[WASC-SATEC] Phase II: Are you an author or reviewer?

McGovern, James james.mcgovern at hp.com
Mon Jan 9 17:04:32 EST 2012


Count me in as a reviewer. In the meantime, I have the following questions/thoughts:


* How should we separate out static analysis in terms of tools that do security vs. the ones that do quality? They do produce different metrics, etc.

* When I was at The Hartford, we had a big focus on reporting. This included an understanding not just of the code characteristics, but of the departments, divisions and developers who wrote the best vs. worst code, etc.

* We also wanted a richer classification than just grouping of "projects". For example, if ten applications used Struts then we wanted to understand cross-cutting concerns.

* We also cared about integration. For example, could we prevent Cognizant developers from seeing how suboptimal the results were from code written by BLANK?

* At times, we wanted to export report data, you know, the habit of doing interesting pivots in Excel.

* Bug tracking shouldn't assume one repository, so this needs to work in a federated manner.

* Could I access the reports and not require yet another username/password and instead consume enterprise identity?

* I really hate having to install an application desktop by desktop and would rather incorporate this into a desktop build. Some vendors' license tracking became an impediment.

* Does it make sense for every project that uses Spring to scan Spring, or could I somehow "include" other scan results?

From: wasc-satec-bounces at lists.webappsec.org [mailto:wasc-satec-bounces at lists.webappsec.org] On Behalf Of Sherif Koussa
Sent: Monday, January 09, 2012 4:40 PM
To: wasc-satec at lists.webappsec.org
Subject: [WASC-SATEC] Phase II: Are you an author or reviewer?

Hi All,

So we have been working for about 4-5 months now, trying to figure out what matters most to software companies which may be trying to acquire a Static Code Analysis tool. I think we have a very good set of criteria, which were vetted several times; these were captured in the form of categories and sub-categories (headers and sub-headers mainly) in the Wiki page here: http://projects.webappsec.org/w/page/42093482/Static%20Analysis%20Tool%20Evaluation%20Criteria%20Working

So now that we have the categories and sub-categories locked down, we need to start the next phase, which is about fleshing the categories and sub-categories out and explaining what each of them means. If you need an example, please visit the WASSEC project http://projects.webappsec.org/w/page/13246986/Web%20Application%20Security%20Scanner%20Evaluation%20Criteria to get a sense of what the finished criteria would look like.

Now, we need authors who are going to actually start fleshing out (write\explain) the categories and sub-categories and we need reviewers who will review the authors' work and suggest modifications.

If you have cycles in the next two months, please reply to this email with either "Author" or "Reviewer" to indicate the role you would like to play in the next period.

Ideally, we would like to keep the workload per contributor to less than 2 hours a week for the next two months. We should be able to achieve this considering that we have almost 40 people on this mailing list.

Please let me know if you have any comments, suggestions or questions.

Regards,
Sherif