Static Code Analysis tools are a wonderful addition to a strong application security program for any large-scale development effort - but their expense often causes management heartburn. This talk addresses how to:
1. Convince management of the value a Static Code Analysis tool can provide
2. Sell process over product
3. Get development teams on your side
4. Get a "quick and dirty" Static Code Analysis program up and running
5. Expand that nascent program into a mature part of a Secure SDLC
5a. Use Static Code Analysis to drive building a Secure SDLC if you don't have one
The material covered is based on the speaker's personal experience trying, failing, trying, and finally succeeding in accomplishing these things.
Part 1 - Convincing management
This segment covers approaches to articulating value of a Static Code Analysis tool - with or without an existing Secure SDLC program - to organization decision makers. In other words, this segment covers how to do a good sales job by showing managers things they care about.
FUD is discouraged.
Part 2 - Selling process over product
This segment emphasizes the importance of building good process - and advertising it - over selecting any particular product.
Part 3 - Getting development teams on your side
This segment covers various techniques for successfully marketing Static Code Analysis tools and processes to development teams. Successful marketing means that developers end up pressuring their own management to support adopting a Static Code Analysis process.
Included are the common responses developers give to proposals to integrate Static Code Analysis toolkits and processes into their workflow, and the counter-responses that do and don't work.
Part 4 - Quick start
This segment covers rapidly and inexpensively building a proof-of-concept Static Code Analysis program that highlights the need for sound process, yet still returns a great deal of provable value. It also covers useful metrics and reporting to capture that can bolster the argument for organization-wide adoption.
Risks and trade-offs of taking this approach are discussed.
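As an added example (not material from the talk or the speaker), the following Python script shows the kind of metrics a quick-start proof of concept can capture to argue for wider adoption: it reads two SARIF result sets for the same codebase, a baseline scan and a later one, and reports counts by severity, findings that are new, findings that were fixed, and a fix rate. The field names (runs, results, ruleId, level, locations, physicalLocation, artifactLocation, uri, region, startLine, partialFingerprints) are the real SARIF 2.1.0 ones that most commercial and open-source scanners can emit; the tool name example-sast, the sample findings and the function names are constructed for illustration. The one caveat a practitioner would want is built in: matching findings across scans by file and line alone overstates churn whenever code moves, so the script prefers the tool's own partialFingerprints when present and falls back to location only when it must.

```python
"""Triage metrics for a Static Code Analysis proof of concept.

Added example, not code from the talk. Reads SARIF 2.1.0 shaped output
(real field names) from a baseline scan and a current scan, then reports
the numbers a quick-start program would put in front of management:
totals, counts by severity, new vs. fixed findings, and a fix rate.
The tool name, findings and helper names are constructed for illustration.
"""
import json
from collections import Counter

# Constructed sample data: a baseline scan and a later scan of the same code.
# The xss finding moved from line 88 to line 90 between scans; the tool gave
# it a partialFingerprints entry, so it should still be recognised as the
# same finding rather than counted as one fixed and one new.
BASELINE_SARIF = json.dumps({"version": "2.1.0", "runs": [{
    "tool": {"driver": {"name": "example-sast"}},
    "results": [
        {"ruleId": "sql-injection", "level": "error", "locations": [{"physicalLocation": {
            "artifactLocation": {"uri": "src/db/query.py"}, "region": {"startLine": 42}}}]},
        {"ruleId": "hardcoded-secret", "level": "warning", "locations": [{"physicalLocation": {
            "artifactLocation": {"uri": "src/config.py"}, "region": {"startLine": 7}}}]},
        {"ruleId": "xss", "level": "error",
         "partialFingerprints": {"primaryLocationLineHash": "3f9a1c"},
         "locations": [{"physicalLocation": {
            "artifactLocation": {"uri": "src/web/views.py"}, "region": {"startLine": 88}}}]},
        {"ruleId": "weak-hash", "level": "note", "locations": [{"physicalLocation": {
            "artifactLocation": {"uri": "src/crypto.py"}, "region": {"startLine": 12}}}]},
    ]}]})

CURRENT_SARIF = json.dumps({"version": "2.1.0", "runs": [{
    "tool": {"driver": {"name": "example-sast"}},
    "results": [
        {"ruleId": "hardcoded-secret", "level": "warning", "locations": [{"physicalLocation": {
            "artifactLocation": {"uri": "src/config.py"}, "region": {"startLine": 7}}}]},
        {"ruleId": "xss", "level": "error",
         "partialFingerprints": {"primaryLocationLineHash": "3f9a1c"},
         "locations": [{"physicalLocation": {
            "artifactLocation": {"uri": "src/web/views.py"}, "region": {"startLine": 90}}}]},
        {"ruleId": "weak-hash", "level": "note", "locations": [{"physicalLocation": {
            "artifactLocation": {"uri": "src/crypto.py"}, "region": {"startLine": 12}}}]},
        {"ruleId": "path-traversal", "level": "error", "locations": [{"physicalLocation": {
            "artifactLocation": {"uri": "src/files.py"}, "region": {"startLine": 15}}}]},
    ]}]})


def load_findings(sarif_text):
    """Return {fingerprint: finding} for every result in every run.

    The fingerprint uses the tool's partialFingerprints when present (stable
    across line shifts); otherwise it falls back to (ruleId, file, line).
    SARIF defaults a missing level to "warning", which is mirrored here.
    """
    doc = json.loads(sarif_text)
    findings = {}
    for run in doc.get("runs", []):
        for result in run.get("results", []):
            phys = result["locations"][0]["physicalLocation"]
            uri = phys["artifactLocation"]["uri"]
            line = phys.get("region", {}).get("startLine")
            fp_map = result.get("partialFingerprints") or {}
            if fp_map:
                fingerprint = (result["ruleId"], tuple(sorted(fp_map.items())))
            else:
                fingerprint = (result["ruleId"], uri, line)
            findings[fingerprint] = {"ruleId": result["ruleId"],
                                     "level": result.get("level", "warning"),
                                     "uri": uri, "line": line}
    return findings


def severity_counts(findings):
    """Count findings per SARIF level (error / warning / note)."""
    return dict(Counter(f["level"] for f in findings.values()))


def diff_scans(baseline, current):
    """Split fingerprints into (new, fixed, persisting) between two scans."""
    new = sorted(set(current) - set(baseline), key=str)
    fixed = sorted(set(baseline) - set(current), key=str)
    persisting = sorted(set(baseline) & set(current), key=str)
    return new, fixed, persisting


def poc_report(baseline_text, current_text):
    """Build the metrics dictionary a proof of concept would report."""
    base = load_findings(baseline_text)
    cur = load_findings(current_text)
    new, fixed, persisting = diff_scans(base, cur)
    return {
        "baseline_total": len(base),
        "current_total": len(cur),
        "by_level": severity_counts(cur),
        "new": [cur[fp]["ruleId"] for fp in new],
        "fixed": [base[fp]["ruleId"] for fp in fixed],
        "persisting": len(persisting),
        "fix_rate": round(len(fixed) / len(base), 2) if base else 0.0,
    }


if __name__ == "__main__":
    print(json.dumps(poc_report(BASELINE_SARIF, CURRENT_SARIF), indent=2))
```

On the constructed data the report shows one finding fixed (sql-injection), one new (path-traversal) and three persisting, for a 25% fix rate; without the fingerprint fallback the moved xss finding would have inflated both the "fixed" and "new" columns, which is exactly the kind of noise that makes developers distrust the numbers.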
Part 5 - Integrating into the SDLC
This segment covers "where to go from here" after a successful proof of concept. Considerations for integrating with Secure SDLCs at various levels of maturity are provided, as well as discussion of making processes adaptable to various development lifecycle frameworks (e.g. waterfall, agile, etc.).
Also covered is how to use support for Static Code Analysis to drive building a Secure SDLC in an organization that's resistant to SDLC changes.
Darren is a senior technical architect working in application security at a large company in the Twin Cities area. He has over a decade of software development experience that informs his desire to support and educate developers in application security practice.