory & Intermediair
Beste Werkgeversonderzoek 2013 - Effectory & IntermediairBeste Werkgeversonderzoek 2013 - Effectory & Intermediair
Beste Werkgeversonderzoek 2013 - Effectory & Intermediair
Effectory
 
Girls of Promise-Schedule B
Girls of Promise-Schedule BGirls of Promise-Schedule B
Girls of Promise-Schedule B
Women's Foundation of Arkansas
 
130131 marketing mogelijkheden liquid internet
130131 marketing mogelijkheden liquid internet130131 marketing mogelijkheden liquid internet
130131 marketing mogelijkheden liquid internet
som | smart online marketing
 
Ontwikkelen CRM / Marketing 2.0 bij schouwburg
Ontwikkelen CRM / Marketing 2.0 bij schouwburgOntwikkelen CRM / Marketing 2.0 bij schouwburg
Ontwikkelen CRM / Marketing 2.0 bij schouwburg
som | smart online marketing
 
Mobile Convention Amsterdam 2015 / Vebego - Niels Sascha Reedijk
Mobile Convention Amsterdam 2015 / Vebego - Niels Sascha ReedijkMobile Convention Amsterdam 2015 / Vebego - Niels Sascha Reedijk
Mobile Convention Amsterdam 2015 / Vebego - Niels Sascha Reedijk
Mobile Convention Amsterdam 2015
 
Tradetracker affiliate day - Presentatie Herman Maes
Tradetracker affiliate day - Presentatie Herman MaesTradetracker affiliate day - Presentatie Herman Maes
Tradetracker affiliate day - Presentatie Herman Maes
Herman Maes
 
Online Fundrasing Congres sept 2009 Maarssen met Canicas
Online Fundrasing Congres sept 2009 Maarssen met CanicasOnline Fundrasing Congres sept 2009 Maarssen met Canicas
Online Fundrasing Congres sept 2009 Maarssen met Canicas
som | smart online marketing
 
Mobile Convention Amsterdam 2015 - University GFAF - Kimo Quaintance
Mobile Convention Amsterdam 2015 - University GFAF - Kimo QuaintanceMobile Convention Amsterdam 2015 - University GFAF - Kimo Quaintance
Mobile Convention Amsterdam 2015 - University GFAF - Kimo Quaintance
Mobile Convention Amsterdam 2015
 
Ian walden - data protection in cloud computing
Ian walden - data protection in cloud computingIan walden - data protection in cloud computing
Ian walden - data protection in cloud computingoiisdp
 
090512 Pre Canicas Slideshare
090512 Pre Canicas Slideshare090512 Pre Canicas Slideshare
090512 Pre Canicas Slideshare
som | smart online marketing
 
140221 Windesheim SATC gastcollege Hans Drenth
140221 Windesheim SATC gastcollege Hans Drenth140221 Windesheim SATC gastcollege Hans Drenth
140221 Windesheim SATC gastcollege Hans Drenth
som | smart online marketing
 
Mobile Convention Amsterdam 2015 - Knab - Marcel Kalse
Mobile Convention Amsterdam 2015 - Knab - Marcel KalseMobile Convention Amsterdam 2015 - Knab - Marcel Kalse
Mobile Convention Amsterdam 2015 - Knab - Marcel Kalse
Mobile Convention Amsterdam 2015
 
Kawser Hamid : ICO and Data Protection in the Cloud
Kawser Hamid : ICO and Data Protection in the CloudKawser Hamid : ICO and Data Protection in the Cloud
Kawser Hamid : ICO and Data Protection in the Cloud
Gurbir Singh
 
Samenvatting Beeckestijn Gastcollege Sex & The City 2011
Samenvatting Beeckestijn Gastcollege Sex & The City 2011Samenvatting Beeckestijn Gastcollege Sex & The City 2011
Samenvatting Beeckestijn Gastcollege Sex & The City 2011
som | smart online marketing
 
introductie YouTube marketing in boekensector- boekenbeurs 2014
introductie YouTube marketing in boekensector- boekenbeurs 2014 introductie YouTube marketing in boekensector- boekenbeurs 2014
introductie YouTube marketing in boekensector- boekenbeurs 2014
Trigger - social media marketing & training
 

Viewers also liked (19)

Beeckestijn masterclass e village 19 sept
Beeckestijn masterclass e village 19 sept Beeckestijn masterclass e village 19 sept
Beeckestijn masterclass e village 19 sept
 
Tips & tools for (starting) sourcers
Tips & tools for (starting) sourcersTips & tools for (starting) sourcers
Tips & tools for (starting) sourcers
 
Beste-werkgevers-onderzoek-2013
Beste-werkgevers-onderzoek-2013Beste-werkgevers-onderzoek-2013
Beste-werkgevers-onderzoek-2013
 
20120927 voordracht bij marnixring waregem
20120927 voordracht bij marnixring waregem20120927 voordracht bij marnixring waregem
20120927 voordracht bij marnixring waregem
 
