Copyright © The OWASP Foundation
Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License.
The OWASP Foundation
OWASP
http://www.owasp.org
Selling Static Code Analysis: how to start fast and finish strong
Darren Meyer
@dm914
http://about.me/darrenpmeyer
Sep 13, 2011
OWASP 2
Overview
Convincing management
Selling Process over Product
Getting development team partnership
Quick start
Integrating with your SDLC
Expanding your SSA program
Convincing management
Frame the Problem
Define the Solution Space
Demonstrate Specific Fit
Focus on Management concerns
Care about:
  Cost
  Evidence of due care
  Proof of improvement
  Benefit to core objectives: take smart risks, make more money, gain political capital
Don't care about:
  FUD (besides, it will bite you anyway)
  "Moral correctness"
  Security technology
Define a solution that addresses them
Control cost by finding defects early
Provide a documented, repeatable security testing process
Provide trend reporting on the security quality of production software
Security is Quality
Cost control
And tie it back to core objectives
Take smart risks? Increased knowledge of risks means you can accept risk thoughtfully.
Make more money? Reducing cost shows up on the bottom line; early fixes mean being faster to market.
Gain political capital? Measurably improving security is a nice "feather"; measurably improving quality is even better.
Introduce a solution that fits
Static Code Analysis meets all these objectives; we need technology that makes it practical
Selling Process over Product
Security is Quality
Static Code Analysis is a Quality Assurance process
The process is too expensive and time-consuming without technology to automate major portions
Quality
Performance
Usability
Suitability
Reliability
Reusability
Security
Plan
Author
Test
Improve
Report
(Diagram callouts: "Technology helps here" and "And here", pointing at stages of this cycle.)
Building your army
Developers are not the enemy: they’re your best ally
Focus on development concerns
Care about:
  Delivering quality software (quality means "meets requirements")
  Releasing on time
  Fewer surprises during UAT
  Security (really!)
Don't care about:
  Anything untestable
  Politics
  Developer "performance" measurements (too easy to game)
Define a solution that addresses them
Provide clear security requirements
Make them reliably testable
Get results continuously
Security is Quality
Introduce a solution that fits
Static Code Analysis meets all these objectives; we need technology that makes it practical
And another thing…
The number one resistance to Static Analysis is fear of measurement:
Commit to a strict NO PUNISHMENT policy
Don't capture what happens outside of QA
Commit to educating management on why security defects aren't a measure of developer quality
Show that you get it – you’re on the same side
You only have one goal
"We want this! When can we have it?"
Quick start
The "right way" takes years
  Processes and governance are hard
  Must be established iteratively
You need to return value sooner than that:
  Deploy build-only
  Buy a Center of Excellence
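What "deploy build-only" looks like in practice, as an added example that is not part of the deck: run the analyzer in the build, match this build's findings against the previous build's by a stable fingerprint, and emit the trend numbers management asked for (new, fixed, net change by severity) without failing the build, which is the "no punishment" policy from the developer slides. The script assumes a simplified, SARIF-like JSON report with a top-level "results" list whose entries carry a ruleId, a level, a file location and a fingerprint that is stable across runs; the two reports embedded below are constructed sample data, not output from any real tool, and the function names are the author's own.

```python
"""Build-integrated static-analysis trend report (added example, not from the deck).

Assumes a simplified, SARIF-like JSON report: a top-level "results" list in
which each result has ruleId, level (error/warning/note), a fingerprint that
is stable across builds, and a file/line location. BASELINE_JSON and
CURRENT_JSON are constructed sample data.
"""
import json
from collections import Counter

# Constructed sample: the previous build's findings (the baseline).
BASELINE_JSON = json.dumps({"results": [
    {"ruleId": "sql-injection", "level": "error", "fingerprint": "a1", "file": "db.py", "line": 40},
    {"ruleId": "weak-hash", "level": "warning", "fingerprint": "b2", "file": "auth.py", "line": 12},
    {"ruleId": "debug-enabled", "level": "note", "fingerprint": "c3", "file": "app.py", "line": 3},
]})

# Constructed sample: this build's findings. a1 was fixed, b2 persists
# (its line moved but the fingerprint is the same), d4 and e5 are new.
CURRENT_JSON = json.dumps({"results": [
    {"ruleId": "weak-hash", "level": "warning", "fingerprint": "b2", "file": "auth.py", "line": 15},
    {"ruleId": "path-traversal", "level": "error", "fingerprint": "d4", "file": "files.py", "line": 88},
    {"ruleId": "debug-enabled", "level": "note", "fingerprint": "c3", "file": "app.py", "line": 3},
    {"ruleId": "hardcoded-secret", "level": "warning", "fingerprint": "e5", "file": "cfg.py", "line": 7},
]})


def load_findings(report_json):
    """Index a report by fingerprint so findings can be matched across builds."""
    return {r["fingerprint"]: r for r in json.loads(report_json)["results"]}


def compare(baseline_json, current_json):
    """Classify this build's findings as new, fixed, or persisting vs. the baseline."""
    base = load_findings(baseline_json)
    cur = load_findings(current_json)
    new = [cur[f] for f in cur.keys() - base.keys()]
    fixed = [base[f] for f in base.keys() - cur.keys()]
    persisting = [cur[f] for f in cur.keys() & base.keys()]
    return {"new": new, "fixed": fixed, "persisting": persisting}


def trend_summary(delta):
    """The numbers worth charting build over build: counts per severity."""
    return {
        "new_by_level": dict(Counter(r["level"] for r in delta["new"])),
        "fixed_by_level": dict(Counter(r["level"] for r in delta["fixed"])),
        "open_total": len(delta["new"]) + len(delta["persisting"]),
        "net_change": len(delta["new"]) - len(delta["fixed"]),
    }


def build_exit_code(delta, gate_new_errors=False):
    """Report-only by default: findings never fail the build.

    Only if the team opts in (gate_new_errors=True) does a *new* error-level
    finding fail the build; pre-existing debt is never the reason for a red build.
    """
    if gate_new_errors and any(r["level"] == "error" for r in delta["new"]):
        return 1
    return 0


if __name__ == "__main__":
    delta = compare(BASELINE_JSON, CURRENT_JSON)
    print(json.dumps(trend_summary(delta), indent=2))
    for r in delta["new"]:
        print(f"NEW   {r['level']:8} {r['ruleId']} {r['file']}:{r['line']}")
    for r in delta["fixed"]:
        print(f"FIXED {r['level']:8} {r['ruleId']} {r['file']}:{r['line']}")
    raise SystemExit(build_exit_code(delta))
```

Matching on a stable fingerprint rather than on file and line is what makes the trend honest: a finding that merely moved because code above it changed stays "persisting" instead of showing up as one fix and one new defect. Keeping the gate off until the team asks for it is the point of the "build-only" quick start: the first goal is continuous results and a trend line, not a tollgate.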
Integrating with your SDLC
You don’t win until Security is Quality
Focus on outcomes, not tollgates
Avoid write-only documentation
Community Involvement
Local OWASP Chapter
  https://www.owasp.org/index.php/Category:OWASP_Chapter
Local DefCON groups (e.g. DC612)
  http://dc612.org
Local Hackerspaces (e.g. Hack Factory)
  http://tcmaker.org
  http://hackerspaces.org