Code Review and Static Analysis with tools

Chapter: OWASP NoVA >>  Knowledge

- What: Secure Code Review
- Who: Performed by Security Analysts
- Where it fits: BSIMM Secure Code Review
- Cost: Scales with depth, threat facing the application, and application size/complexity

This article will answer the following questions about secure code review and the use of static analysis tools:

- What are static analysis tools and how do I use them?
- How do I select a static analysis tool?
- How do I customize a static analysis tool?
- How do I scale my assessment practices with secure code review?

Organizational
How do I scale my assessment practices with secure code review?

Implementing a static analysis tool goes a long way toward giving an organization a force multiplier for its secure code review practice.

INSERT SA TOOL IMPLEMENTATION PPT HERE

For those with existing assessment practices that involve secure code review (whether or not those practices leverage tools), the question often becomes: "I can review an application, but how do I scale the practice to my entire organization without astronomic cost?" The following presentation addresses this question:

Maturing Assessment Through Static Analysis