Security Static Analysis - Avoiding an Angry Mob of Engineers
The idea of Security Static Analysis is promising - point a tool at source code and magically find all of the security mistakes, hurray!
Clearly several organizations think so, as many compliance regimes require its usage, and most secure development guidance recommends it. In reality, adopting static analysis into a development process is incredibly challenging, and can easily both fail to meet security objectives and enrage the software engineers. This talk draws on many painful lessons learned deploying static analysis in several engineering organizations, with the goal of helping the audience better evaluate tools in the space and have more success deploying them.