Selling Security To Software Developers: Lessons Learned While Building A Commercial Static Analysis Tool

No ratings

Presented at 15th USENIX Security Symposium 2006 by

Brian Chess

Over the past ten years, static analysis has undergone a rebirth in both the academic and the commercial world. At the same time, security has become a critical topic for software makers. At the confluence of these trends is a new crop of static analysis tools that identify software security bugs in source code. This talk covers what I have learned during the process of creating and selling a commercial static analysis product. Some of the lessons about static analysis are intuitive (better analysis results lead to better sales), while some are not (when a customer says "false positive" what they mean is "result I do not like"). In addition to relating my experience with static analysis, I will take a look at the differences between software security as addressed in the academic community and as practiced by software developers in the "real world."