SAST on Rewind: Moving from Pattern-Matching to Contextual Security in the Age of AI

Transcript

1. SAST on Rewind: Moving from Pattern‑Matching to Contextual Security in

   the Age of AI Austin OWASP - June 2025

2. Who Am I

3. Who Am I CEO & Co‑Founder, DryRun Security

4. Who Am I CEO & Co‑Founder, DryRun Security Formerly Signal

   Sciences, Verica, National Instruments, Mentor Graphics

5. Who Am I CEO & Co‑Founder, DryRun Security Formerly Signal

   Sciences, Verica, National Instruments, Mentor Graphics Started LASCON & 2007-2010 OWASP Austin Chapter Leader

6. The Moment We’re In

7. The Moment We’re In AI assistants now appear in every

   IDE

8. The Moment We’re In AI assistants now appear in every

   IDE Code volume ↑, code velocity ↑, review minutes ↓

9. The Moment We’re In AI assistants now appear in every

   IDE Code volume ↑, code velocity ↑, review minutes ↓ Legacy SAST dis-trust at all‑time high

10. The Moment We’re In AI assistants now appear in every

    IDE Code volume ↑, code velocity ↑, review minutes ↓ Legacy SAST dis-trust at all‑time high Breaches increasingly logic‑driven

11. Roadmap for the Next 40  Minutes

12. Roadmap for the Next 40  Minutes 1. Why Pattern Matching

    Isn’t Working in the AI Era

13. Roadmap for the Next 40  Minutes 1. Why Pattern Matching

    Isn’t Working in the AI Era 2. Why Probabilistic Scanning Beats Deterministic Scanning

14. Roadmap for the Next 40  Minutes 1. Why Pattern Matching

    Isn’t Working in the AI Era 2. Why Probabilistic Scanning Beats Deterministic Scanning 3. Contextual Security Analysis (SLIDE v1.1)

15. Roadmap for the Next 40  Minutes 1. Why Pattern Matching

    Isn’t Working in the AI Era 2. Why Probabilistic Scanning Beats Deterministic Scanning 3. Contextual Security Analysis (SLIDE v1.1) 4. 2025 SAST Accuracy Report

16. Roadmap for the Next 40  Minutes 1. Why Pattern Matching

    Isn’t Working in the AI Era 2. Why Probabilistic Scanning Beats Deterministic Scanning 3. Contextual Security Analysis (SLIDE v1.1) 4. 2025 SAST Accuracy Report 5. AI‑Readiness Roadmap for AppSec Teams

17. Section 1 - Why Pattern Matching Isn’t Working in the

    AI Era
18. None

19. ! AI‑Assisted Development

20. ! AI‑Assisted Development Copilot, Cursor, Windsurf accelerate commit tempo

21. ! AI‑Assisted Development Copilot, Cursor, Windsurf accelerate commit tempo More

    code paths, repos, & fewer human keystrokes

22. ! AI‑Assisted Development Copilot, Cursor, Windsurf accelerate commit tempo More

    code paths, repos, & fewer human keystrokes Early days of 24/7 coding agents generating pull requests unattended

23. Less Simple Security Bugs

24. Less Simple Security Bugs LLM autocomplete fixes common syntax errors

25. Less Simple Security Bugs LLM autocomplete fixes common syntax errors

    Linters now embedded in editors

26. Less Simple Security Bugs LLM autocomplete fixes common syntax errors

    Linters now embedded in editors If there's a public rule for a security issue, it can/will be learned

27. Less Simple Security Bugs LLM autocomplete fixes common syntax errors

    Linters now embedded in editors If there's a public rule for a security issue, it can/will be learned Pattern‑matchable flaws decline

28. Where this is now, and where it is going

29. If security fits in a rule, AI will learn it.

30. AI agents will be able to refactor to pass CI

    checks.

