Static Application Security Testing uses static code analysis to automatically detect security vulnerabilities. Designing and implementing a successful SAST tool requires a firm grasp of mathematics, data structures and algorithms, which is why to many people this kind of technology appears to be black magic. In this tutorial I will demystify static analysis, explaining the most important concepts that make it work. I will also point out some advanced fields of research that interested attendees can read up on in their own time.

Eric Bodden is one of the leading experts on secure software engineering, with a specialty in building highly precise tools for automated program analysis. He is Professor for Software Engineering at Paderborn University and co-director of Fraunhofer IEM. Further, he is a member of the directorate of the Collaborative Research Center CROSSING at TU Darmstadt.

At Fraunhofer IEM, Bodden is heading the Attract-Group on Secure Software Engineering. In this function he is developing code analysis technology for security, in collaboration with the leading national and international software development companies. In 2014, the DFG awarded Bodden the Heinz Maier-Leibnitz-Preis. In 2013, BITKOM elected him into their mentoring program BITKOM Management Club.

Bodden is one of the chief maintainers of the Soot program analysis and optimization framework, a contributor to the AspectBench Compiler, the open research compiler for AspectJ, the inventor of the Clara and TamiFlex frameworks. Together with his research group, he has created the FlowDroid analysis framework for Android and the DroidBench benchmark suite.