[WASC-SATEC] Phase II: Are you an author or reviewer?

Sherif Koussa sherif.koussa at gmail.com
Mon Jan 9 21:16:04 EST 2012


Hi James,

Thanks for your feedback, please find my replies below

Regards,
Sherif

On Mon, Jan 9, 2012 at 5:04 PM, McGovern, James <james.mcgovern at hp.com>wrote:

> Count me in as a reviewer. In the meantime, I have the following
> questions/thoughts:****
>
> ** **
>
> **·         **How should we separate out static analysis in terms of
> tools that do security vs the ones that do quality? They do produce
> different metrics, etc
>
Sherif: This project is focused on security tools only, now, thinking about
this, I am not sure if we reflected this fact enough in our documentation
efforts so far though

> ****
>
> **·         **When I was at The Hartford, we had a big focus on
> reporting. This included an understanding not just of the code
> characteristics, but departments, divisions and developers who wrote the
> best vs worst, etc
>
Sherif:  Reporting is indeed a big chunk of a tool's value, I am not sure
we should direct companies to pay too too much attention to it though. The
4 sub-categories that exist right now under reporting covers more than 95%,
I would imagine, of the reporting needs of companies, there is a risk of
adding more direction under reporting, the risk is that the criteria are
flat, so something like 3.5 Support for editing core rules, would be as
important as any other criteria in the document, there is no weight
associated to each criteria, at least for the current version we are
working.

> ****
>
> **·         **We also wanted a richer classification that just grouping
> of “projects” For example, if ten applications used Struts then we wanted
> to understand cross-cutting concerns.
>
Sherif:  I am not following, can you elaborate?

> ****
>
> **·         **We also cared about integration. For example, could we
> prevent Cognizant developers from seeing how suboptimal the results were
> from code written by BLANK
>
Sherif: that's indeed an interesting point. So you have an application,
written by multiple 3rd party software vendors, you scan the code, would
there be a way to show each vendor the findings of their own code and not
the code written by other vendors?

> ****
>
> **·         **At times, we wanted to export report data, you know the
> habit of doing interesting pivots in Excel
>
Sherif: One thing holding the SCA industry right now is porting results
from one tool to the other, or agreeing on a certain format to export
findings. But none of the SCA tools have this right now, not sure whether
there would be a value of adding it as a criteria if none supports it.

> ****
>
> **·         **Bug tracking shouldn’t assume one repository, so this needs
> to work in a federated manner
>
Sherif: I see your point, how would you change the current sub-category
though?

> ****
>
> **·         **Could I access the reports and not require yet another
> username/password and instead consume enterprise identity
>
Sherif: I am not sure, that would be in our criteria though. I would
imagine another company wanting to restrict access to the reports.

> ****
>
> **·         **I really hate having to install an application desktop by
> desktop and would rather incorporate this into a desktop build. Some
> vendors license tracking became an impediment
>
Sherif: Licensing is indeed an important issue. The main two players in
this industry has changed their licensing scheme several times during the
last 12 months, so I am not sure this is something we should dive into,
thoughts?

> ****
>
> **·         **Does it make sense for every project that uses Spring to
> scan Spring or could I somehow “include” other scan results
>
Sherif: that's an interesting point. But what is the value of including
other scan results? I am just thinking out loud here. It would be really
useful for per LOC licensing schemes, but most of the vendors have ditched
LOC licensing, so this is not a driver anymore. Saving time is probably not
a big concern. Would you see any other benefits for this?

> ****
>
> ** **
>
> *From:* wasc-satec-bounces at lists.webappsec.org [mailto:
> wasc-satec-bounces at lists.webappsec.org] *On Behalf Of *Sherif Koussa
> *Sent:* Monday, January 09, 2012 4:40 PM
>
> *To:* wasc-satec at lists.webappsec.org
> *Subject:* [WASC-SATEC] Phase II: Are you an author or reviewer?****
>
> ** **
>
> Hi All,****
>
> ** **
>
> So we have been working for about 4-5 months now, trying to figure out
> what matters most to software companies which may be trying to acquire a
> Static Code Analysis tool. I think we have a very good set of criteria,
> which were vetted several times, these were captured in the form of
> categories and sub-categories (headers and sub-headers mainly) in the Wiki
> page here
> http://projects.webappsec.org/w/page/42093482/Static%20Analysis%20Tool%20Evaluation%20Criteria%20Working
> . ****
>
> ** **
>
> So now we got the categories and sub-categories locked down, we need to
> start the next phase, which is about fleshing the categories and
> sub-categories out and explain what each of them means. If you need an
> example, please visit the WASSEC project
> http://projects.webappsec.org/w/page/13246986/Web%20Application%20Security%20Scanner%20Evaluation%20Criteria to
> get a sense of how the finished criteria would look like.****
>
> ** **
>
> Now, we need authors who are going to actually start fleshing out
> (write\explain) the categories and sub-categories and we need reviewers who
> will review the authors' work and suggest modifications.****
>
> ** **
>
> *if you have cycles in the next two month, please reply to this email
> with either "Author" or "Reviewer" to indicate the role you would like to
> play in the next period.*****
>
> ** **
>
> Ideally, we would like to keep the workload per contributor to less than 2
> hours a week for the next two months. We should be able to achieve this
> considering that we have almost 40 people on this mailing list.****
>
> ** **
>
> Please let me know if you had any comments, suggestions or questions.****
>
> ** **
>
> Regards,****
>
> Sherif****
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.webappsec.org/pipermail/wasc-satec_lists.webappsec.org/attachments/20120109/aaea0964/attachment-0003.html>


More information about the wasc-satec mailing list