31. Bad Patterns ≠ Unknown Patterns

32. Bad Patterns ≠ Unknown Patterns Regexes see syntax, not intent

33. Bad Patterns ≠ Unknown Patterns Regexes see syntax, not intent

    Unknown ≈ logic that never existed before

34. Bad Patterns ≠ Unknown Patterns Regexes see syntax, not intent

    Unknown ≈ logic that never existed before Fund transfers, feature flags, auth, permissions, state logic

35. The AppSec Risk We Care About in 2025

36. The AppSec Risk We Care About in 2025 Insecure Direct

    Obj Ref (IDOR)

37. The AppSec Risk We Care About in 2025 Insecure Direct

    Obj Ref (IDOR) Broken object‑level authorization (BOLA)

38. The AppSec Risk We Care About in 2025 Insecure Direct

    Obj Ref (IDOR) Broken object‑level authorization (BOLA) Inconsistent tenant isolation

39. The AppSec Risk We Care About in 2025 Insecure Direct

    Obj Ref (IDOR) Broken object‑level authorization (BOLA) Inconsistent tenant isolation Race‑condition logic

40. The AppSec Risk We Care About in 2025 Insecure Direct

    Obj Ref (IDOR) Broken object‑level authorization (BOLA) Inconsistent tenant isolation Race‑condition logic ATO Primitives (e.g. Enumeration)

41. The AppSec Risk We Care About in 2025 Insecure Direct

    Obj Ref (IDOR) Broken object‑level authorization (BOLA) Inconsistent tenant isolation Race‑condition logic ATO Primitives (e.g. Enumeration) SSRF (Server Side Req Forgery)

42. The AppSec Risk We Care About in 2025 Insecure Direct

    Obj Ref (IDOR) Broken object‑level authorization (BOLA) Inconsistent tenant isolation Race‑condition logic ATO Primitives (e.g. Enumeration) SSRF (Server Side Req Forgery) Mass Assignment

43. The AppSec Risk We Care About in 2025 Insecure Direct

    Obj Ref (IDOR) Broken object‑level authorization (BOLA) Inconsistent tenant isolation Race‑condition logic ATO Primitives (e.g. Enumeration) SSRF (Server Side Req Forgery) Mass Assignment Workflow Abuse

44. IDOR: Insecure Direct Object Reference When “42” is all an

    attacker needs

45. What is IDOR?

46. What is IDOR? An access-control flaw: the app exposes an

    internal object ID and then trusts the caller is allowed to use it.

47. What is IDOR? An access-control flaw: the app exposes an

    internal object ID and then trusts the caller is allowed to use it. Typical pattern: /orders/42, /api/user?id=7, or a GraphQL node(id:"123").

48. What is IDOR? An access-control flaw: the app exposes an

    internal object ID and then trusts the caller is allowed to use it. Typical pattern: /orders/42, /api/user?id=7, or a GraphQL node(id:"123"). Lives under Broken Object-Level Authorization (BOLA) in the OWASP API Top 10.

49. Vulnerable Flask Endpoint @app.route("/orders/<int:order_id>") @login_required def show(order_id): order = Order.query.get_or_404(order_id)

    # no ownership check return jsonify(order.to_dict())

50. Vulnerable Flask Endpoint @app.route("/orders/<int:order_id>") @login_required def show(order_id): order = Order.query.get_or_404(order_id)

    # no ownership check return jsonify(order.to_dict()) The route authenticates the user but never checks the owner of the order.

51. Vulnerable Flask Endpoint @app.route("/orders/<int:order_id>") @login_required def show(order_id): order = Order.query.get_or_404(order_id)

    # no ownership check return jsonify(order.to_dict()) The route authenticates the user but never checks the owner of the order. Sequential IDs (1, 2, 3 …) make the bug easy to find via fuzzing.

