Copyright © The OWASP Foundation. Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License. The OWASP Foundation

OWASP Static Analysis (SA) Track: Goals, Objectives, and Track Roadmap
Mike Ware, Cigital
mware at cigital dot com
4/8/09

OWASP SA Track: Goals
- Cover the ins and outs of Static Analysis: Who, What, When, Where, How, Why
- Provide hands-on experience using commercially available tools
- Provide hands-on tool customization guidance
- Provide guidance on organizational adoption and integration of SA into your SDLC

OWASP SA Track: Delivery Approach
- Vendor-supported sessions
  - Participants will use the full tool version during hands-on sessions
  - A LiveCD will have all necessary material pre-installed for use in the lab
- Both lecture-style presentations and hands-on labs
  - Lecture content will be as tool-agnostic as possible
  - Hands-on labs will focus on understanding how to reach a tool's full potential
- We will strive to record sessions, but this may not always be possible

OWASP SA Track Roadmap

Session  Topic                            Format         Duration
1        Intro to Static Analysis         Lecture        2 hours
2        Tool Assisted Code Reviews       Lab w/ Expert  2-3 hours
3        Customization Lab: Fortify SCA   Lab w/ Expert  3 hours
4        Customization Lab: Ounce Labs    Lab w/ Expert  3 hours
5        Tool Adoption and Deployment     Lecture        2-3 hours

Session 1: Intro to Static Analysis (SA)
Objectives: be able to answer
- What purpose do SA tools serve?
  - What benefits are reaped for DEV and SEC?
- How do SA tools work?
  - What are the inputs?
  - What insecure coding patterns do SA tools target?
  - What are the outputs?
  - What can/can't SA do?
  - How does SA find common problems (e.g., XSS, SQL Injection) vs. DA (dynamic analysis)?
- How do SA tools fit in a development process?
  - Who runs the tool?
  - When is the tool run?
  - What happens after the tool is run?

Session 2: Tool Assisted Code Reviews
Objectives
- Knowledge: "security expert in a box"
  - Understand a tool's vulnerability taxonomy
  - Understand a tool's analysis engine
- Scanning
  - Learn how to execute scans (against WebGoat)
  - Learn what scanning options are available
- As a code review facilitator
  - Become familiar with a tool's interface
  - Learn how to triage tool findings
  - Learn about a tool's reporting features
- Customizations
  - Learn what options are available for customizing tools

Sessions 3 and 4: Customization Labs
- Separate sessions for each tool
  - Session 3: Fortify SCA
  - Session 4: Ounce Labs
- Objectives
  - Learn how to identify or disqualify candidate rules
  - Learn about a tool's customization features
    - How are customizations applied by the tool's analysis engine?
  - Write custom rules to:
    - Achieve better accuracy: decrease false positives, increase true positives
    - Achieve better vulnerability coverage: find vulnerabilities uncovered during manual code reviews
    - Enforce example corporate coding standards
    - Identify an organization's top problems
  - Learn how to test the accuracy of rules
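Session 1 asks how SA tools find XSS and SQL Injection, and Sessions 3 and 4 ask how custom rules change accuracy and coverage and how to test them. The following toy analyzer is an added example written for this page, not OWASP's, Fortify's or Ounce Labs' code, and it is far simpler than a commercial engine. It implements the pattern those tools share: a rule set of sources (calls returning attacker input), sinks (dangerous calls, with the argument that matters) and sanitizers (calls that neutralize specific categories), propagated through assignments and expressions of each function. The rule names are illustrative; the in-house sink `legacy_db.raw_query` is hypothetical, and the labeled samples are constructed for the accuracy check.

```python
"""Toy taint-tracking static analyzer driven by a source/sink/sanitizer rule set.
Added example, not OWASP's, Fortify's or Ounce Labs' code; rule names are illustrative
and the in-house sink legacy_db.raw_query is hypothetical."""
import ast

ALL = frozenset({"SQL Injection", "XSS"})  # vulnerability categories the rules know about


def qualname(node):
    """Dotted call target such as 'request.args.get'; None for anything fancier."""
    if isinstance(node, ast.Name):
        return node.id
    if isinstance(node, ast.Attribute) and qualname(node.value):
        return qualname(node.value) + "." + node.attr
    return None


def taint_of(expr, env, rules, findings):
    """Categories for which `expr` still carries attacker data; appends (line, category, sink) on sink hits."""
    if isinstance(expr, ast.Name):
        return env.get(expr.id, frozenset())
    if isinstance(expr, ast.Call):
        name = qualname(expr.func)
        args = [taint_of(a, env, rules, findings) for a in expr.args]
        args += [taint_of(k.value, env, rules, findings) for k in expr.keywords]
        arg_taint = frozenset().union(*args)
        if name in rules["sources"]:
            return ALL                                    # fresh taint, dangerous for every category
        if name in rules["sanitizers"]:
            return arg_taint - rules["sanitizers"][name]  # a sanitizer clears only its own categories
        if name in rules["sinks"]:
            category, idx = rules["sinks"][name]          # only the designated argument is checked
            if idx < len(args) and category in args[idx]:
                findings.append((expr.lineno, category, name))
            return frozenset()
        if isinstance(expr.func, ast.Attribute):          # x.method(...): the receiver's taint flows too
            arg_taint |= taint_of(expr.func.value, env, rules, findings)
        return arg_taint                                  # unknown call: propagate conservatively
    # BinOp, f-strings, %-formatting, subscripts, tuples, ...: union of the sub-expressions
    kids = [c for c in ast.iter_child_nodes(expr) if isinstance(c, ast.expr)]
    return frozenset().union(*(taint_of(c, env, rules, findings) for c in kids))


def run_stmts(stmts, env, rules, findings):
    """Flow-insensitive walk: every branch is visited in order, so taint over-approximates."""
    for stmt in stmts:
        if isinstance(stmt, (ast.FunctionDef, ast.ClassDef)):
            continue                                      # nested definitions get their own walk
        if isinstance(stmt, ast.Assign):
            t = taint_of(stmt.value, env, rules, findings)
            for target in stmt.targets:
                if isinstance(target, ast.Name):
                    env[target.id] = t
        elif isinstance(stmt, (ast.Expr, ast.Return)) and stmt.value is not None:
            taint_of(stmt.value, env, rules, findings)
        else:                                             # if/for/while/with/try: tests first, then bodies
            for child in ast.iter_child_nodes(stmt):
                if isinstance(child, ast.expr):
                    taint_of(child, env, rules, findings)
            for body in ("body", "orelse", "finalbody"):
                run_stmts(getattr(stmt, body, []), env, rules, findings)


def analyze(code, rules):
    """Run the rules over every function in `code`; each function starts with a clean environment."""
    findings = []
    for node in ast.walk(ast.parse(code)):
        if isinstance(node, ast.FunctionDef):
            run_stmts(node.body, {}, rules, findings)
    return findings


BASE_RULES = {
    "sources": {"request.args.get", "request.form.get"},
    "sinks": {"cursor.execute": ("SQL Injection", 0),   # argument 0 is the query text; the parameter
              "render_template_string": ("XSS", 0)},     # tuple in argument 1 is safe by construction
    "sanitizers": {"html.escape": {"XSS"}},
}
# Corporate customization: an in-house wrapper (hypothetical name) that concatenates raw SQL.
CUSTOM_RULES = dict(BASE_RULES, sinks={**BASE_RULES["sinks"], "legacy_db.raw_query": ("SQL Injection", 0)})

# Constructed, hand-labeled samples: (snippet, categories a manual code review confirmed).
SAMPLES = [
    ('def f(request, cursor):\n    uid = request.args.get("id")\n'
     '    cursor.execute("SELECT * FROM u WHERE id = " + uid)', {"SQL Injection"}),
    ('def f(request, cursor):\n    uid = request.args.get("id")\n'
     '    cursor.execute("SELECT * FROM u WHERE id = %s", (uid,))', set()),
    ('def f(request):\n    name = request.args.get("name")\n'
     '    return render_template_string(f"<h1>Hello {name}</h1>")', {"XSS"}),
    ('def f(request):\n    name = html.escape(request.args.get("name"))\n'
     '    return render_template_string("<h1>Hello " + name)', set()),
    ('def f(request, cursor):\n    uid = html.escape(request.args.get("id"))\n'
     '    cursor.execute("SELECT * FROM u WHERE id = %s" % uid)', {"SQL Injection"}),
    ('def f(request):\n    q = request.form.get("q")\n'
     '    legacy_db.raw_query("SELECT * FROM u WHERE name = " + q)', {"SQL Injection"}),
]


def evaluate(rules, samples=SAMPLES):
    """Score a rule set against labeled code: the acceptance check a custom rule must pass."""
    tp = fp = fn = 0
    for code, expected in samples:
        found = {category for _, category, _ in analyze(code, rules)}
        tp, fp, fn = tp + len(found & expected), fp + len(found - expected), fn + len(expected - found)
    return {"tp": tp, "fp": fp, "fn": fn}


if __name__ == "__main__":
    print("base:  ", evaluate(BASE_RULES))    # one false negative: the in-house sink
    print("custom:", evaluate(CUSTOM_RULES))  # full coverage, still no false positives
```

Three of the samples show why rule detail matters: the parameterized `cursor.execute` is clean only because the sink rule names argument 0, the `html.escape` sample before the SQL sink is still flagged because the sanitizer clears XSS and nothing else, and `legacy_db.raw_query` is invisible until the custom sink rule exists. Running `evaluate` on the base and customized rule sets is the accuracy test the labs ask for: a rule that raises true positives without adding false positives on the labeled corpus is a candidate for rollout, one that does not is disqualified. A dynamic-analysis scanner would need a live instance and a request that actually reaches each sink; the static approach finds the flows from the parse tree alone, which is also why it cannot tell whether a given path is reachable at runtime.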

Session 5: Tool Adoption and Deployment
Objectives
- How do I select a tool?
- How should I integrate a tool into my SDLC?
  - Initial goals and challenges
  - Roles and responsibilities
  - Advantages and disadvantages of deployment scenarios: effort and costs
- Discuss how to deal with tool advances when adopting and deploying
- Discuss lessons learned in effectively leveraging SA within software process ecosystems
  - Continuous integration
  - Combining analysis techniques
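Session 2's "learn how to triage tool findings" and Session 5's continuous-integration point meet in one mechanism: findings need a stable identity so that a reviewer's decision survives the next scan, and a build gate that only reacts to findings nobody has looked at yet. The script below is an added example written for this page, not OWASP's code or any tool's export format. It assumes findings have already been exported from the scanner as records with file, line, category, severity, sink and the offending source line; the field names, the baseline layout and the scan data are this example's own constructed conventions.

```python
"""Triage of static-analysis findings against a reviewed baseline, plus a CI gate.
Added example, not OWASP's or any vendor's code. Assumes findings were exported from the
tool as records with file, line, category, severity, sink and the offending source line;
these field names and the baseline layout are this example's own conventions."""
import hashlib
import re

SUPPRESSING = {"false_positive", "accepted_risk", "mitigated"}  # reviewer decisions that hide a finding
BLOCKING = {"Critical", "High"}                                  # severities that fail a build when new


def fingerprint(finding):
    """Stable identity: file + category + sink + whitespace-normalized code, deliberately
    without the line number, so an edit above the finding does not reset its triage."""
    code = re.sub(r"\s+", " ", finding["code"]).strip()
    key = "|".join([finding["file"], finding["category"], finding["sink"], code])
    return hashlib.sha256(key.encode()).hexdigest()[:16]


def triage(findings, baseline):
    """Split a scan into what a reviewer must look at versus what was already decided."""
    buckets = {"new": [], "open": [], "suppressed": []}
    for f in findings:
        status = baseline.get(fingerprint(f), {}).get("status")
        if status is None:
            buckets["new"].append(f)
        elif status in SUPPRESSING:
            buckets["suppressed"].append(f)
        else:
            buckets["open"].append(f)
    return buckets


def record_decision(baseline, finding, status, note=""):
    """Persist a reviewer's verdict so the same finding is not re-triaged on the next build."""
    baseline[fingerprint(finding)] = {"status": status, "note": note}
    return baseline


def ci_gate(findings, baseline):
    """0 if the build may proceed, 1 if it introduces new findings of blocking severity.
    Known-open findings do not fail the build; they are tracked, not re-litigated each run."""
    new_blocking = [f for f in triage(findings, baseline)["new"] if f["severity"] in BLOCKING]
    return 1 if new_blocking else 0


# Constructed scan output for today's build (three findings).
SCAN = [
    {"file": "app/views.py", "line": 45, "category": "SQL Injection", "severity": "Critical",
     "sink": "cursor.execute", "code": 'cursor.execute("SELECT * FROM t WHERE id = " + uid)'},
    {"file": "app/util.py", "line": 12, "category": "Weak Random", "severity": "Low",
     "sink": "random.random", "code": "jitter = random.random()"},
    {"file": "app/admin.py", "line": 88, "category": "Command Injection", "severity": "High",
     "sink": "os.system", "code": 'os.system("ls " + path)'},
]

# Constructed baseline as checked into the repo after the last review. The SQL finding sat at
# line 42 back then; the fingerprint ignores line numbers, so it still matches today's line 45.
BASELINE = {}
record_decision(BASELINE, dict(SCAN[0], line=42), "open", "owner: team-web, fix scheduled")
record_decision(BASELINE, dict(SCAN[1], line=10), "false_positive", "retry jitter, not a secret")

if __name__ == "__main__":
    for bucket, items in triage(SCAN, BASELINE).items():
        print(bucket, [f"{f['file']}:{f['line']} {f['category']}" for f in items])
    print("exit code:", ci_gate(SCAN, BASELINE))
```

With this baseline the command-injection finding is the only new item, so the gate returns 1 and the build stops; once a reviewer records a decision for it (fix, accept the risk, or mark it a false positive with a note) the same scan passes. Keeping the baseline in version control next to the code gives the roles discussion a concrete artifact: developers own the "new" bucket, the security team audits the "suppressed" one, and the fingerprint keeps both from redoing work whenever a file is edited above a known finding.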

OWASP SA Track Contacts
- Curriculum content to be sent out to the mailing list soon
- If you have questions, feedback, or suggestions for the curriculum, please contact one of us:
  - Eric Dalci: edalci at cigital dot com
  - Mike Ware: mware at cigital dot com