Welcome to the 6th episode of our Security Culture Campaign! On today’s show Matt Konda talks Static Analysis.

There are a lot of static analysis tools out there. The simplest might be eslint , for which there are even security rulesets - the docs for which have some handy illustrations for the types of things these tools can find.

We recommend:

1. Using a linter locally in your code editor if applicable - but only if applicable
2. Using a static analysis tool in your CI/CD pipeline - if it finds useful things
3. Assuming you may need to spend time tuning the tool to get the results you want
4. Start with free tools and build the process and habit, then consider using commercial tools
5. Augment static analysis with code review
6. Consider an assisted code review strategy

Read more on the blog.

Click here for the associated YouTube video.

The Jemurai Security Culture Campaign Series is a stream of topical content released every Thursday intended to help developers think about security in a particular area. The content will be available in associated videos, podcasts and blog posts.

Click here to request a topic.

Matt is a software engineer. He's our CEO and former Chair & OWASP Board Member.