Steven Teilhet, head security researcher for IBM Security AppScan Source Edition, explains how rules are developed for the IBM Security AppScan Source static analysis tool, details how this process works with Objective-C/C languages and the iOS framework, and exposes a new class of vulnerability you'll run into with these languages: predicate injection. (8:33)
In the second video, Teilhet explains the three easy steps to follow to perform your first iOS app scan with IBM Security AppScan:
- Add the Objective-C scan rule set.
- Add delegate markup.
- Resolve lost sinks. (A sink is the desired output for a data trace; a lost sink is a node at which the trace stops because it doesn't know what to do with the node's code.)
For more on sinks and how AppScan Source trace works, see the blog entry and video "Static analysis defined in under five minutes." (10:16)