52. Exploitation in One Command # Logged in as Alice (user_id

    = 5) curl -b session=alice_cookie \ https://shop.local/orders/17 # 17 belongs to Bob

53. Exploitation in One Command # Logged in as Alice (user_id

    = 5) curl -b session=alice_cookie \ https://shop.local/orders/17 # 17 belongs to Bob Server happily returns Bob’s order JSON—violation of confidentiality.

54. Exploitation in One Command # Logged in as Alice (user_id

    = 5) curl -b session=alice_cookie \ https://shop.local/orders/17 # 17 belongs to Bob Server happily returns Bob’s order JSON—violation of confidentiality. Attack scales: enumerate /orders/1…1000 or script it with python requests.

55. Fixing IDOR/BOLA @app.route("/orders/<int:order_id>") @login_required def show(order_id): order = Order.query.get_or_404(order_id) if

    order.user_id != current_user.id: # ownership check abort(403) return jsonify(order.to_dict())

56. Fixing IDOR/BOLA @app.route("/orders/<int:order_id>") @login_required def show(order_id): order = Order.query.get_or_404(order_id) if

    order.user_id != current_user.id: # ownership check abort(403) return jsonify(order.to_dict()) Always perform an authorization gate after fetching the object.

57. Fixing IDOR/BOLA @app.route("/orders/<int:order_id>") @login_required def show(order_id): order = Order.query.get_or_404(order_id) if

    order.user_id != current_user.id: # ownership check abort(403) return jsonify(order.to_dict()) Always perform an authorization gate after fetching the object. Also, should swap numeric IDs for UUIDs plus the check

58. API‑First = Auth‑First

59. API‑First = Auth‑First Every endpoint is a door

60. API‑First = Auth‑First Every endpoint is a door Permission vs.

    Role vs. Key

61. API‑First = Auth‑First Every endpoint is a door Permission vs.

    Role vs. Key Regex is of limited use

62. SSRF – Server‑Side Request Forgery When your server becomes the

    attacker’s proxy

63. What is SSRF?

64. What is SSRF? The app lets users supply a URL

    or host, then the server fetches it on their behalf.

65. What is SSRF? The app lets users supply a URL

    or host, then the server fetches it on their behalf. Attackers point that request inside the perimeter (e.g. cloud metadata)

66. What is SSRF? The app lets users supply a URL

    or host, then the server fetches it on their behalf. Attackers point that request inside the perimeter (e.g. cloud metadata) OWASP ranks SSRF as a top‑10 risk because firewalls usually trust outbound traffic.

67. Vulnerable Flask Endpoint (Python) import requests from flask import Flask,

    request, jsonify app = Flask(__name__) @app.route("/fetch") def fetch(): url = request.args.get("url") # ! untrusted input data = requests.get(url, timeout=3).text return jsonify({"preview": data[:200]}) Bug: any visitor can make the server GET whatever URL they like.

68. Exploitation in One Command curl "https://owasp.org/fetch? url=http://169.254.169.254/ latest/meta-data/iam/security-credentials/"

69. Exploitation in One Command curl "https://owasp.org/fetch? url=http://169.254.169.254/ latest/meta-data/iam/security-credentials/" The server

    lives on AWS and reaches the instance metadata service, then leaks temporary credentials back to the attacker.

70. TL;DR SSRF exploits the gap between who asks and who

    fetches. Regex is hard for this.

71. Capital One 2019 Breach The attacker gained access to a

    set of AWS access keys by accessing the AWS EC2 metadata service via a SSRF vulnerability. There is evidence that the application that was targeted was behind a Web Application Firewall (ModSecurity) but either a bypass was used or the WAF was not configured to block attacks (logging mode). The keys essentially allowed the attacker to list and sync the S3 buckets to a local disk thereby providing access to all the data contained in them. source: https://blog.appsecco.com/an-ssrf-privileged-aws-keys-and-the-capital- one-breach-4c3c2cded3af

72. ! The Application Is The Target

73. ! The Application Is The Target Priv Escalation at Shopify

    https://www.appsecure.security/blog/shopify-bug-bounty- write-up-exploiting-access-controls

