Sunday 2:30 p.m.–3 p.m. in Room 26A/B/C

Types, Deeper Static Analysis, and you

Pieter Hooimeijer


Many projects already take advantage of static analysis tools like flake8, PyLint, and MyPy. Can we do better? In this talk, I'll discuss how to take a type checker, bolt on an interprocedural static analyzer, and delight your security team with high quality results. Abstract It is incredibly challenging to build a halfway decent static analysis tool for a dynamic language like Python. Fortunately, it gets quite a bit easier with Python type annotations. To explain why, I'll present a tool that finds security vulnerabilities by tracking dangerous flows of information interprocedurally across an entire codebase. **Then,** I'll demonstrate how that tool is really just a slightly slower, more sophisticated, type checker.