Presentation transcript: "OWASP Static Analysis (SA) Track Goals, Objectives, and Track Roadmap"

Slide 1: OWASP Static Analysis (SA) Track Goals, Objectives, and Track Roadmap
Mike Ware, Cigital (mware at cigital dot com), 4/8/09

Slide 2: OWASP SA Track: Goals
- Cover the ins and outs of Static Analysis: who, what, when, where, how, why
- Provide hands-on experience using commercially available tools
- Provide hands-on tool customization guidance
- Provide guidance on organizational adoption and integration of SA into your SDLC

Speaker notes on tool adoption: who runs the tool (a central team or DEV), when the tool is run (coding time, build time, major milestone), and what happens after the tool is run.

Slide 3: OWASP SA Track: Delivery Approach
- Vendor-supported sessions
- Participants will use the full tool version during hands-on sessions
- A LiveCD will have all necessary material pre-installed for use in the lab
- Both lecture-style presentations and hands-on labs
- Lecture content will be as tool-agnostic as possible
- Hands-on labs will focus on understanding how to reach a tool's full potential
- Will strive to record sessions, but this may not always be possible

Slide 4: OWASP SA Track Roadmap

Session | Topic                        | Lecture (2 hours) | Lab w/ Expert
1       | Intro to Static Analysis     | yes               | -
2       | Tool Assisted Code Reviews   | yes               | Fortify SCA, Ounce Labs
3       | Customization Lab            | -                 | Fortify SCA
4       | Customization Lab            | -                 | Ounce Labs
5       | Tool Adoption and Deployment | yes               | -

Slide 5: OWASP SA Track Contacts
- Curriculum content will be sent out to the mailing list soon
- If you have questions, feedback, or suggestions for the curriculum, please contact one of us:
  Eric Dalci: edalci at cigital dot com
  Mike Ware: mware at cigital dot com

Slide 6: Session 1: Intro to Static Analysis (SA)
Objectives: be able to answer
- What purpose do SA tools serve? What benefits do development (DEV) and security (SEC) teams get from them?
- How do SA tools work? What are the inputs? What insecure coding patterns do SA tools target? What are the outputs? What can and can't SA do?
- How does SA find common problems (e.g., XSS, SQL Injection), and how does that differ from dynamic analysis (DA)?
- How do SA tools fit in a development process? Who runs the tool? When is the tool run? What happens after the tool is run?

Slide 7: Session 2: Tool Assisted Code Reviews
Objectives
- Knowledge ("security expert in a box"): understand a tool's vulnerability taxonomy; understand a tool's analysis engine
- Scanning: learn how to execute scans (against WebGoat); learn what scanning options are available
- As a code review facilitator: become familiar with a tool's interface; learn how to triage tool findings; learn about a tool's reporting features
- Customizations: learn what options are available for customizing tools

Slide 8: Sessions 3 and 4: Customization Labs
Separate sessions for each tool: Session 3 covers Fortify SCA, Session 4 covers Ounce Labs.
Objectives
- Learn how to identify or disqualify candidate rules
- Learn about a tool's customization features: how are customizations applied by the tool's analysis engine?
- Write custom rules to:
  - Achieve better accuracy: decrease false positives, increase true positives
  - Achieve better vulnerability coverage: find vulnerabilities uncovered during manual code reviews
  - Enforce example corporate coding standards
  - Identify an organization's top problems
- Learn how to test the accuracy of rules
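To make the Session 1 questions (how SA tools find SQL injection and XSS, what their inputs and outputs are) and the Session 3 and 4 objectives (custom rules for accuracy and coverage, testing rule accuracy) concrete, here is a small source-to-sink taint analyzer added for this page. It is not Fortify SCA or Ounce Labs code and does not use either vendor's rule format; the source, sink and sanitizer names (request.args.get, cursor.execute, render_template_string, escape, and the hypothetical in-house corp_log API), the sample application and the hand-labelled ground truth are all constructed. It shows a data-flow rule finding SQL injection and XSS, a sanitizer rule suppressing a would-be false positive, a custom sink rule extending coverage to an organization's own API, and a scoring step that measures each rule set as true positives, false positives and false negatives.

```python
"""Toy source-to-sink taint analysis, written to illustrate how SA tools find
SQLi/XSS and how custom rules change precision and coverage. Not Fortify SCA or
Ounce Labs code; API names, rule names and the sample program are made up."""
import ast
from dataclasses import dataclass, field


@dataclass
class RuleSet:
    """The three knobs a customization lab tunes: where taint enters (sources),
    where it is dangerous (sinks) and what removes it (sanitizers).
    Names are hypothetical Flask-style APIs chosen for the example."""
    sources: set = field(default_factory=lambda: {"request.args.get", "request.form.get"})
    sinks: dict = field(default_factory=lambda: {"cursor.execute": "SQL Injection",
                                                  "render_template_string": "XSS"})
    sanitizers: set = field(default_factory=lambda: {"escape"})


@dataclass
class Finding:
    category: str
    line: int
    sink: str


def _qualname(node):
    """Dotted name of a call target, e.g. request.args.get."""
    if isinstance(node, ast.Attribute):
        base = _qualname(node.value)
        return f"{base}.{node.attr}" if base else node.attr
    return node.id if isinstance(node, ast.Name) else ""


def analyze(source_code, rules):
    """Intra-procedural, path-insensitive taint tracking over each function body.
    Input: program text plus a RuleSet. Output: a list of Finding records."""
    findings, tainted = [], set()

    def is_tainted(expr):
        if isinstance(expr, ast.Name):
            return expr.id in tainted
        if isinstance(expr, ast.Call):
            name = _qualname(expr.func)
            if name in rules.sources:
                return True
            if name in rules.sanitizers:
                return False                       # a sanitizer rule stops propagation
            return any(is_tainted(a) for a in expr.args)   # unknown call: pass taint through
        if isinstance(expr, ast.BinOp):            # string concatenation propagates taint
            return is_tainted(expr.left) or is_tainted(expr.right)
        return False

    for func in (n for n in ast.parse(source_code).body if isinstance(n, ast.FunctionDef)):
        tainted.clear()
        for stmt in func.body:                     # statements in source order
            for call in (n for n in ast.walk(stmt) if isinstance(n, ast.Call)):
                name = _qualname(call.func)
                if name in rules.sinks and any(is_tainted(a) for a in call.args):
                    findings.append(Finding(rules.sinks[name], call.lineno, name))
            if isinstance(stmt, ast.Assign) and is_tainted(stmt.value):
                tainted.update(t.id for t in stmt.targets if isinstance(t, ast.Name))
    return findings


def score(findings, expected):
    """Rule accuracy against hand-labelled truth {line: category}: (TP, FP, FN)."""
    found = {(f.line, f.category) for f in findings}
    truth = set(expected.items())
    return len(found & truth), len(found - truth), len(truth - found)


# Constructed sample application; line numbers count from the line after the opening quotes.
SAMPLE = '''
def lookup(request, cursor):
    user_id = request.args.get("id")
    query = "SELECT * FROM users WHERE id = '" + user_id + "'"
    cursor.execute(query)                    # line 5: SQL injection via tainted concatenation

def greet(request):
    name = request.args.get("name")
    return render_template_string("<h1>Hi " + name + "</h1>")   # line 9: reflected XSS

def greet_safe(request):
    name = escape(request.args.get("name"))
    return render_template_string("<h1>Hi " + name + "</h1>")   # line 13: sanitized, not a finding

def audit(request):
    corp_log(request.args.get("note"))       # line 16: a finding only under the custom corp_log rule
'''

# Ground truth a manual code review of SAMPLE would produce (constructed for the example).
EXPECTED = {5: "SQL Injection", 9: "XSS", 16: "Log Forging"}


def run_demo():
    baseline = RuleSet()
    custom = RuleSet()
    custom.sinks["corp_log"] = "Log Forging"   # coverage: hypothetical in-house API added as a sink
    sloppy = RuleSet(sinks=dict(custom.sinks), sanitizers=set())   # accuracy: sanitizer rule removed
    return {name: score(analyze(SAMPLE, rs), EXPECTED)
            for name, rs in (("baseline", baseline), ("custom", custom), ("no_sanitizer", sloppy))}


if __name__ == "__main__":
    print(*analyze(SAMPLE, RuleSet()), sep="\n")
    print(run_demo())
```

Running the file prints the two baseline findings and then the (TP, FP, FN) triple for each rule set: the baseline misses the corp_log case, the custom sink rule closes that gap, and dropping the sanitizer rule turns greet_safe into a false positive. Real engines do the same bookkeeping inter-procedurally over a model of the whole program and track taint through fields and collections, but the rule shape a customization lab edits (source, sink, sanitizer, pass-through) and the labelled-corpus scoring are the same.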

Slide 9: Session 5: Tool Adoption and Deployment
Objectives
- How do I select a tool?
- How should I integrate a tool into my SDLC?
  - Initial goals and challenges
  - Roles and responsibilities
  - Advantages and disadvantages of deployment scenarios
  - Effort and costs
- Discuss how to deal with tool advances when adopting and deploying
- Discuss lessons learned in effectively leveraging SA within software process ecosystems
  - Continuous integration
  - Combining analysis techniques