Beste Werkgeversonderzoek 2013 - Effectory & Intermediair
Beste Werkgeversonderzoek 2013 - Effectory & IntermediairBeste Werkgeversonderzoek 2013 - Effectory & Intermediair
Beste Werkgeversonderzoek 2013 - Effectory & Intermediair
 
Girls of Promise-Schedule B
Girls of Promise-Schedule BGirls of Promise-Schedule B
Girls of Promise-Schedule B
 
130131 marketing mogelijkheden liquid internet
130131 marketing mogelijkheden liquid internet130131 marketing mogelijkheden liquid internet
130131 marketing mogelijkheden liquid internet
 
Ontwikkelen CRM / Marketing 2.0 bij schouwburg
Ontwikkelen CRM / Marketing 2.0 bij schouwburgOntwikkelen CRM / Marketing 2.0 bij schouwburg
Ontwikkelen CRM / Marketing 2.0 bij schouwburg
 
Mobile Convention Amsterdam 2015 / Vebego - Niels Sascha Reedijk
Mobile Convention Amsterdam 2015 / Vebego - Niels Sascha ReedijkMobile Convention Amsterdam 2015 / Vebego - Niels Sascha Reedijk
Mobile Convention Amsterdam 2015 / Vebego - Niels Sascha Reedijk
 
Tradetracker affiliate day - Presentatie Herman Maes
Tradetracker affiliate day - Presentatie Herman MaesTradetracker affiliate day - Presentatie Herman Maes
Tradetracker affiliate day - Presentatie Herman Maes
 
Online Fundrasing Congres sept 2009 Maarssen met Canicas
Online Fundrasing Congres sept 2009 Maarssen met CanicasOnline Fundrasing Congres sept 2009 Maarssen met Canicas
Online Fundrasing Congres sept 2009 Maarssen met Canicas
 
Mobile Convention Amsterdam 2015 - University GFAF - Kimo Quaintance
Mobile Convention Amsterdam 2015 - University GFAF - Kimo QuaintanceMobile Convention Amsterdam 2015 - University GFAF - Kimo Quaintance
Mobile Convention Amsterdam 2015 - University GFAF - Kimo Quaintance
 
Ian walden - data protection in cloud computing
Ian walden - data protection in cloud computingIan walden - data protection in cloud computing
Ian walden - data protection in cloud computing
 
090512 Pre Canicas Slideshare
090512 Pre Canicas Slideshare090512 Pre Canicas Slideshare
090512 Pre Canicas Slideshare
 
140221 Windesheim SATC gastcollege Hans Drenth
140221 Windesheim SATC gastcollege Hans Drenth140221 Windesheim SATC gastcollege Hans Drenth
140221 Windesheim SATC gastcollege Hans Drenth
 
Mobile Convention Amsterdam 2015 - Knab - Marcel Kalse
Mobile Convention Amsterdam 2015 - Knab - Marcel KalseMobile Convention Amsterdam 2015 - Knab - Marcel Kalse
Mobile Convention Amsterdam 2015 - Knab - Marcel Kalse
 
Kawser Hamid : ICO and Data Protection in the Cloud
Kawser Hamid : ICO and Data Protection in the CloudKawser Hamid : ICO and Data Protection in the Cloud
Kawser Hamid : ICO and Data Protection in the Cloud
 
Samenvatting Beeckestijn Gastcollege Sex & The City 2011
Samenvatting Beeckestijn Gastcollege Sex & The City 2011Samenvatting Beeckestijn Gastcollege Sex & The City 2011
Samenvatting Beeckestijn Gastcollege Sex & The City 2011
 
introductie YouTube marketing in boekensector- boekenbeurs 2014
introductie YouTube marketing in boekensector- boekenbeurs 2014 introductie YouTube marketing in boekensector- boekenbeurs 2014
introductie YouTube marketing in boekensector- boekenbeurs 2014
 

Similar to Automated code audits

Automated code audits
Automated code auditsAutomated code audits
Automated code audits
exakat
 
PHP Static Code Review
PHP Static Code ReviewPHP Static Code Review
PHP Static Code Review
Damien Seguy
 
OWASP Top 10 - DrupalCon Amsterdam 2019
OWASP Top 10 - DrupalCon Amsterdam 2019OWASP Top 10 - DrupalCon Amsterdam 2019
OWASP Top 10 - DrupalCon Amsterdam 2019
Ayesh Karunaratne
 
Creating "Secure" PHP Applications, Part 1, Explicit Code & QA
Creating "Secure" PHP Applications, Part 1, Explicit Code & QACreating "Secure" PHP Applications, Part 1, Explicit Code & QA
Creating "Secure" PHP Applications, Part 1, Explicit Code & QAarchwisp
 
Unit testing with zend framework tek11
Unit testing with zend framework tek11Unit testing with zend framework tek11
Unit testing with zend framework tek11
Michelangelo van Dam
 
