Selling Security to Software Developers

Selling Security to Software Developers
Brian Chess

Citation
Brian Chess. "Selling Security to Software Developers". Talk or presentation, 12, April, 2007.

Abstract
Over the past ten years, static analysis has undergone a rebirth in both the academic and the commercial world. At the same time, security has become a critical topic for software makers. At the confluence of these trends is a new crop of static analysis tools that identify software security bugs in source code. This talk covers what I have learned during the process of creating and selling a commercial static analysis product. Some of the lessons about static analysis are intuitive (better analysis results lead to better sales), while some are not (when a customer says "false positive" what they mean is "result I do not like"). In addition to relating my experience with static analysis, I will take a look at the differences between software security as addressed in the academic community and as practiced by software developers in the "real world."

Electronic downloads

chess%20berkeley%204.2007.pdf · application/pdf · 4520 kbytes

Citation formats

HTML

Brian Chess. <a
href="http://www.truststc.org/pubs/253.html"
><i>Selling Security to Software
Developers</i></a>, Talk or presentation,  12,
April, 2007.

Plain text

Brian Chess. "Selling Security to Software
Developers". Talk or presentation,  12, April, 2007.

BibTeX

@presentation{Chess07_SellingSecurityToSoftwareDevelopers,
    author = {Brian Chess},
    title = {Selling Security to Software Developers},
    day = {12},
    month = {April},
    year = {2007},
    abstract = {Over the past ten years, static analysis has
              undergone a rebirth in both the academic and the
              commercial world. At the same time, security has
              become a critical topic for software makers. At
              the confluence of these trends is a new crop of
              static analysis tools that identify software
              security bugs in source code. This talk covers
              what I have learned during the process of creating
              and selling a commercial static analysis product.
              Some of the lessons about static analysis are
              intuitive (better analysis results lead to better
              sales), while some are not (when a customer says
              "false positive" what they mean is "result I do
              not like"). In addition to relating my experience
              with static analysis, I will take a look at the
              differences between software security as addressed
              in the academic community and as practiced by
              software developers in the "real world."},
    URL = {http://www.truststc.org/pubs/253.html}
}

Posted by Alvaro Cardenas on 24 Apr 2007.
Groups: trustseminar
For additional information, see the Publications FAQ or contact webmaster at www truststc org.

Notice: This material is presented to ensure timely dissemination of scholarly and technical work. Copyright and all rights therein are retained by authors or by other copyright holders. All persons copying this information are expected to adhere to the terms and constraints invoked by each author's copyright.