https://wiki.owasp.org/api.php?action=feedcontributions&feedformat=atom&user=MwareOWASP - User contributions [en]2026-04-22T16:36:19ZUser contributionsMediaWiki 1.27.2https://wiki.owasp.org/index.php?title=Code_Review_and_Static_Analysis_with_tools&diff=58552Code Review and Static Analysis with tools2009-04-08T21:05:55Z<p>Mware: </p>
<hr />
<div>Chapter: [[Virginia_(Northern_Virginia)#OWASP_Washington_VA_Local_Chapter | OWASP NoVA]] >> [[Virginia_(Northern_Virginia)#Knowledge | Knowledge]]<br />
<br />
== Static Analysis Curriculum ==<br />
<br />
* For an introduction to the OWASP Static Analysis (SA) Track goals, objectives, and session roadmap, please see [http://www.owasp.org/index.php/Image:OWASP_NoVA_SA_Track_Final_20090408.ppt this presentation].<br />
<br />
== Code Review and Static Analysis with tools ==<br />
<br />
<UL><br />
<LI>What: [[Security_Code_Review_in_the_SDLC | Secure Code Review]]<br />
<LI>Who: Performed by Security Analysts<br />
<LI>Where it fits: [http://bsi-mm.com/ssf/ssdl/cr/ BSIMM Secure Code Review]<br />
<LI>Cost: Scales with depth, threat facing application, and application size/complexity<br />
</UL><br />
<br />
This article will answer the following questions about secure code review and use of static analysis tools:<br />
<OL><br />
<LI>What are static analysis tools and how do I use them?<br />
<LI>How do I select a static analysis tool?<br />
<LI>How do I customize a static analysis tool?<br />
<LI>How do I scale my assessment practices with secure code review?<br />
</OL> <br />
<br />
== Organizational == <br />
How do I scale my assessment practices with secure code review?<p><br />
<br />
Implementing a static analysis tool goes a long way to providing a force multiplier for organizations. The following presentation discusses a comprehensive set of steps organizations can undertake to successfully adopt such tools. The presentation discusses who should adopt the tool, what steps they should take, who they should involve, and how long/much it will cost.<br><br />
<br />
[[Media:Cigital_-_Fortify_Implementation_Preso.ppt|Implementing a Static Analysis Tool.ppt]]<br><br />
<br />
For those with existing assessment practices involving secure code review (whether or not those practices leverage tools) the question often becomes, "I can review an application, but how do I scale the practice to my entire organization without astronomic cost?" The following presentation addresses this question:<br />
<br />
[[Maturing_Software_Assessment_Through_Static_Analysis | Maturing Assessment Through Static Analysis]]<br />
<br />
== Customization ==<br />
People who believe that the value of static analysis is predominantly within their core capabilities "out of the box" come up incredibly short. By customizing your chosen tool you can expect:<br />
<br />
<UL><br />
<LI>Dramatically better accuracy (increased true positives, decreased false positives, and decreased false negatives)<br />
<LI>Automated scanning for corporate security standards<br />
<LI>Automated scanning for an organization's top problems<br />
<LI>Visibility into adherence to (or inclusion of) sanctioned toolkits<br />
</UL> <br />
<br />
The following presentation was given at the NoVA chapter in '06 and discusses deployment and customization:<br />
<br />
[[Media:OWASP_Adopting_a_Static_Analysis_Tool.ppt|Adopting a Static Analysis Tool]]<br />
<br />
Warning: this presentation is old and gives examples using the now defunct "CodeAssure" from what was then SecureSoftware.</div>Mwarehttps://wiki.owasp.org/index.php?title=Knowledge&diff=58551Knowledge2009-04-08T21:04:58Z<p>Mware: </p>
<hr />
<div>The Northern Virginia (NoVA) chapter is committed to compiling resources on interesting and valuable topic areas. We hope that this structure helps you access information pertinent to your tasks at hand as you move through a secure application development life cycle. Currently, our topic areas of focus include activities such as:<br />
<br />
* Threat Modeling<br />
* [[Code Review and Static Analysis with tools]]<br />
* Penetration Testing and Dynamic Analysis tools<br />
* Monitoring/Dynamic patching (WAFs)<br />
<br />
Certain projects our members are involved in cross-cut these activities, providing value throughout. They include:<br />
<br />
* ASVS</div>Mwarehttps://wiki.owasp.org/index.php?title=Knowledge&diff=58543Knowledge2009-04-08T20:40:41Z<p>Mware: </p>
<hr />
<div>The Northern Virginia (NoVA) chapter is committed to compiling resources on interesting and valuable topic areas. We hope that this structure helps you access information pertinent to your tasks at hand as you move through a secure application development life cycle. Currently, our topic areas of focus include activities such as:<br />
<br />
* Threat Modeling<br />
* [[Code Review and Static Analysis with tools]]<br />
* Penetration Testing and Dynamic Analysis tools<br />
* Monitoring/Dynamic patching (WAFs)<br />
<br />
Certain projects our members are involved in cross-cut these activities, providing value throughout. They include:<br />
<br />
* ASVS<br />
<br />
== Static Analysis Curriculum ==<br />
<br />
* For an introduction to the OWASP Static Analysis (SA) Track goals, objectives, and session roadmap, please see [http://www.owasp.org/index.php/Image:OWASP_NoVA_SA_Track_Final_20090408.ppt this presentation].</div>Mwarehttps://wiki.owasp.org/index.php?title=File:OWASP_NoVA_SA_Track_Final_20090408.ppt&diff=58541File:OWASP NoVA SA Track Final 20090408.ppt2009-04-08T20:40:11Z<p>Mware: uploaded a new version of "Image:OWASP NoVA SA Track Final 20090408.ppt"</p>
<hr />
<div>Overview of the goals, objectives, and roadmap for the OWASP NoVA Static Analysis Track</div>Mwarehttps://wiki.owasp.org/index.php?title=File:OWASP_NoVA_SA_Track_Final_20090408.ppt&diff=58533File:OWASP NoVA SA Track Final 20090408.ppt2009-04-08T20:31:43Z<p>Mware: Overview of the goals, objectives, and roadmap for the OWASP NoVA Static Analysis Track</p>
<hr />
<div>Overview of the goals, objectives, and roadmap for the OWASP NoVA Static Analysis Track</div>Mware