Building and Incredible Machine with Pipelines and Generators in PHP (IPC Ber...
Building and Incredible Machine with Pipelines and Generators in PHP (IPC Ber...Building and Incredible Machine with Pipelines and Generators in PHP (IPC Ber...
Building and Incredible Machine with Pipelines and Generators in PHP (IPC Ber...
dantleech
 
Zend Certification PHP 5 Sample Questions
Zend Certification PHP 5 Sample QuestionsZend Certification PHP 5 Sample Questions
Zend Certification PHP 5 Sample Questions
Jagat Kothari
 
Review unknown code with static analysis Zend con 2017
Review unknown code with static analysis Zend con 2017Review unknown code with static analysis Zend con 2017
Review unknown code with static analysis Zend con 2017
Damien Seguy
 
Unit testing with zend framework PHPBenelux
Unit testing with zend framework PHPBeneluxUnit testing with zend framework PHPBenelux
Unit testing with zend framework PHPBenelux
Michelangelo van Dam
 
99% is not enough
99% is not enough99% is not enough
99% is not enough
tech.kartenmacherei
 
Clear php reference
Clear php referenceClear php reference
Clear php reference
Damien Seguy
 
Review unknown code with static analysis
Review unknown code with static analysisReview unknown code with static analysis
Review unknown code with static analysis
Damien Seguy
 
Top 10 php classic traps confoo
Top 10 php classic traps confooTop 10 php classic traps confoo
Top 10 php classic traps confoo
Damien Seguy
 
Workshop quality assurance for php projects - phpbelfast
Workshop quality assurance for php projects - phpbelfastWorkshop quality assurance for php projects - phpbelfast
Workshop quality assurance for php projects - phpbelfast
Michelangelo van Dam
 
PHPSpec BDD for PHP
PHPSpec BDD for PHPPHPSpec BDD for PHP
PHPSpec BDD for PHP
Marcello Duarte
 
Api Design
Api DesignApi Design
Api Design
sumithra jonnalagadda
 
Bonnes pratiques de développement avec Node js
Bonnes pratiques de développement avec Node jsBonnes pratiques de développement avec Node js
Bonnes pratiques de développement avec Node js
Francois Zaninotto
 
Automated Frontend Testing
Automated Frontend TestingAutomated Frontend Testing
Automated Frontend Testing
Neil Crosby
 
Whatever it takes - Fixing SQLIA and XSS in the process
Whatever it takes - Fixing SQLIA and XSS in the processWhatever it takes - Fixing SQLIA and XSS in the process
Whatever it takes - Fixing SQLIA and XSS in the process
guest3379bd
 
Review unknown code with static analysis php ce 2018
Review unknown code with static analysis php ce 2018Review unknown code with static analysis php ce 2018
Review unknown code with static analysis php ce 2018
Damien Seguy
 

Similar to Automated code audits (20)

Automated code audits
Automated code auditsAutomated code audits
Automated code audits
 
PHP Static Code Review
PHP Static Code ReviewPHP Static Code Review
PHP Static Code Review
 
OWASP Top 10 - DrupalCon Amsterdam 2019
OWASP Top 10 - DrupalCon Amsterdam 2019OWASP Top 10 - DrupalCon Amsterdam 2019
OWASP Top 10 - DrupalCon Amsterdam 2019
 
Creating "Secure" PHP Applications, Part 1, Explicit Code & QA
Creating "Secure" PHP Applications, Part 1, Explicit Code & QACreating "Secure" PHP Applications, Part 1, Explicit Code & QA
Creating "Secure" PHP Applications, Part 1, Explicit Code & QA
 
Unit testing with zend framework tek11
Unit testing with zend framework tek11Unit testing with zend framework tek11
Unit testing with zend framework tek11
 
Building and Incredible Machine with Pipelines and Generators in PHP (IPC Ber...
Building and Incredible Machine with Pipelines and Generators in PHP (IPC Ber...Building and Incredible Machine with Pipelines and Generators in PHP (IPC Ber...
Building and Incredible Machine with Pipelines and Generators in PHP (IPC Ber...
 
Zend Certification PHP 5 Sample Questions
Zend Certification PHP 5 Sample QuestionsZend Certification PHP 5 Sample Questions
Zend Certification PHP 5 Sample Questions
 
Review unknown code with static analysis Zend con 2017
Review unknown code with static analysis Zend con 2017Review unknown code with static analysis Zend con 2017
Review unknown code with static analysis Zend con 2017
 
Unit testing with zend framework PHPBenelux
Unit testing with zend framework PHPBeneluxUnit testing with zend framework PHPBenelux
Unit testing with zend framework PHPBenelux
 
99% is not enough
99% is not enough99% is not enough
99% is not enough
 
Clear php reference
Clear php referenceClear php reference
Clear php reference
 
Review unknown code with static analysis
Review unknown code with static analysisReview unknown code with static analysis
Review unknown code with static analysis
 
