Team for Research in
Ubiquitous Secure Technology

Selling Security to Software Developers
Brian Chess

Citation
Brian Chess. "Selling Security to Software Developers". Talk or presentation, 12 April 2007.

Abstract
Over the past ten years, static analysis has undergone a rebirth in both the academic and the commercial world. At the same time, security has become a critical topic for software makers. At the confluence of these trends is a new crop of static analysis tools that identify software security bugs in source code. This talk covers what I have learned during the process of creating and selling a commercial static analysis product. Some of the lessons about static analysis are intuitive (better analysis results lead to better sales), while some are not (when a customer says "false positive" what they mean is "result I do not like"). In addition to relating my experience with static analysis, I will take a look at the differences between software security as addressed in the academic community and as practiced by software developers in the "real world."

Citation formats
  • BibTeX
    @presentation{Chess07_SellingSecurityToSoftwareDevelopers,
        author = {Brian Chess},
        title = {Selling Security to Software Developers},
        day = {12},
        month = {April},
        year = {2007},
        abstract = {Over the past ten years, static analysis has
                  undergone a rebirth in both the academic and the
                  commercial world. At the same time, security has
                  become a critical topic for software makers. At
                  the confluence of these trends is a new crop of
                  static analysis tools that identify software
                  security bugs in source code. This talk covers
                  what I have learned during the process of creating
                  and selling a commercial static analysis product.
                  Some of the lessons about static analysis are
                  intuitive (better analysis results lead to better
                  sales), while some are not (when a customer says
                  "false positive" what they mean is "result I do
                  not like"). In addition to relating my experience
                  with static analysis, I will take a look at the
                  differences between software security as addressed
                  in the academic community and as practiced by
                  software developers in the "real world."},
        URL = {http://www.truststc.org/pubs/253.html}
    }

Posted by Alvaro Cardenas on 24 Apr 2007.
Groups: trustseminar