AppSec USA 2011 - Selling Static Code Analysis
Presented as a pre-conference webcast for AppSec USA; recording of that webcast is available at http://www.ustream.tv/recorded/17252001

Covers selling the need for Static Code Analysis to management and development teams

Published in: Technology, Business
  1. Selling Static Code Analysis: how to start fast and finish strong
     Darren Meyer, @dm914, http://about.me/darrenpmeyer
     OWASP, Sep 13, 2011
     Copyright © The OWASP Foundation. Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License. The OWASP Foundation, http://www.owasp.org
  2. Overview
     • Convincing management
     • Selling Process over Product
     • Getting development team partnership
     • Quick start
     • Integrating with your SDLC
     • Expanding your SSA program
  3. Convincing management
     • Frame the Problem Space
     • Define the Solution
     • Demonstrate Specific Fit
  4. Focus on Management concerns
     Care about:
     • Cost
     • Evidence of due care
     • Proof of improvement
     • Benefit to core objectives: take smart risks, make more money, gain political capital
     Don't care about:
     • FUD (besides, it will bite you anyway)
     • "Moral correctness"
     • Security technology
  5. Define a solution that addresses them
     • Security is Quality
     • Control cost by finding defects early
     • Provide a documented, repeatable security testing process
     • Provide trend reporting on the security quality of production software
  6. Cost control
     [figure: cost-control chart; no text recovered from the slide]
  7. And tie it back to core objectives
     • Take smart risks? Increased knowledge of risks means you can accept risk thoughtfully
     • Make more money? Reducing cost shows up on the bottom line; early fixes mean being faster to market
     • Gain political capital? Measurably improving security is a nice "feather"; measurably improving quality is even better
  8. Introduce a solution that fits
     Static Code Analysis meets all these objectives; we need technology that makes it practical
  9. Selling Process over Product
     • Security is Quality
     • Static Code Analysis is a Quality Assurance process
     • The process is too expensive and time-consuming without technology to automate major portions
  10. [figure: quality attributes diagram with "Quality" at the centre, surrounded by Performance, Security, Usability, Reusability, Suitability, Reliability]
  11. [figure: process cycle of Plan, Author, Test, Report, Improve, annotated "Technology helps here" and "And here"]
  12. Building your army
     Developers are not the enemy: they're your best ally
  13. Focus on development concerns
     Care about:
     • Delivering quality software
     • Quality means "meets requirements"
     • Releasing on time
     • Fewer surprises during UAT
     • Security (Really!)
     Don't care about:
     • Anything untestable
     • Politics
     • Developer "performance" measurements (too easy to game)
  14. Define a solution that addresses them
     • Security is Quality
     • Provide clear security requirements
     • Make them reliably testable
     • Get results continuously
  15. Introduce a solution that fits
     Static Code Analysis meets all these objectives; we need technology that makes it practical
  16. And another thing…
     The number one resistance to Static Analysis is fear of measurement:
     • Commit to a strict NO PUNISHMENT policy
     • Don't capture what happens outside of QA
     • Commit to educating management on why security defects aren't a measure of developer quality
     • Show that you get it – you're on the same side
  17. You only have one goal
     "We want this! When can we have it?"
  18. Quick start
     The "right way" takes years:
     • Processes and governance are hard
     • Must be established iteratively
     You need to return value sooner than that:
     • Deploy build-only
     • Buy a Center of Excellence
  19. Integrating with your SDLC
     • You don't win until Security is Quality
     • Focus on outcomes, not tollgates
     • Avoid write-only documentation
  20. Community Involvement
     • Local OWASP Chapter: https://www.owasp.org/index.php/Category:OWASP_Chapter
     • Local DefCON groups (e.g. DC612): http://dc612.org
     • Local Hackerspaces (e.g. Hack Factory): http://tcmaker.org, http://hackerspaces.org