Many companies, besieged by audit findings and application vulnerabilities, recognize the benefits of eliminating security vulnerabilities early in the software life cycle. For this reason, static analysis technologies for analyzing code-level security issues are gaining momentum in the industry. As a security and risk management executive, you must: 1) carefully prepare your organization before buying static analysis tools; 2) apply six selection criteria to the buying decision; and 3) consider the current landscape of vendors as well as emerging open source tools that provide an inexpensive alternative.