74. ! The Application Is The Target Priv Escalation at Shopify

    https://www.appsecure.security/blog/shopify-bug-bounty- write-up-exploiting-access-controls IDOR at Uber Eats https://0xprial.com/idor-leads-to-leak-any-uber-eats-restaurant- analytics/

75. ! The Application Is The Target Priv Escalation at Shopify

    https://www.appsecure.security/blog/shopify-bug-bounty- write-up-exploiting-access-controls IDOR at Uber Eats https://0xprial.com/idor-leads-to-leak-any-uber-eats-restaurant- analytics/ Data Leak via API at Peloton https://www.securitymagazine.com/articles/95146- pelotons-api-exposes-riders-private-data

76. ! The Application Is The Target Priv Escalation at Shopify

    https://www.appsecure.security/blog/shopify-bug-bounty- write-up-exploiting-access-controls IDOR at Uber Eats https://0xprial.com/idor-leads-to-leak-any-uber-eats-restaurant- analytics/ Data Leak via API at Peloton https://www.securitymagazine.com/articles/95146- pelotons-api-exposes-riders-private-data ...

77. The AppSec Risk We Care About in 2025

78. The AppSec Risk We Care About in 2025 Insecure Direct

    Obj Ref (IDOR)

79. The AppSec Risk We Care About in 2025 Insecure Direct

    Obj Ref (IDOR) Broken object‑level authorization (BOLA)

80. The AppSec Risk We Care About in 2025 Insecure Direct

    Obj Ref (IDOR) Broken object‑level authorization (BOLA) Inconsistent tenant isolation

81. The AppSec Risk We Care About in 2025 Insecure Direct

    Obj Ref (IDOR) Broken object‑level authorization (BOLA) Inconsistent tenant isolation Race‑condition logic

82. The AppSec Risk We Care About in 2025 Insecure Direct

    Obj Ref (IDOR) Broken object‑level authorization (BOLA) Inconsistent tenant isolation Race‑condition logic ATO Primitives (e.g. Enumeration)

83. The AppSec Risk We Care About in 2025 Insecure Direct

    Obj Ref (IDOR) Broken object‑level authorization (BOLA) Inconsistent tenant isolation Race‑condition logic ATO Primitives (e.g. Enumeration) SSRF (Server Side Req Forgery)

84. The AppSec Risk We Care About in 2025 Insecure Direct

    Obj Ref (IDOR) Broken object‑level authorization (BOLA) Inconsistent tenant isolation Race‑condition logic ATO Primitives (e.g. Enumeration) SSRF (Server Side Req Forgery) Mass Assignment

85. The AppSec Risk We Care About in 2025 Insecure Direct

    Obj Ref (IDOR) Broken object‑level authorization (BOLA) Inconsistent tenant isolation Race‑condition logic ATO Primitives (e.g. Enumeration) SSRF (Server Side Req Forgery) Mass Assignment Workflow Abuse

86. ! Talking with your CISO

87. ! Talking with your CISO Customers report $100k–$500k annual bounty

    spend just on IDOR

88. ! Talking with your CISO Customers report $100k–$500k annual bounty

    spend just on IDOR Attackers monetize auth gaps faster than ever

89. ! Talking with your CISO Customers report $100k–$500k annual bounty

    spend just on IDOR Attackers monetize auth gaps faster than ever Variant analysis consumes resources

90. A Reasoning Model Prompt Example to Build Business Case "Provide

    real world breach reports of IDOR in the last five years with links."