Top 10 php classic traps confoo
Top 10 php classic traps confooTop 10 php classic traps confoo
Top 10 php classic traps confoo
 
Workshop quality assurance for php projects - phpbelfast
Workshop quality assurance for php projects - phpbelfastWorkshop quality assurance for php projects - phpbelfast
Workshop quality assurance for php projects - phpbelfast
 
PHPSpec BDD for PHP
PHPSpec BDD for PHPPHPSpec BDD for PHP
PHPSpec BDD for PHP
 
Api Design
Api DesignApi Design
Api Design
 
Bonnes pratiques de développement avec Node js
Bonnes pratiques de développement avec Node jsBonnes pratiques de développement avec Node js
Bonnes pratiques de développement avec Node js
 
Automated Frontend Testing
Automated Frontend TestingAutomated Frontend Testing
Automated Frontend Testing
 
Whatever it takes - Fixing SQLIA and XSS in the process
Whatever it takes - Fixing SQLIA and XSS in the processWhatever it takes - Fixing SQLIA and XSS in the process
Whatever it takes - Fixing SQLIA and XSS in the process
 
Review unknown code with static analysis php ce 2018
Review unknown code with static analysis php ce 2018Review unknown code with static analysis php ce 2018
Review unknown code with static analysis php ce 2018
 

More from Damien Seguy

Strong typing @ php leeds
Strong typing @ php leedsStrong typing @ php leeds
Strong typing @ php leeds
Damien Seguy
 
Strong typing : adoption, adaptation and organisation
Strong typing : adoption, adaptation and organisationStrong typing : adoption, adaptation and organisation
Strong typing : adoption, adaptation and organisation
Damien Seguy
 
Qui a laissé son mot de passe dans le code
Qui a laissé son mot de passe dans le codeQui a laissé son mot de passe dans le code
Qui a laissé son mot de passe dans le code
Damien Seguy
 
Analyse statique et applications
Analyse statique et applicationsAnalyse statique et applications
Analyse statique et applications
Damien Seguy
 
Top 10 pieges php afup limoges
Top 10 pieges php afup limogesTop 10 pieges php afup limoges
Top 10 pieges php afup limoges
Damien Seguy
 
Top 10 php classic traps DPC 2020
Top 10 php classic traps DPC 2020Top 10 php classic traps DPC 2020
Top 10 php classic traps DPC 2020
Damien Seguy
 
Meilleur du typage fort (AFUP Day, 2020)
Meilleur du typage fort (AFUP Day, 2020)Meilleur du typage fort (AFUP Day, 2020)
Meilleur du typage fort (AFUP Day, 2020)
Damien Seguy
 
Tout pour se préparer à PHP 7.4
Tout pour se préparer à PHP 7.4Tout pour se préparer à PHP 7.4
Tout pour se préparer à PHP 7.4
Damien Seguy
 
Top 10 php classic traps php serbia
Top 10 php classic traps php serbiaTop 10 php classic traps php serbia
Top 10 php classic traps php serbia
Damien Seguy
 
Top 10 php classic traps
Top 10 php classic trapsTop 10 php classic traps
Top 10 php classic traps
Damien Seguy
 
Top 10 chausse trappes
Top 10 chausse trappesTop 10 chausse trappes
Top 10 chausse trappes
Damien Seguy
 
Code review workshop
Code review workshopCode review workshop
Code review workshop
Damien Seguy
 
Understanding static analysis php amsterdam 2018
Understanding static analysis php amsterdam 2018Understanding static analysis php amsterdam 2018
Understanding static analysis php amsterdam 2018
Damien Seguy
 
Everything new with PHP 7.3
Everything new with PHP 7.3Everything new with PHP 7.3
Everything new with PHP 7.3
Damien Seguy
 
Php 7.3 et ses RFC (AFUP Toulouse)
Php 7.3 et ses RFC (AFUP Toulouse)Php 7.3 et ses RFC (AFUP Toulouse)
Php 7.3 et ses RFC (AFUP Toulouse)
Damien Seguy
 
Tout sur PHP 7.3 et ses RFC
Tout sur PHP 7.3 et ses RFCTout sur PHP 7.3 et ses RFC
Tout sur PHP 7.3 et ses RFC
Damien Seguy
 
Review unknown code with static analysis php ipc 2018
Review unknown code with static analysis php ipc 2018Review unknown code with static analysis php ipc 2018
Review unknown code with static analysis php ipc 2018
Damien Seguy
 
Code review for busy people
Code review for busy peopleCode review for busy people
Code review for busy people
Damien Seguy
 
Static analysis saved my code tonight
Static analysis saved my code tonightStatic analysis saved my code tonight
Static analysis saved my code tonight
Damien Seguy
 
Machine learning in php las vegas
Machine learning in php las vegasMachine learning in php las vegas
Machine learning in php las vegas
Damien Seguy
 

More from Damien Seguy (20)

