Nick Jones presented "Static Analysis for Code and Infrastructure" at DevSecCon 2016. His talk covered the theory behind a number of the techniques commonly used to analyze applications.
Many will likely have seen or used static analysis tools in the past, but they’re often poorly understood. This talk covers the theory behind a number of the techniques commonly used to analyze applications, including taint checking and analysis of control flow graphs and field initializations.
After covering the benefits and pitfalls that these techniques bring to the table, it then goes on to address how best to fit these tools into your development environment and infrastructure, demonstrates how to catch software bugs early in your development cycle, and shows how analysis may be applied to infrastructure-as-code definitions.