
Slide 1
Copyright © The OWASP Foundation. Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License.
The OWASP Foundation, http://www.owasp.org
OWASP Static Analysis (SA) Track: Goals, Objectives, and Track Roadmap
Mike Ware, Cigital (mware at cigital dot com)
4/8/09

Slide 2: OWASP SA Track: Goals
- Cover the ins and outs of Static Analysis
  - Who, What, When, Where, How, Why
- Provide hands-on experience using commercially available tools
- Provide hands-on tool customization guidance
- Provide guidance on organizational adoption and integration of SA into your SDLC

Slide 3: OWASP SA Track: Delivery Approach
- Vendor supported sessions
  - Participants will use full tool version during hands-on sessions
  - LiveCD will have all necessary material pre-installed for *use in the lab*
- Both lecture style presentations and hands-on labs
  - Lecture content will be as tool agnostic as possible
  - Hands-on labs will focus on understanding how to reach a tool's full potential
- Will strive to record sessions but may not always be possible

Slide 4: OWASP SA Track Roadmap

| Session | Topic                              | Format        | Duration  |
|---------|------------------------------------|---------------|-----------|
| 1       | Intro To Static Analysis           | Lecture       | 2 hours   |
| 2       | Tool Assisted Code Reviews         | Lab w/ Expert | 2-3 hours |
| 3       | Customization Lab: Fortify SCA     | Lab w/ Expert | 3 hours   |
| 4       | Customization Lab: Ounce Labs      | Lab w/ Expert | 3 hours   |
| 5       | Tool Adoption and Deployment       | Lecture       | 2-3 hours |

Slide 5: Session 1: Intro to Static Analysis (SA)
- Objectives: Be able to answer
  - What purpose do SA tools serve?
    - What benefits are reaped for DEV and SEC?
  - How do SA tools work?
    - What are the inputs?
    - What insecure coding patterns do SA tools target?
    - What are the outputs?
    - What can/can't SA do?
    - How does SA find common problems (e.g., XSS, SQL Injection) vs. DA (dynamic analysis)?
  - How do SA tools fit in a development process?
    - Who runs the tool?
    - When is the tool run?
    - What happens after the tool is run?

Slide 6: Session 2: Tool Assisted Code Reviews
- Objectives
  - Knowledge: "security expert in a box"
    - Understand a tool's vulnerability taxonomy
    - Understand a tool's analysis engine
  - Scanning
    - Learn how to execute scans (against WebGoat)
    - Learn what scanning options are available
  - As a code review facilitator
    - Become familiar with a tool's interface
    - Learn how to triage tool findings
    - Learn about a tool's reporting features
  - Customizations
    - Learn what options are available for customizing tools

Slide 7: Sessions 3 and 4: Customization Labs
- Separate sessions for each tool
  - Session 3: Fortify SCA
  - Session 4: Ounce Labs
- Objectives
  - Learn how to identify or disqualify candidate rules
  - Learn about a tool's customization features
    - How are customizations applied by the tool's analysis engine?
  - Write custom rules to:
    - Achieve better accuracy: decrease false positives, increase true positives
    - Achieve better vulnerability coverage: find vulnerabilities uncovered during manual code reviews
    - Enforce example corporate coding standards
    - Identify an organization's top problems
  - Learn how to test the accuracy of rules

Slide 8: Session 5: Tool Adoption and Deployment
- Objectives
  - How do I select a tool?
  - How should I integrate a tool into my SDLC?
    - Initial Goals and Challenges
    - Roles and Responsibilities
    - Advantages and Disadvantages of Deployment Scenarios: effort and costs
  - Discuss how to deal with tool advances when adopting and deploying
  - Discuss lessons learned in effectively leveraging SA within software process ecosystems
    - Continuous integration
    - Combining analysis techniques

Slide 9: OWASP SA Track Contacts
- Curriculum content to be sent out to mailing list soon
- If you have questions, feedback, or suggestions for curriculum, please contact one of us:
  - Eric Dalci: edalci at cigital dot com
  - Mike Ware: mware at cigital dot com