91. Section 1 Takeaways

92. Section 1 Takeaways Pattern matching chases yesteryear’s bugs

93. Section 1 Takeaways Pattern matching chases yesteryear’s bugs AI code

    generation mutates patterns rapidly

94. Section 1 Takeaways Pattern matching chases yesteryear’s bugs AI code

    generation mutates patterns rapidly Logic & auth flaws now dominate breach reports

95. Section 1 Takeaways Pattern matching chases yesteryear’s bugs AI code

    generation mutates patterns rapidly Logic & auth flaws now dominate breach reports The smartest AppSec teams are dealing with this issue today

96. Section 2 - Why Probabilistic Scanning Beats Deterministic Scanning

97. ! Deterministic Scanning

98. ! Deterministic Scanning Hard‑coded rules / regexes

99. ! Deterministic Scanning Hard‑coded rules / regexes Binary: match or

    no match

100. ! Deterministic Scanning Hard‑coded rules / regexes Binary: match or

     no match Low recall on novel logic
101. None

102. Probabilistic Scanning 101

103. Probabilistic Scanning 101 Scores evidence, not strings

104. Probabilistic Scanning 101 Scores evidence, not strings Accepts uncertainty; gives

     confidence levels

105. Probabilistic Scanning 101 Scores evidence, not strings Accepts uncertainty; gives

     confidence levels Considers the environment the change occurs in

106. Probabilistic Scanning 101 Scores evidence, not strings Accepts uncertainty; gives

     confidence levels Considers the environment the change occurs in Code ➡ Context

107. Why Context Signals Matter?

108. Why Context Signals Matter? Who wrote the code?

109. Why Context Signals Matter? Who wrote the code? What does

     the app do?

110. Why Context Signals Matter? Who wrote the code? What does

     the app do? What is the purpose of the change?

111. Why Context Signals Matter? Who wrote the code? What does

     the app do? What is the purpose of the change? Why is this change happening now?

112. Why Context Signals Matter? Who wrote the code? What does

     the app do? What is the purpose of the change? Why is this change happening now? Why was the code change needed?

113. Why Context Signals Matter? Who wrote the code? What does

     the app do? What is the purpose of the change? Why is this change happening now? Why was the code change needed? When does this code normally change?

114. Why Context Signals Matter? Who wrote the code? What does

     the app do? What is the purpose of the change? Why is this change happening now? Why was the code change needed? When does this code normally change? Has this developer been here before?

115. Why Context Signals Matter? Who wrote the code? What does

     the app do? What is the purpose of the change? Why is this change happening now? Why was the code change needed? When does this code normally change? Has this developer been here before? Does the code change meet our policy?

116. Noise ➞ Signal

117. Noise ➞ Signal 80% alert reduction in repos

118. Noise ➞ Signal 80% alert reduction in repos Developers experience

     <10% false‑positive rate

119. Advantages

120. Advantages Learns project conventions

121. Advantages Learns project conventions Flags anomalies beyond regex reach

122. Advantages Learns project conventions Flags anomalies beyond regex reach Prioritizes

     risk, not line count

123. From Probability to Context

124. From Probability to Context Scoring is great

125. From Probability to Context Scoring is great Contextual reasoning is

     better

126. From Probability to Context Scoring is great Contextual reasoning is

     better Enter SLIDE 2.0 (next section)