Strong typing @ php leeds
Strong typing @ php leedsStrong typing @ php leeds
Strong typing @ php leeds
 
Strong typing : adoption, adaptation and organisation
Strong typing : adoption, adaptation and organisationStrong typing : adoption, adaptation and organisation
Strong typing : adoption, adaptation and organisation
 
Qui a laissé son mot de passe dans le code
Qui a laissé son mot de passe dans le codeQui a laissé son mot de passe dans le code
Qui a laissé son mot de passe dans le code
 
Analyse statique et applications
Analyse statique et applicationsAnalyse statique et applications
Analyse statique et applications
 
Top 10 pieges php afup limoges
Top 10 pieges php afup limogesTop 10 pieges php afup limoges
Top 10 pieges php afup limoges
 
Top 10 php classic traps DPC 2020
Top 10 php classic traps DPC 2020Top 10 php classic traps DPC 2020
Top 10 php classic traps DPC 2020
 
Meilleur du typage fort (AFUP Day, 2020)
Meilleur du typage fort (AFUP Day, 2020)Meilleur du typage fort (AFUP Day, 2020)
Meilleur du typage fort (AFUP Day, 2020)
 
Tout pour se préparer à PHP 7.4
Tout pour se préparer à PHP 7.4Tout pour se préparer à PHP 7.4
Tout pour se préparer à PHP 7.4
 
Top 10 php classic traps php serbia
Top 10 php classic traps php serbiaTop 10 php classic traps php serbia
Top 10 php classic traps php serbia
 
Top 10 php classic traps
Top 10 php classic trapsTop 10 php classic traps
Top 10 php classic traps
 
Top 10 chausse trappes
Top 10 chausse trappesTop 10 chausse trappes
Top 10 chausse trappes
 
Code review workshop
Code review workshopCode review workshop
Code review workshop
 
Understanding static analysis php amsterdam 2018
Understanding static analysis php amsterdam 2018Understanding static analysis php amsterdam 2018
Understanding static analysis php amsterdam 2018
 
Everything new with PHP 7.3
Everything new with PHP 7.3Everything new with PHP 7.3
Everything new with PHP 7.3
 
Php 7.3 et ses RFC (AFUP Toulouse)
Php 7.3 et ses RFC (AFUP Toulouse)Php 7.3 et ses RFC (AFUP Toulouse)
Php 7.3 et ses RFC (AFUP Toulouse)
 
Tout sur PHP 7.3 et ses RFC
Tout sur PHP 7.3 et ses RFCTout sur PHP 7.3 et ses RFC
Tout sur PHP 7.3 et ses RFC
 
Review unknown code with static analysis php ipc 2018
Review unknown code with static analysis php ipc 2018Review unknown code with static analysis php ipc 2018
Review unknown code with static analysis php ipc 2018
 
Code review for busy people
Code review for busy peopleCode review for busy people
Code review for busy people
 
Static analysis saved my code tonight
Static analysis saved my code tonightStatic analysis saved my code tonight
Static analysis saved my code tonight
 
Machine learning in php las vegas
Machine learning in php las vegasMachine learning in php las vegas
Machine learning in php las vegas
 

Recently uploaded

GenAISummit 2024 May 28 Sri Ambati Keynote: AGI Belongs to The Community in O...
GenAISummit 2024 May 28 Sri Ambati Keynote: AGI Belongs to The Community in O...GenAISummit 2024 May 28 Sri Ambati Keynote: AGI Belongs to The Community in O...
GenAISummit 2024 May 28 Sri Ambati Keynote: AGI Belongs to The Community in O...
Sri Ambati
 
FIDO Alliance Osaka Seminar: The WebAuthn API and Discoverable Credentials.pdf
FIDO Alliance Osaka Seminar: The WebAuthn API and Discoverable Credentials.pdfFIDO Alliance Osaka Seminar: The WebAuthn API and Discoverable Credentials.pdf
FIDO Alliance Osaka Seminar: The WebAuthn API and Discoverable Credentials.pdf
FIDO Alliance
 
Builder.ai Founder Sachin Dev Duggal's Strategic Approach to Create an Innova...
Builder.ai Founder Sachin Dev Duggal's Strategic Approach to Create an Innova...Builder.ai Founder Sachin Dev Duggal's Strategic Approach to Create an Innova...
Builder.ai Founder Sachin Dev Duggal's Strategic Approach to Create an Innova...
Ramesh Iyer
 
Designing Great Products: The Power of Design and Leadership by Chief Designe...
Designing Great Products: The Power of Design and Leadership by Chief Designe...Designing Great Products: The Power of Design and Leadership by Chief Designe...
Designing Great Products: The Power of Design and Leadership by Chief Designe...
Product School
 
Dev Dives: Train smarter, not harder – active learning and UiPath LLMs for do...
Dev Dives: Train smarter, not harder – active learning and UiPath LLMs for do...Dev Dives: Train smarter, not harder – active learning and UiPath LLMs for do...
Dev Dives: Train smarter, not harder – active learning and UiPath LLMs for do...
UiPathCommunity
 
