The architect at Code Integrity Solutions and I were talking the other day about ownership of static analysis. Who truly "owns" static analysis and therefore drives its success or failure?
If you look at most large organizations, a central tools group ends up supporting the static analysis tool. I say "ends up" purposely because oftentimes they were not the drivers for bringing in the static analysis tool -- in some cases, they find out after the fact and are simply told to support it once it has been brought in-house. How well that tool is supported is a big factor in the tool's eventual success within the organization - however, what is more important is knowing who is truly responsible for its adoption. Without a business driver, and therefore the metrics to understand whether the goal is being met, the source code analysis tool is left as a voluntary, nice-to-have tool that gets underutilized for the price paid.
Tools organizations without these strong business drivers are left to try to deploy a "carrot" solution, enticing the developers with the tool's value. Left to their own devices, many developers have too much on their plates and may not see the big picture of how static analysis can improve not only quality but also productivity. Inexperienced developers see only the short term.
Some tools teams are very well tied into the business of building software and have the right knowledge and influence to make successful tools rollouts. Most tools teams feel it is sufficient to set the tool up and let the developers decide whether they want to use it. Someone in the organization has to care about its adoption and successful use. In some cases it's the development managers. In other cases it's the executive team, who are tired of talking about quality and would rather talk about features. Quality assurance and central security should also have a vested interest in the use of these types of tools in the development process.
With the right business driver(s), the right process can be put in place to ensure usage, individual developers know that there are incentives and consequences tied to their use of static analysis, and progress can be measured to ensure successful adoption.