Transcript of “STATIC CODE ANALYSIS IN THE FEDERAL GOVERNMENT” (V 13 Federal Keane.pdf)
STATIC CODE ANALYSIS IN THE FEDERAL GOVERNMENT
2011 Nominee, International Security Executives (ISE®) Information Security Project of the Year, North America Government Sector
This document contains Booz Allen Hamilton Inc. proprietary and confidential information and is intended solely for internal use.
Delivery of Seamless Health Care and Benefits
A Presentation by The
“IF YOU AREN’T DOING STATIC CODE ANALYSIS RIGHT, WHAT ELSE AREN’T YOU DOING RIGHT?”
Friedrich Nietzsche “Sometimes people don't want to hear the truth because they don't want their illusions destroyed.”
How Lewis Black might have said it. “Sometimes people don't want to hear the truth because they don't want their delusions destroyed.”
A WORD OF CAUTION
I Speak Differently From the Rest of the Real World and NIST:
Static Code Analysis in John’s World Means Code Quality Checking
Static Security Analysis in John’s World is What Most of You Call Static Code Analysis
I Apologize In Advance For Any Confusion
MY LIMITED OBSERVATIONS
NATIONAL APPROACH
Software Assurance is the level of confidence that software (1) is free from vulnerabilities, either intentionally designed into the software or accidentally inserted at any time during its lifecycle, and (2) functions in the intended manner. (CNSS Instruction No. 4009, 26 April 2010)
DOD STRATEGY
Software Assurance is the level of confidence that software (1) is free of vulnerabilities, either intentionally or unintentionally designed or inserted as part of the software throughout the lifecycle, and (2) functions as intended.
– Mandated by Federal Law: Section 932, 2011 NDAA
– Defined by Federal Law: Section 933, 2013 NDAA
– New Guidance: Section 937, 2014 NDAA
A Systems Engineering discipline implemented in the newly released DoDI 5000.02
– Supports Information Assurance: DISA STIG ID APP5080
– Supports Test and Evaluation: DISA STIG ID APP5100
Laws and Policies Now MANDATE Use of Automated Scanning Tools
RESULTS OF PARTICIPATION IN MULTIPLE EVENTS
About 10% Are Already Doing Rigorous Static Analysis
– Primary Emphasis on Security Vulnerabilities
– But…
Another 10% Are In The Planning/Early Implementation Stage
Another 10% Have Done Their First Scans and Are Terrified By The Results
The Other 70% Are Wondering Who I Am and How Quickly They Can Run And Hide From Me
SHARED “SECRETS”
Rigorous Reduction of Security Vulnerabilities Using Automated Tools By Conscientious Developers DIRECTLY Results In Improved Code Quality – And Vice Versa……..
High Failure Rates During Operational Testing Can Be DIRECTLY Correlated To High Security Defect Density and High Code Quality “Technical Debt.”
The Value Proposition
Aldous Huxley “Facts do not cease to exist because they are ignored.”
DEFECT DENSITY - BASIC MODEL*

| | Requirements Analysis/Design | Code/Unit Testing | Government Testing | Production/Deployment | Total Cost/Investment |
|---|---|---|---|---|---|
| Error Distribution | 10% | 20% | 55% | 15% | |
| Hours to Correct | – | 50 | 120 | 380 | |
| Cost per Hour | – | $100 | $100 | $100 | |
| Cost to Fix 1000 Errors | – | $1,000,000 | $6,600,000 | $5,700,000 | $13,300,000 |

No correction hours are charged for the 10% of errors found during Requirements Analysis/Design; every other cost cell is (share of the 1000 errors) × (hours to correct one error in that phase) × $100 per hour, e.g. 200 × 50 × $100 = $1,000,000 for Code/Unit Testing.

* Stewart-Priven Group, 2009 Presentation to PMI-MHS, “Software Inspection Success”; DAU Advanced Test and Evaluation (TST 303)
RETURN ON INVESTMENT
Why Focus on ROI?
Clinger-Cohen SEC. 5122. CAPITAL PLANNING AND INVESTMENT CONTROL.
(a) DESIGN OF PROCESS- In fulfilling the responsibilities assigned under section 3506(h) of title 44, United States Code, the head of each executive agency shall design and implement in the executive agency a process for maximizing the value and assessing and managing the risks of the information technology acquisitions of the executive agency.
(b) CONTENT OF PROCESS- The process of an executive agency shall--
(1) provide for the selection of information technology investments to be made by the executive agency, the management of such investments, and the evaluation of the results of such investments;
(2) be integrated with the processes for making budget, financial, and program management decisions within the executive agency;
(3) include minimum criteria to be applied in considering whether to undertake a particular investment in information systems, including criteria related to the quantitatively expressed projected net, risk-adjusted return on investment and specific quantitative and qualitative criteria for comparing and prioritizing alternative information systems investment projects;
(4) provide for identifying information systems investments that would result in shared benefits or costs for other Federal agencies or State or local governments;
(5) provide for identifying for a proposed investment quantifiable measurements for determining the net benefits and risks of the investment; and
(6) provide the means for senior management personnel of the executive agency to obtain timely information regarding the progress of an investment in an information system, including a system of milestones for measuring progress, on an independently verifiable basis, in terms of cost, capability of the system to meet specified requirements, timeliness, and quality.
20% DEFECT REMOVAL ROI MODEL

Baseline (basic model):

| | Requirements Analysis/Design | Code/Unit Testing | Government Testing | Production/Deployment | Total Cost/Investment | Return on Investment |
|---|---|---|---|---|---|---|
| Error Distribution | 10% | 20% | 55% | 15% | | |
| Hours to Correct | – | 50 | 120 | 380 | | |
| Cost per Hour | – | $100 | $100 | $100 | | |
| Cost to Fix 1000 Errors | – | $1,000,000 | $6,600,000 | $5,700,000 | $13,300,000 | |

SCQC Applied:

| | Requirements Analysis/Design | Code/Unit Testing | Government Testing | Production/Deployment | Total Cost/Investment | Return on Investment |
|---|---|---|---|---|---|---|
| Error Distribution | 10% | 40% | 45% | 5% | | |
| Hours to Correct | – | 50 | 120 | 380 | | |
| Cost per Hour | – | $100 | $100 | $100 | | |
| Cost to Fix 1000 Errors | – | $2,013,518 | $5,400,000 | $1,800,000 | $9,213,158 | |
| Cost Avoidance | – | −$1,013,518 (cost increase) | $1,200,000 | $3,900,000 | $4,086,842 | |
| SCQC Investment | | | | | $1,868,230 | |
| ROI | | | | | | 118.75% |

ROI on these slides is (total cost avoidance − SCQC investment) / SCQC investment: ($4,086,842 − $1,868,230) / $1,868,230 ≈ 118.75%. The Code/Unit Testing column is a cost increase, not an avoidance: more defects are found and fixed there, and that spend lands in the current budget. Note also that the three printed phase cells sum to $9,213,518, not the $9,213,158 printed as the total; the last three digits appear transposed, which would put total cost avoidance at $4,086,482 and ROI at about 118.74%.
OBSERVED SCQC BENEFITS
Testing by itself is time consuming and not very efficient.*
– Most forms of testing only find about 35% of the bugs that are present.
Static analysis prior to testing is very quick and about 85% efficient.
– As a result, when testing starts there are so few bugs present that testing schedules are cut down by perhaps 50%.
– Static analysis will also find some structural defects that are not usually found by testing.
Static Security Analysis prior to DIACAP testing may find, and be able to help correct, a large number of the application source code defects identified during Information Assurance testing.
– When combined with Manual Code Review and Dynamic Analyses, it can reduce “False Positives.”

* Capers Jones, Distinguished Advisor to the Consortium for IT Software Quality (CISQ). CISQ brings together industry executives from Global 2000 IT organizations, system integrators, outsourcers, and package vendors to jointly address the challenge of standardizing the measurement of IT software quality and to promote a market-based ecosystem to support its deployment.
85% DEFECT REMOVAL ROI MODEL

Baseline (basic model):

| | Requirements Analysis/Design | Code/Unit Testing | Government Testing | Production/Deployment | Total Cost/Investment | Return on Investment |
|---|---|---|---|---|---|---|
| Error Distribution | 10% | 20% | 55% | 15% | | |
| Hours to Correct | – | 50 | 120 | 380 | | |
| Cost per Hour | – | $100 | $100 | $100 | | |
| Cost to Fix 1000 Errors | – | $1,000,000 | $6,600,000 | $5,700,000 | $13,300,000 | |

SCQC Applied:

| | Requirements Analysis/Design | Code/Unit Testing | Government Testing | Production/Deployment | Total Cost/Investment | Return on Investment |
|---|---|---|---|---|---|---|
| Error Distribution | 10% | 80% | 7% | 3% | | |
| Hours to Correct | – | 50 | 120 | 380 | | |
| Cost per Hour | – | $100 | $100 | $100 | | |
| Cost to Fix 1000 Errors | – | $2,960,000 | $621,600 | $843,600 | $4,425,000 | |
| Cost Avoidance | – | −$1,960,000 (cost increase) | $5,978,400 | $4,856,400 | $8,874,000 | |
| SCQC Investment | | | | | $1,868,230 | |
| ROI | | | | | | 375.04% |

ROI: ($8,874,000 − $1,868,230) / $1,868,230 ≈ 375%. As in the 20% model, the Code/Unit Testing cell is an increase in current-year spend; the avoidance comes from Government Testing and Production/Deployment.
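The arithmetic behind the two ROI MODEL slides, as an added example in Python (not a spreadsheet from the deck). It reproduces the baseline table exactly with the rule the slides state (share of 1000 errors × hours to correct × $100/hour) and computes ROI as (total cost avoidance − SCQC investment) / SCQC investment, which matches the printed 118.75% and 375% when fed the slides’ own totals. Two caveats: the “SCQC Applied” cost cells on the slides do not follow that simple rule (40% of 1000 errors × 50 h × $100 is $2,000,000, not the $2,013,518 printed, and the 85% row implies fewer than 1000 errors), so the spreadsheet behind them carried adjustments the slides do not show; and the $1,868,230 investment is taken as given, its composition is not on the page. The `Scenario` class, function names and the zero-hour charge for Requirements Analysis/Design are this example’s own choices.

```python
"""Phase-cost and ROI model for static code quality checking (SCQC).

Added example, not from the slide deck: it implements the rule the
DEFECT DENSITY - BASIC MODEL table states (share of 1000 errors x hours
to correct x $100/hour) and the ROI line of the ROI MODEL slides.
"""
from dataclasses import dataclass

PHASES = (
    "Requirements Analysis/Design",
    "Code/Unit Testing",
    "Government Testing",
    "Production/Deployment",
)

# Hours to correct one defect per phase, from the slide.  The slide lists no
# hours for requirements analysis/design, so that phase is charged zero
# (assumption made here to reproduce the printed $13,300,000 baseline).
HOURS_TO_CORRECT = {
    "Requirements Analysis/Design": 0,
    "Code/Unit Testing": 50,
    "Government Testing": 120,
    "Production/Deployment": 380,
}
COST_PER_HOUR = 100
TOTAL_ERRORS = 1000
SCQC_INVESTMENT = 1_868_230  # slide value; what it covers is not stated


@dataclass(frozen=True)
class Scenario:
    """Where the defects are found, as whole percentages per phase."""
    name: str
    distribution: dict  # phase -> percent of defects found in that phase

    def __post_init__(self):
        if set(self.distribution) != set(PHASES):
            raise ValueError("distribution must name every phase exactly once")
        if sum(self.distribution.values()) != 100:
            raise ValueError("distribution must sum to 100 percent")


BASELINE = Scenario("Basic model", {
    "Requirements Analysis/Design": 10, "Code/Unit Testing": 20,
    "Government Testing": 55, "Production/Deployment": 15})
SCQC_20 = Scenario("20% defect removal", {
    "Requirements Analysis/Design": 10, "Code/Unit Testing": 40,
    "Government Testing": 45, "Production/Deployment": 5})
SCQC_85 = Scenario("85% defect removal", {
    "Requirements Analysis/Design": 10, "Code/Unit Testing": 80,
    "Government Testing": 7, "Production/Deployment": 3})


def phase_costs(scenario, total_errors=TOTAL_ERRORS):
    """Cost to fix `total_errors` defects, per phase plus a 'Total' key."""
    costs = {}
    for phase in PHASES:
        defects = total_errors * scenario.distribution[phase] / 100
        costs[phase] = round(defects * HOURS_TO_CORRECT[phase] * COST_PER_HOUR)
    costs["Total"] = sum(costs[p] for p in PHASES)
    return costs


def cost_avoidance(baseline, improved):
    """Baseline minus improved cost per phase.  A negative value means the
    phase costs MORE after SCQC: the 'numbers in red' on the slides."""
    base, imp = phase_costs(baseline), phase_costs(improved)
    return {k: base[k] - imp[k] for k in base}


def roi(total_avoidance, investment=SCQC_INVESTMENT):
    """ROI as the slides compute it: (avoidance - investment) / investment."""
    return (total_avoidance - investment) / investment


def report(improved, baseline=BASELINE):
    """Lines of text summarising one SCQC scenario against the baseline."""
    avoid = cost_avoidance(baseline, improved)
    lines = [f"{improved.name} vs {baseline.name}"]
    for phase in PHASES:
        lines.append(f"  {phase:30s} avoidance ${avoid[phase]:>12,}")
    lines.append(f"  {'Total':30s} avoidance ${avoid['Total']:>12,}")
    lines.append(f"  ROI on ${SCQC_INVESTMENT:,}: {roi(avoid['Total']):.2%}")
    return lines


if __name__ == "__main__":
    for scenario in (SCQC_20, SCQC_85):
        print("\n".join(report(scenario)))
    # ROI recomputed from the totals printed on the slides themselves
    print(f"slide 20% model: {roi(4_086_842):.2%}")
    print(f"slide 85% model: {roi(8_874_000):.2%}")
```

Plugging in a team’s own hours-to-correct figures and measured defect distribution is the point: the ROI swings on how many defects move out of Production/Deployment, where each one costs 380 hours, and on whether the current-year increase in Code/Unit Testing cost can be funded.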
WHAT’S THE PROBLEM WITH THE MODEL?
MODEL ISSUES
The Numbers in Red on the ROI Models (the SCQC Investment and the Added Code/Unit Testing Cost) Are Today’s BUDGET Issues
The Benefits Appear In The Out-Years
Managers Worry About Budgets
Leaders Look To The Future
Are You a Manager or Are You a Leader?
WHAT ABOUT SOME PERSONAL EXPERIENCES?
PROJECT X
Began Using An Automated Tool – February 2013 – Fully Integrated Into Development Environment
• Works with IDE and Code Quality Tools
– 56% Defect Reduction in Three (3) Weeks
– Second Lowest Defect Density (1.07%) in My Recent History
– Achieved 0.21% DEFECT DENSITY AS OF 9 AUGUST 2013
• 184 Defects in 86,382 Lines of Code
– Achieved 0.004244% DEFECT DENSITY AS OF 11 FEBRUARY 2014
• 5 Defects in 117,804 Lines of Code
HOWEVER – 526 Defects Mitigated By Compensating Controls
• Log Forging
• System Information Leak
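The two finding classes left under compensating controls above, Log Forging and System Information Leak, are what a static security analyzer reports when untrusted data reaches a log call unescaped and when exception detail reaches the caller. As an added example (not code from Project X or the deck), here is each one in its vulnerable form beside a code-level fix; the request handler, the backing store, the forged username and the log format are all constructed for the demonstration.

```python
"""Log forging and system-information leak: vulnerable vs hardened code.

Added example; not from the project or the deck.  The handler, the lookup
table, the log format and the input below are constructed for the demo.
"""
import re
import traceback
import uuid

# Constructed untrusted input: a username carrying CR LF plus a fake record,
# so that one log call would write what looks like two legitimate lines.
FORGED_USERNAME = "alice\r\n2014-02-11 09:00:01 INFO login ok user=admin"

_CONTROL = re.compile(r"[\x00-\x1f\x7f]")


def neutralize_for_log(value):
    """Escape control characters so a logged value stays on one line.
    CR and LF become the visible tokens \\x0d and \\x0a."""
    return _CONTROL.sub(lambda m: "\\x%02x" % ord(m.group(0)), str(value))


# --- Log forging ------------------------------------------------------------
def login_failed_vulnerable(user):
    """Untrusted data copied straight into the log record (log forging)."""
    return "WARN login failed user=" + user


def login_failed_hardened(user):
    """Same record, with the value neutralized before it reaches the log."""
    return "WARN login failed user=" + neutralize_for_log(user)


# --- System information leak ------------------------------------------------
# Constructed backing store; a real lookup would raise something similar.
_RECORDS = {"/patients/42": "record 42"}


def _lookup(path):
    if path not in _RECORDS:
        raise KeyError("no row for %s in /srv/app/db/patients.sqlite" % path)
    return _RECORDS[path]


def handle_vulnerable(path):
    """Returns the stack trace to the caller: file paths, module names and
    the failing query end up in the response (system information leak)."""
    try:
        return 200, _lookup(path)
    except Exception:
        return 500, "Internal error:\n" + traceback.format_exc()


def handle_hardened(path, server_log):
    """The caller gets a generic message plus a reference id; the detail goes
    to the server log as ONE record, neutralized so the trace itself cannot
    forge log lines either.  `server_log` is a list standing in for a logger."""
    try:
        return 200, _lookup(path)
    except Exception:
        ref = uuid.uuid4().hex[:8]
        server_log.append("ERROR ref=%s %s"
                          % (ref, neutralize_for_log(traceback.format_exc())))
        return 500, "Internal error (reference %s)" % ref


if __name__ == "__main__":
    print(repr(login_failed_vulnerable(FORGED_USERNAME)))
    print(repr(login_failed_hardened(FORGED_USERNAME)))
    log = []
    print(handle_vulnerable("/patients/99"))
    print(handle_hardened("/patients/99", log))
    print(log)
```

The reference id is what makes the hardened handler workable operationally: the user can quote it to support, and support can find the full trace in the server log, so nothing is lost by withholding the detail from the response.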
WHAT ABOUT AGILE DEVELOPMENT?
AGILE DEVELOPMENT MODEL (diagram; only the labels are recoverable from the figure)
Initial Requirements and Architecture Models → Sprint #1 → Sprint #2 → Sprint #3 → Sprint #4 → Sprint #5 → … → Sprint #8 → Sprint #9 → Etc.
Each sprint feeds Lessons Learned into the next. At intervals across the sprints a CODE DROP & AUDIT is performed and the results are refined (Refine Results); the repetition is how the team establishes its battle-rhythm.
WHAT WAS THE END RESULT?
0 defects detected in pre-production environment
WHAT KEEPS ME AWAKE AT NIGHT?
SOME THINKING ABOUT TOOLS
“A Fool With A Tool is Still a Fool”
• PMT256 - Program Management Tools Course
• TST203 - Intermediate Test and Evaluation
• Director, Federal Reserve Information Technology
To achieve success you need a combination of:
• Skilled People
• Disciplined Processes
• Enabling Tools and Technologies
OTHER ISSUES
Becoming a Commodity
Failure To Document Lessons-Learned – Tie Today’s and/or Tomorrow’s Successes To Past Performance (or lack thereof)
Questions?