Selling Security to Software Developers: Lessons Learned While Building a Commercial Static Analysis Tool

Over the past ten years, static analysis has undergone a rebirth in both the academic and the commercial world. At the same time, security has become a critical topic for software makers. At the confluence of these trends is a new crop of static analysis tools that identify software security bugs in source code.

This talk covers what I have learned during the process of creating and selling a commercial static analysis product. Some of the lessons about static analysis are intuitive (better analysis results lead to better sales), while some are not (when a customer says "false positive," what they mean is "result I do not like"). In addition to relating my experience with static analysis, I will take a look at the differences between software security as addressed in the academic community and as practiced by software developers in the "real world."

Brian Chess is Chief Scientist at Fortify Software. His work focuses on practical methods for creating secure systems. Brian draws on his previous research in integrated circuit test and verification to find new ways to uncover security issues before they become security disasters.

Brian received his Ph.D. in computer engineering from the University of California at Santa Cruz, where he studied the application of static analysis to the problem of finding security-relevant defects in source code. Prior to joining Fortify, Brian spent a decade in Silicon Valley working at both big and small companies and thinking about both software and hardware problems. Small companies and software problems came out on top.

Brian Chess, Fortify Software

BibTeX
@conference {268910,
author = {Brian Chess},
title = {Selling Security to Software Developers: Lessons Learned While Building a Commercial Static Analysis Tool},
year = {2006},
address = {Vancouver, B.C. Canada},
publisher = {USENIX Association},
month = jul
}