The role of program analysis in web security
09 May 2024
Improving security in web applications remains a secondary concern for many software developers, who often overlook vital principles during the design and architecture phases. Security testing is frequently outsourced after development to analysts, potentially from external entities, with limited familiarity with the codebase. As a result, these analysts rely heavily on intuition to detect vulnerabilities. This lecture explains how program analysis techniques can facilitate the shift-left approach, integrating security testing into earlier stages of the software development lifecycle. By catching bugs sooner, developers can enhance software integrity. Drawing on our experience building web security tools at Oracle, we describe our solutions to prevalent challenges. We also examine ongoing hurdles based on user feedback, paving the way for future advancements in the development of secure web applications.
Venue: Language-Based Security Course at Chalmers University of Technology
File Name: Chalmers-web-security-lecture.pdf