127. Probabilistic Contextual Scanning 201

128. Probabilistic Contextual Scanning 201 Validation

129. Probabilistic Contextual Scanning 201 Validation Includes agentic code tool access

130. Probabilistic Contextual Scanning 201 Validation Includes agentic code tool access

     Policy ➡ Primitives

131. Section 2 Takeaways

132. Section 2 Takeaways Determinism can’t keep up with AI

133. Section 2 Takeaways Determinism can’t keep up with AI Probabilistic

     analysis surface novel flaws

134. Section 2 Takeaways Determinism can’t keep up with AI Probabilistic

     analysis surface novel flaws Context is the multiplier

135. Section 3 Contextual Security Analysis (SLIDE 1.1)

136. What Is CSA?

137. What Is CSA? Multi‑signal analysis across code, developer, design, and

     intent

138. What Is CSA? Multi‑signal analysis across code, developer, design, and

     intent Treats code review like incident response

139. SLIDE 1.1 Framework

140. SLIDE 1.1 Framework Surface & APIs

141. SLIDE 1.1 Framework Surface & APIs Language & Framework idioms

142. SLIDE 1.1 Framework Surface & APIs Language & Framework idioms

     Intent and Purpose

143. SLIDE 1.1 Framework Surface & APIs Language & Framework idioms

     Intent and Purpose Design & Audience

144. SLIDE 1.1 Framework Surface & APIs Language & Framework idioms

     Intent and Purpose Design & Audience Environment & deployment

145. S — Surface & APIs

146. S — Surface & APIs Routes, code paths

147. S — Surface & APIs Routes, code paths Service mesh,

     queues, DBs

148. S — Surface & APIs Routes, code paths Service mesh,

     queues, DBs Trust boundaries

149. S — Surface & APIs Routes, code paths Service mesh,

     queues, DBs Trust boundaries Data flow diagrams

150. L — Language

151. L — Language Read the docs... all the docs

152. L — Language Read the docs... all the docs For

     every subsequent version too

153. L — Language Read the docs... all the docs For

     every subsequent version too Framework oddities and workarounds

154. I — Intent & Purpose

155. I — Intent & Purpose Business purpose & user journeys

156. I — Intent & Purpose Business purpose & user journeys

     The functional intent of the change

157. D — Design

158. D — Design Architectural patterns & component interfaces

159. D — Design Architectural patterns & component interfaces Domain &

     trust boundaries

160. D — Design Architectural patterns & component interfaces Domain &

     trust boundaries Threat modeling lite

161. E — Environment

162. E — Environment Infra as code configs

163. E — Environment Infra as code configs Secrets, runtime policy

164. E — Environment Infra as code configs Secrets, runtime policy

     Type of app

165. Demo This pull request reveals multiple security vulnerabilities in the

     GraphQL server, including missing authorization checks, potential resource exhaustion risks, and unauthorized mutations that could allow attackers to manipulate server-side actions without proper authentication or input validation.

166. Section 3 Takeaways

167. Section 3 Takeaways SLIDE provides a mental map to CSA

168. Section 3 Takeaways SLIDE provides a mental map to CSA

     Design, Intent, Environment matters as much as code

169. Section 3 Takeaways SLIDE provides a mental map to CSA

     Design, Intent, Environment matters as much as code Contextual Security Analysis is crazy cool

170. Section 4 2025 SAST Accuracy Report

171. Why Another Report?

172. Why Another Report? Marketing claims ≠ reality

173. Why Another Report? Marketing claims ≠ reality All testing is

     public

174. How We Tested

175. How We Tested 26 intentional vulnerability samples across 4 languages

176. How We Tested 26 intentional vulnerability samples across 4 languages

     Python, C#, Ruby, Java

177. How We Tested 26 intentional vulnerability samples across 4 languages

     Python, C#, Ruby, Java All tools run in GitHub in full commercial mode

178. How We Tested 26 intentional vulnerability samples across 4 languages

     Python, C#, Ruby, Java All tools run in GitHub in full commercial mode No tuning of any tool

