[WASC-SATEC] wasc-satec Digest, Vol 8, Issue 1

Mushtaq Ahmed (ITSNR) mushtaq.ahmed at emirates.com
Mon Jan 9 23:45:18 EST 2012


Mushtaq Ahmed - Reviewer

-----Original Message-----
From: wasc-satec-bounces at lists.webappsec.org
[mailto:wasc-satec-bounces at lists.webappsec.org] On Behalf Of
wasc-satec-request at lists.webappsec.org
Sent: 10 January 2012 06:16
To: wasc-satec at lists.webappsec.org
Subject: wasc-satec Digest, Vol 8, Issue 1

Send wasc-satec mailing list submissions to
	wasc-satec at lists.webappsec.org

To subscribe or unsubscribe via the World Wide Web, visit
	
http://lists.webappsec.org/mailman/listinfo/wasc-satec_lists.webappsec.o
rg

or, via email, send a message with subject or body 'help' to
	wasc-satec-request at lists.webappsec.org

You can reach the person managing the list at
	wasc-satec-owner at lists.webappsec.org

When replying, please edit your Subject line so it is more specific than
"Re: Contents of wasc-satec digest..."


Today's Topics:

   1. Phase II: Are you an author or reviewer? (Sherif Koussa)
   2. Re: Phase II: Are you an author or reviewer? (McGovern, James)
   3. Re: Phase II: Are you an author or reviewer? (Sherif Koussa)


----------------------------------------------------------------------

Message: 1
Date: Mon, 9 Jan 2012 16:39:38 -0500
From: Sherif Koussa <sherif.koussa at gmail.com>
To: wasc-satec at lists.webappsec.org
Subject: [WASC-SATEC] Phase II: Are you an author or reviewer?
Message-ID:
	
<CA+4St2DNm_aaPVXog=dC7_9P0wQYPq530exF7SyH9pVb=m=qAw at mail.gmail.com>
Content-Type: text/plain; charset="iso-8859-1"

Hi All,

So we have been working for about 4-5 months now, trying to figure out
what matters most to software companies which may be trying to acquire a
Static Code Analysis tool. I think we have a very good set of criteria,
which were vetted several times, these were captured in the form of
categories and sub-categories (headers and sub-headers mainly) in the
Wiki page here
http://projects.webappsec.org/w/page/42093482/Static%20Analysis%20Tool%2
0Evaluation%20Criteria%20Working
.

So now we got the categories and sub-categories locked down, we need to
start the next phase, which is about fleshing the categories and
sub-categories out and explain what each of them means. If you need an
example, please visit the WASSEC project
http://projects.webappsec.org/w/page/13246986/Web%20Application%20Securi
ty%20Scanner%20Evaluation%20Criteria
to
get a sense of how the finished criteria would look like.

Now, we need authors who are going to actually start fleshing out
(write\explain) the categories and sub-categories and we need reviewers
who will review the authors' work and suggest modifications.

*if you have cycles in the next two month, please reply to this email
with either "Author" or "Reviewer" to indicate the role you would like
to play in the next period.*

Ideally, we would like to keep the workload per contributor to less than
2 hours a week for the next two months. We should be able to achieve
this considering that we have almost 40 people on this mailing list.

Please let me know if you had any comments, suggestions or questions.

Regards,
Sherif
-------------- next part --------------
An HTML attachment was scrubbed...
URL:
<http://lists.webappsec.org/pipermail/wasc-satec_lists.webappsec.org/att
achments/20120109/58e4dc8d/attachment-0001.html>

------------------------------

Message: 2
Date: Mon, 9 Jan 2012 22:04:32 +0000
From: "McGovern, James" <james.mcgovern at hp.com>
To: Sherif Koussa <sherif.koussa at gmail.com>,
	"wasc-satec at lists.webappsec.org"
<wasc-satec at lists.webappsec.org>
Subject: Re: [WASC-SATEC] Phase II: Are you an author or reviewer?
Message-ID:
	
<4861F6A0384C874894534A485C43C18FC761613384 at GVW0671EXC.americas.hpqcorp.
net>
	
Content-Type: text/plain; charset="us-ascii"

Count me in as a reviewer. In the meantime, I have the following
questions/thoughts:


*         How should we separate out static analysis in terms of tools
that do security vs the ones that do quality? They do produce different
metrics, etc

*         When I was at The Hartford, we had a big focus on reporting.
This included an understanding not just of the code characteristics, but
departments, divisions and developers who wrote the best vs worst, etc

*         We also wanted a richer classification that just grouping of
"projects" For example, if ten applications used Struts then we wanted
to understand cross-cutting concerns.

