OWASP Find Security Bugs: The community static code analyzer

Tools track (716AB), October 9, 2019, 4:00 pm - 5:00 pm

Philippe Arteau

The web application development lifecycle includes numerous security activities, and for developers code review is the most familiar recurring one. To support Java developers, a project called "Find Security Bugs" (FSB) was started in 2012. It is an extension (a detector plugin) of the SpotBugs project, formerly known as FindBugs. FSB is a community static analysis tool that targets specific vulnerability classes, and over the years it has evolved from a tool with limited coverage to one with solid coverage of security bug patterns. It is now used in many large corporations to support automated code review.

In this presentation, you will learn about its high-level internals and heuristics, and about its integration into developers' IDEs and continuous integration environments. A selection of vulnerabilities found by the tool in popular applications, including Spring and Struts, will be explained. For each of these vulnerabilities, we will review the affected component, the issue reported by the tool, the method used to analyze the report, and an overview of the potential risks. Along the way, you will learn a few tips for increasing your efficiency with the tool. After observing these real-world vulnerabilities, we will conclude with lessons learned from maintaining this open-source project for close to 8 years, covering both the successes and the failures of its development initiatives.
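The continuous integration setup the abstract refers to is, in practice, SpotBugs running with the FSB detector plugin loaded as part of the build. The following Maven configuration is an added illustration written for this page, not code from the talk or from the FSB project; it uses the public spotbugs-maven-plugin and findsecbugs-plugin coordinates, but the version numbers and the include-filter file name are assumptions that you should replace with the releases and filter you actually use.

```xml
<!-- Added example (not from the talk or the FSB project): run SpotBugs with the
     Find Security Bugs detectors during `mvn verify` and fail the build on findings.
     Version numbers and the filter file name are assumptions; adjust them. -->
<build>
  <plugins>
    <plugin>
      <groupId>com.github.spotbugs</groupId>
      <artifactId>spotbugs-maven-plugin</artifactId>
      <version>4.0.0</version> <!-- assumed version -->
      <configuration>
        <!-- Max effort and Low threshold so no security detector is skipped -->
        <effort>Max</effort>
        <threshold>Low</threshold>
        <!-- Restrict reporting to the SECURITY category (assumed filter file,
             see the FSB documentation for its contents) -->
        <includeFilterFile>spotbugs-security-include.xml</includeFilterFile>
        <!-- Load the FSB detectors into SpotBugs as a plugin -->
        <plugins>
          <plugin>
            <groupId>com.h3xstream.findsecbugs</groupId>
            <artifactId>findsecbugs-plugin</artifactId>
            <version>1.10.1</version> <!-- assumed version -->
          </plugin>
        </plugins>
      </configuration>
      <executions>
        <execution>
          <!-- The `check` goal fails the build when bugs are reported,
               which is what makes this useful as a CI gate -->
          <goals>
            <goal>check</goal>
          </goals>
        </execution>
      </executions>
    </plugin>
  </plugins>
</build>
```

With this in place, `mvn verify` produces a SpotBugs report containing only FSB's security-category findings and fails the job when any are present; tune the include filter (or an exclude filter) rather than lowering the threshold when you need to suppress accepted findings, so that newly introduced patterns still break the build.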