OWASP Static Analysis (SA) Track Goals, Objectives, and Track Roadmap Mike Ware Cigital mware at cigital dot com 4/8/09

Cover the ins and outs of Static Analysis OWASP SA Track: Goals Cover the ins and outs of Static Analysis Who, What, When, Where, How, Why Provide hands-on experience using commercially available tools Provide hands-on tool customization guidance Provide guidance on organizational adoption and integration of SA into your SDLC Tool adoption: - who runs the tool (central team or DEV), when is the tool run (coding time, build time, major milestone), what happens after the tool is run

OWASP SA Track: Delivery Approach Vendor supported sessions Participants will use full tool version during hands-on sessions LiveCD will have all necessary material pre-installed for *use in the lab* Both lecture style presentations and hands-on labs Lecture content will be as tool agnostic as possible Hands-on labs will focus on understanding how to reach a tool’s full potential Will strive to record sessions but may not always be possible

OWASP SA Track Roadmap SESSION TOPIC Lecture 2 hours Lab w/ Expert Intro To Static Analysis 1 Tool Assisted Code Reviews 2 Fortify SCA Ounce Labs Customization Lab 3 Fortify SCA Customization Lab 4 Ounce Labs Tool Adoption and Deployment 5

OWASP SA Track Contacts Curriculum content to be sent out to mailing list soon If you have questions, feedback, or suggestions for curriculum, please contact one of us: Eric Dalci: edalci at cigital dot com Mike Ware: mware at cigital dot com

Session 1: Intro to Static Analysis (SA) Objectives: Be able to answer What purpose do SA tools serve? What benefits are reaped for DEV and SEC? How do SA tools work? What are the inputs? What insecure coding patterns do SA tools target? What are the outputs? What can/can’t SA do? How does SA find common problems (e.g., XSS, SQL Injection) vs. DA (dynamic analysis)? How do SA tools fit in a development process? Who runs the tool? When is the tool run? What happens after the tool is run?

Session 2: Tool Assisted Code Reviews Objectives Knowledge: “security expert in a box” Understand a tool’s vulnerability taxonomy Understand a tool’s analysis engine Scanning Learn how to execute scans (against WebGoat) Learn what scanning options are available As a code review facilitator Become familiar with a tool’s interface Learn how to triage tool findings Learn about a tool’s reporting features Customizations Learn what options are available for customizing tools

Sessions 3 and 4: Customization Labs Separate sessions for each tool Session 3: Fortify SCA Session 4: Ounce Labs Objectives Learn how to identify or disqualify candidate rules Learn about a tool’s customization features How are customizations applied by the tool’s analysis engine? Write custom rules to: Achieve better accuracy Decrease false positives, increase true positives Achieve better vulnerability coverage Find vulnerabilities uncovered during manual code reviews Enforce example corporate coding standards Identify an organization’s top problems Learn how to test the accuracy of rules

Session 5: Tool Adoption and Deployment Objectives How do I select a tool? How should I integrate a tool into my SDLC? Initial Goals and Challenges Roles and Responsibilities Advantages and Disadvantages of Deployment Scenarios Effort and Costs Discuss how to deal with tool advances when adopting and deploying Discuss lessons learned in effectively leveraging SA within software process ecosystems Continuous integration Combining analysis techniques