Mission to Decommission: Importance of Decommissioning Products to Increase E...
Mission to Decommission: Importance of Decommissioning Products to Increase E...Mission to Decommission: Importance of Decommissioning Products to Increase E...
Mission to Decommission: Importance of Decommissioning Products to Increase E...
Product School
 
Knowledge engineering: from people to machines and back
Knowledge engineering: from people to machines and backKnowledge engineering: from people to machines and back
Knowledge engineering: from people to machines and back
Elena Simperl
 
Smart TV Buyer Insights Survey 2024 by 91mobiles.pdf
Smart TV Buyer Insights Survey 2024 by 91mobiles.pdfSmart TV Buyer Insights Survey 2024 by 91mobiles.pdf
Smart TV Buyer Insights Survey 2024 by 91mobiles.pdf
91mobiles
 
The Art of the Pitch: WordPress Relationships and Sales
The Art of the Pitch: WordPress Relationships and SalesThe Art of the Pitch: WordPress Relationships and Sales
The Art of the Pitch: WordPress Relationships and Sales
Laura Byrne
 
Software Delivery At the Speed of AI: Inflectra Invests In AI-Powered Quality
Software Delivery At the Speed of AI: Inflectra Invests In AI-Powered QualitySoftware Delivery At the Speed of AI: Inflectra Invests In AI-Powered Quality
Software Delivery At the Speed of AI: Inflectra Invests In AI-Powered Quality
Inflectra
 
Leading Change strategies and insights for effective change management pdf 1.pdf
Leading Change strategies and insights for effective change management pdf 1.pdfLeading Change strategies and insights for effective change management pdf 1.pdf
Leading Change strategies and insights for effective change management pdf 1.pdf
OnBoard
 
Unsubscribed: Combat Subscription Fatigue With a Membership Mentality by Head...
Unsubscribed: Combat Subscription Fatigue With a Membership Mentality by Head...Unsubscribed: Combat Subscription Fatigue With a Membership Mentality by Head...
Unsubscribed: Combat Subscription Fatigue With a Membership Mentality by Head...
Product School
 
How world-class product teams are winning in the AI era by CEO and Founder, P...
How world-class product teams are winning in the AI era by CEO and Founder, P...How world-class product teams are winning in the AI era by CEO and Founder, P...
How world-class product teams are winning in the AI era by CEO and Founder, P...
Product School
 
Slack (or Teams) Automation for Bonterra Impact Management (fka Social Soluti...
Slack (or Teams) Automation for Bonterra Impact Management (fka Social Soluti...Slack (or Teams) Automation for Bonterra Impact Management (fka Social Soluti...
Slack (or Teams) Automation for Bonterra Impact Management (fka Social Soluti...
Jeffrey Haguewood
 
Epistemic Interaction - tuning interfaces to provide information for AI support
Epistemic Interaction - tuning interfaces to provide information for AI supportEpistemic Interaction - tuning interfaces to provide information for AI support
Epistemic Interaction - tuning interfaces to provide information for AI support
Alan Dix
 
FIDO Alliance Osaka Seminar: FIDO Security Aspects.pdf
FIDO Alliance Osaka Seminar: FIDO Security Aspects.pdfFIDO Alliance Osaka Seminar: FIDO Security Aspects.pdf
FIDO Alliance Osaka Seminar: FIDO Security Aspects.pdf
FIDO Alliance
 
Assuring Contact Center Experiences for Your Customers With ThousandEyes
Assuring Contact Center Experiences for Your Customers With ThousandEyesAssuring Contact Center Experiences for Your Customers With ThousandEyes
Assuring Contact Center Experiences for Your Customers With ThousandEyes
ThousandEyes
 
Key Trends Shaping the Future of Infrastructure.pdf
Key Trends Shaping the Future of Infrastructure.pdfKey Trends Shaping the Future of Infrastructure.pdf
Key Trends Shaping the Future of Infrastructure.pdf
Cheryl Hung
 
AI for Every Business: Unlocking Your Product's Universal Potential by VP of ...
AI for Every Business: Unlocking Your Product's Universal Potential by VP of ...AI for Every Business: Unlocking Your Product's Universal Potential by VP of ...
AI for Every Business: Unlocking Your Product's Universal Potential by VP of ...
Product School
 
GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using Deplo...
GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using Deplo...GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using Deplo...
GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using Deplo...
James Anderson
 

Recently uploaded (20)

GenAISummit 2024 May 28 Sri Ambati Keynote: AGI Belongs to The Community in O...
GenAISummit 2024 May 28 Sri Ambati Keynote: AGI Belongs to The Community in O...GenAISummit 2024 May 28 Sri Ambati Keynote: AGI Belongs to The Community in O...
GenAISummit 2024 May 28 Sri Ambati Keynote: AGI Belongs to The Community in O...
 