179. Tools Evaluated

180. Tools Evaluated Semgrep

181. Tools Evaluated Semgrep SonarQube

182. Tools Evaluated Semgrep SonarQube CodeQL

183. Tools Evaluated Semgrep SonarQube CodeQL Snyk Code

184. Tools Evaluated Semgrep SonarQube CodeQL Snyk Code DryRun Security

185. Vulnerability Themes

186. Vulnerability Themes Classic: SQLi, XSS, ...

187. Vulnerability Themes Classic: SQLi, XSS, ... Logic: IDOR, Authz, ...

188. Scoring Formula Accuracy = (True Positives − False Negatives) /

     Total Samples No special weighting for difficulty or logic flaws

189. Headline Results

190. Headline Results DryRun Security: 88% accuracy

191. Headline Results DryRun Security: 88% accuracy Next best: 46%

192. Demo

193. Surprising details

194. Surprising details Classic vs. logic split

195. Surprising details Classic vs. logic split No corrections submitted

196. Section 4 Takeaways https://www.dryrun.security/sast-accuracy-report

197. Section 4 Takeaways https://www.dryrun.security/sast-accuracy-report Accuracy isn’t just detection, it's trust

     across teams

198. Section 5 AI‑Readiness Roadmap for AppSec Teams

199. The AI Surge Will Accelerate

200. The AI Surge Will Accelerate More code, more unknowns

201. The AI Surge Will Accelerate More code, more unknowns Security

     teams must scale context, not headcount

202. The AI Surge Will Accelerate More code, more unknowns Security

     teams must scale context, not headcount AI checking AI adoption pattern

203. Automated Code Policy Enforcement

204. Automated Code Policy Enforcement API Endpoint Authorization

205. Automated Code Policy Enforcement API Endpoint Authorization "It feels like

     I've cloned my appsec engineer"

206. 30 / 60 / 90‑Day Plan

207. 30 / 60 / 90‑Day Plan 30: Know what matters

     (IDOR, Authz, ...)

208. 30 / 60 / 90‑Day Plan 30: Know what matters

     (IDOR, Authz, ...) 60: Evaluate SAST efficacy & Fill Gaps

209. 30 / 60 / 90‑Day Plan 30: Know what matters

     (IDOR, Authz, ...) 60: Evaluate SAST efficacy & Fill Gaps 90: Deliver AI-native Code Policy Enforcement

210. GPT-4 vs. Snyk https://www.youtube.com/watch?v=ATN2bJizTFE&t=6s

211. Bonus

212. ! Thought Experiments: CSA Beyond Code Reviews

213. ! Thought Experiments: CSA Beyond Code Reviews Context isn’t only

     for pull requests

214. SOC Operations

215. SOC Operations Surface for codepath to owner

216. SOC Operations Surface for codepath to owner Language ➡ Monitor

217. SOC Operations Surface for codepath to owner Language ➡ Monitor

     Environment labeling

218. SCA & SBOMs

219. SCA & SBOMs Weight patching recommendations on Environment & Design

220. ASPM Platforms

221. ASPM Platforms Intent focused

222. ASPM Platforms Intent focused Labeling and correlation across events

223. One Graph, Many Uses

224. One Graph, Many Uses CSA as a knowledge graph

225. One Graph, Many Uses CSA as a knowledge graph Code

     review, SOC, SCA, SBOM, ASPM all contribute

226. One Graph, Many Uses CSA as a knowledge graph Code

     review, SOC, SCA, SBOM, ASPM all contribute Less duplication, more signal

227. Section 5 Takeaways

228. Section 5 Takeaways AI code requires AI defense

229. Section 5 Takeaways AI code requires AI defense Automate policy

     enforcement

230. Section 5 Takeaways AI code requires AI defense Automate policy

     enforcement Have a plan

231. Key Takeaways

232. Key Takeaways Pattern matching ≠ enough

233. Key Takeaways Pattern matching ≠ enough Probabilistic + context =

     future

234. Key Takeaways Pattern matching ≠ enough Probabilistic + context =

     future CSA proves accuracy today

235. You get a PDF and You get a PDF

236. You get a PDF and You get a PDF Contextual

     Security Analysis Guide (free PDF)

237. You get a PDF and You get a PDF Contextual

     Security Analysis Guide (free PDF) 2025 SAST Accuracy Report (free PDF)

238. You get a PDF and You get a PDF Contextual

     Security Analysis Guide (free PDF) 2025 SAST Accuracy Report (free PDF) These slides (also a... PDF!)

239. You get a PDF and You get a PDF Contextual

     Security Analysis Guide (free PDF) 2025 SAST Accuracy Report (free PDF) These slides (also a... PDF!) Drop an email ➡ [email protected]