FIDO Alliance Osaka Seminar: The WebAuthn API and Discoverable Credentials.pdf
FIDO Alliance Osaka Seminar: The WebAuthn API and Discoverable Credentials.pdfFIDO Alliance Osaka Seminar: The WebAuthn API and Discoverable Credentials.pdf
FIDO Alliance Osaka Seminar: The WebAuthn API and Discoverable Credentials.pdf
 
Builder.ai Founder Sachin Dev Duggal's Strategic Approach to Create an Innova...
Builder.ai Founder Sachin Dev Duggal's Strategic Approach to Create an Innova...Builder.ai Founder Sachin Dev Duggal's Strategic Approach to Create an Innova...
Builder.ai Founder Sachin Dev Duggal's Strategic Approach to Create an Innova...
 
Designing Great Products: The Power of Design and Leadership by Chief Designe...
Designing Great Products: The Power of Design and Leadership by Chief Designe...Designing Great Products: The Power of Design and Leadership by Chief Designe...
Designing Great Products: The Power of Design and Leadership by Chief Designe...
 
Dev Dives: Train smarter, not harder – active learning and UiPath LLMs for do...
Dev Dives: Train smarter, not harder – active learning and UiPath LLMs for do...Dev Dives: Train smarter, not harder – active learning and UiPath LLMs for do...
Dev Dives: Train smarter, not harder – active learning and UiPath LLMs for do...
 
Mission to Decommission: Importance of Decommissioning Products to Increase E...
Mission to Decommission: Importance of Decommissioning Products to Increase E...Mission to Decommission: Importance of Decommissioning Products to Increase E...
Mission to Decommission: Importance of Decommissioning Products to Increase E...
 
Knowledge engineering: from people to machines and back
Knowledge engineering: from people to machines and backKnowledge engineering: from people to machines and back
Knowledge engineering: from people to machines and back
 
Smart TV Buyer Insights Survey 2024 by 91mobiles.pdf
Smart TV Buyer Insights Survey 2024 by 91mobiles.pdfSmart TV Buyer Insights Survey 2024 by 91mobiles.pdf
Smart TV Buyer Insights Survey 2024 by 91mobiles.pdf
 
The Art of the Pitch: WordPress Relationships and Sales
The Art of the Pitch: WordPress Relationships and SalesThe Art of the Pitch: WordPress Relationships and Sales
The Art of the Pitch: WordPress Relationships and Sales
 
Software Delivery At the Speed of AI: Inflectra Invests In AI-Powered Quality
Software Delivery At the Speed of AI: Inflectra Invests In AI-Powered QualitySoftware Delivery At the Speed of AI: Inflectra Invests In AI-Powered Quality
Software Delivery At the Speed of AI: Inflectra Invests In AI-Powered Quality
 
Leading Change strategies and insights for effective change management pdf 1.pdf
Leading Change strategies and insights for effective change management pdf 1.pdfLeading Change strategies and insights for effective change management pdf 1.pdf
Leading Change strategies and insights for effective change management pdf 1.pdf
 
Unsubscribed: Combat Subscription Fatigue With a Membership Mentality by Head...
Unsubscribed: Combat Subscription Fatigue With a Membership Mentality by Head...Unsubscribed: Combat Subscription Fatigue With a Membership Mentality by Head...
Unsubscribed: Combat Subscription Fatigue With a Membership Mentality by Head...
 
How world-class product teams are winning in the AI era by CEO and Founder, P...
How world-class product teams are winning in the AI era by CEO and Founder, P...How world-class product teams are winning in the AI era by CEO and Founder, P...
How world-class product teams are winning in the AI era by CEO and Founder, P...
 
Slack (or Teams) Automation for Bonterra Impact Management (fka Social Soluti...
Slack (or Teams) Automation for Bonterra Impact Management (fka Social Soluti...Slack (or Teams) Automation for Bonterra Impact Management (fka Social Soluti...
Slack (or Teams) Automation for Bonterra Impact Management (fka Social Soluti...
 
Epistemic Interaction - tuning interfaces to provide information for AI support
Epistemic Interaction - tuning interfaces to provide information for AI supportEpistemic Interaction - tuning interfaces to provide information for AI support
Epistemic Interaction - tuning interfaces to provide information for AI support
 
FIDO Alliance Osaka Seminar: FIDO Security Aspects.pdf
FIDO Alliance Osaka Seminar: FIDO Security Aspects.pdfFIDO Alliance Osaka Seminar: FIDO Security Aspects.pdf
FIDO Alliance Osaka Seminar: FIDO Security Aspects.pdf
 
Assuring Contact Center Experiences for Your Customers With ThousandEyes
Assuring Contact Center Experiences for Your Customers With ThousandEyesAssuring Contact Center Experiences for Your Customers With ThousandEyes
Assuring Contact Center Experiences for Your Customers With ThousandEyes
 
Key Trends Shaping the Future of Infrastructure.pdf
Key Trends Shaping the Future of Infrastructure.pdfKey Trends Shaping the Future of Infrastructure.pdf
Key Trends Shaping the Future of Infrastructure.pdf
 
AI for Every Business: Unlocking Your Product's Universal Potential by VP of ...
AI for Every Business: Unlocking Your Product's Universal Potential by VP of ...AI for Every Business: Unlocking Your Product's Universal Potential by VP of ...
AI for Every Business: Unlocking Your Product's Universal Potential by VP of ...
 
GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using Deplo...
GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using Deplo...GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using Deplo...
GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using Deplo...
 

Automated code audits

  • 1. Automatic code audits Rotterdam, Nederland, October 9th 010PHP
  • 2. Definition A kind of code analysis where the code is reviewed without running it. Just like we would do ourselves!
  • 3. Who is speaking? Damien Seguy CTO at exakat Phather of the plush toy elePHPant Back from China Stepping up automated code audit services
  • 4.
  • 5. Internals Code AST Analyze Report
  • 6.
  • 7. <?php! function x($a) { return $a; } x(1, 2); ?>
  • 8. Found Dead code Undefined structures Unused structures Illogical exp. Slow code Bad practices Unsafe code Maintainability Bug issue Ancient style Uninitialized vars Taint propagation
  • 9. <?php switch ($this->consume()) { case "x09": case "x0A": case "x0B": case "x0B": case "x0C": case "x20": case "x3C": case "x26": case false: break; case "x23": switch ($this->consume()) { case "x78": case "x58": $range = '0123456789ABCDEFabcdef'; $hex = true; break; } }{ ?>
  • 10. protected function openString($end, &$out=null, $nestingOpen, $rejectStrs = null) $nestingLevel = $count = 0; $content = array(); while ($this->match($patt, $m, false)) { $tok = $m[2]; if ($tok == "@{" && $this->interpolation($inter)) { $content[] = $inter; continue; } if (!empty($rejectStrs) && in_array($tok, $rejectStrs)) { $ount = null; break; } $content[] = $tok; $count += strlen($tok); } $this->eatWhiteDefault = $oldWhite; if (count($content) == 0) return false; $out = array("string", "", $content); return true; }
  • 11. Spot bugs early Code Test PreProd Production Run it at commit Run it as audit
  • 12. Static audit vs Unit test No running 100% of the code Symbolic testing Little configuration Has false positive Mostly internal Needs dedicated servers Will only scan a part Test only provided data Write scenario Has false negative Can be handed to users
  • 13. When does it help Help port to a new system Search for weak code fragments Audit external libraries Hint at refactoring
  • 14. Report Bugs Useless code Suggestions
  • 15. Bugs <?php ! ! if($content = file_get_contents($file)) { $content = trim($content); $content = substr($content, -2) == '?>' ? substr($content, 0, -2) : $content; } ! return true;! ?> !
  • 16. Useless code <?php! ! // inside a legit class $this->module->xmlRequest; $_G['setting']['debug']; $post['usesig'] ? ($_G['setting']['sigviewcond'] ? (strlen($post['message']) > $_G['setting']['sigviewcond'] ?! ! ! ! ! $post['signature'] : '') ! ! ! ! ! ! : $post['signature']) : ''; ?> !
  • 17. Suggestions <?php ! // Nested ternary should be turned into if then structures $operation == 'ENCODE' ? sprintf('%010d', $expiry ? $expiry + time( ) : 0) . substr(($string . $egiskeys), 0, 16) . $string : base64_decode(substr($string, $key_length)) // Multiply by one is useless SetCache($prefix, $key, $row, 60*60*1); // Portable syntax $bits = split('.', $string); $y = $bits[0]; ! // Modern syntax $y = split('.', $string)[0]; ?> !
  • 18. Where it doesn’t help Unit tests Architecture Old traditions that won’t change Semantic errors
  • 19. Architecture No framework context Conception is done before coding Of course! Static audit will report standards, not norms
  • 20. Old traditions <?php $pna = explode(')(', $pn); while (list($k, $v) = each($pna)) { $lst = explode('"', $v); if (isset($lst[3])) { $pn[$lst[1]] = $lst[3]; } else { $pn[$lst[1]] = ''; } } ?> 10 % of current applications uses this instead of foreach()
  • 21. Semantic errors <?php $babycarriage = new carriage(); $wheel1 = new Racingwheel(); $wheel2 = new Racingwheel(); $wheel3 = new Racingwheel(); $wheel4 = new Rhinoceros(); $babycarriage->installWheels($wheel1, # # # # # # # # # # # # # $wheel2, # # # # # # # # # # # $wheel3, # # # # # # # # # # # $wheel4); ?> Undefined classes : Vehicle, Racingwheel, Rhinoceros
  • 23. Available analyzers PHP code sniffer PHP MD Scrutinizer-ci Fortify insight from Sensio
  • 25. THE END http://010php.nl/ http://www.meetup.com/010PHP/