*         We also cared about integration. For example, could we prevent
Cognizant developers from seeing how suboptimal the results were from
code written by BLANK

*         At times, we wanted to export report data, you know the habit
of doing interesting pivots in Excel

*         Bug tracking shouldn't assume one repository, so this needs to
work in a federated manner

*         Could I access the reports and not require yet another
username/password and instead consume enterprise identity

*         I really hate having to install an application desktop by
desktop and would rather incorporate this into a desktop build. Some
vendors license tracking became an impediment

*         Does it make sense for every project that uses Spring to scan
Spring or could I somehow "include" other scan results

From: wasc-satec-bounces at lists.webappsec.org
[mailto:wasc-satec-bounces at lists.webappsec.org] On Behalf Of Sherif
Koussa
Sent: Monday, January 09, 2012 4:40 PM
To: wasc-satec at lists.webappsec.org
Subject: [WASC-SATEC] Phase II: Are you an author or reviewer?

Hi All,

So we have been working for about 4-5 months now, trying to figure out
what matters most to software companies which may be trying to acquire a
Static Code Analysis tool. I think we have a very good set of criteria,
which were vetted several times, these were captured in the form of
categories and sub-categories (headers and sub-headers mainly) in the
Wiki page here
http://projects.webappsec.org/w/page/42093482/Static%20Analysis%20Tool%2
0Evaluation%20Criteria%20Working.

So now we got the categories and sub-categories locked down, we need to
start the next phase, which is about fleshing the categories and
sub-categories out and explain what each of them means. If you need an
example, please visit the WASSEC project
http://projects.webappsec.org/w/page/13246986/Web%20Application%20Securi
ty%20Scanner%20Evaluation%20Criteria to get a sense of how the finished
criteria would look like.

Now, we need authors who are going to actually start fleshing out
(write\explain) the categories and sub-categories and we need reviewers
who will review the authors' work and suggest modifications.

if you have cycles in the next two month, please reply to this email
with either "Author" or "Reviewer" to indicate the role you would like
to play in the next period.

Ideally, we would like to keep the workload per contributor to less than
2 hours a week for the next two months. We should be able to achieve
this considering that we have almost 40 people on this mailing list.

Please let me know if you had any comments, suggestions or questions.

Regards,
Sherif
-------------- next part --------------
An HTML attachment was scrubbed...
URL:
<http://lists.webappsec.org/pipermail/wasc-satec_lists.webappsec.org/att
achments/20120109/26a144e4/attachment-0001.html>

------------------------------

Message: 3
Date: Mon, 9 Jan 2012 21:16:04 -0500
From: Sherif Koussa <sherif.koussa at gmail.com>
To: "McGovern, James" <james.mcgovern at hp.com>
Cc: "wasc-satec at lists.webappsec.org" <wasc-satec at lists.webappsec.org>
Subject: Re: [WASC-SATEC] Phase II: Are you an author or reviewer?
Message-ID:
	
<CA+4St2CLw9UwRM92N4SBspVAHzDnHWXed80vmggNjzS-cmTc=A at mail.gmail.com>
Content-Type: text/plain; charset="windows-1252"

Hi James,

Thanks for your feedback, please find my replies below

Regards,
Sherif

On Mon, Jan 9, 2012 at 5:04 PM, McGovern, James
<james.mcgovern at hp.com>wrote:

> Count me in as a reviewer. In the meantime, I have the following
> questions/thoughts:****
>
> ** **
>
> **?         **How should we separate out static analysis in terms of
> tools that do security vs the ones that do quality? They do produce 
> different metrics, etc
>
Sherif: This project is focused on security tools only, now, thinking
about this, I am not sure if we reflected this fact enough in our
documentation efforts so far though

> ****
>
> **?         **When I was at The Hartford, we had a big focus on
> reporting. This included an understanding not just of the code 
> characteristics, but departments, divisions and developers who wrote 
> the best vs worst, etc
>
Sherif:  Reporting is indeed a big chunk of a tool's value, I am not
sure we should direct companies to pay too too much attention to it
though. The
4 sub-categories that exist right now under reporting covers more than
95%, I would imagine, of the reporting needs of companies, there is a
risk of adding more direction under reporting, the risk is that the
criteria are flat, so something like 3.5 Support for editing core rules,
would be as important as any other criteria in the document, there is no
weight associated to each criteria, at least for the current version we
are working.

> ****
>
> **?         **We also wanted a richer classification that just
grouping
> of ?projects? For example, if ten applications used Struts then we 
> wanted to understand cross-cutting concerns.
>
Sherif:  I am not following, can you elaborate?

> ****
>
> **?         **We also cared about integration. For example, could we
> prevent Cognizant developers from seeing how suboptimal the results 
> were from code written by BLANK
>
Sherif: that's indeed an interesting point. So you have an application,
written by multiple 3rd party software vendors, you scan the code, would
there be a way to show each vendor the findings of their own code and
not the code written by other vendors?

> ****
>
> **?         **At times, we wanted to export report data, you know the
> habit of doing interesting pivots in Excel
>
Sherif: One thing holding the SCA industry right now is porting results
from one tool to the other, or agreeing on a certain format to export
findings. But none of the SCA tools have this right now, not sure
whether there would be a value of adding it as a criteria if none
supports it.

> ****
>
> **?         **Bug tracking shouldn?t assume one repository, so this
needs
> to work in a federated manner
>
Sherif: I see your point, how would you change the current sub-category
though?

> ****
>
> **?         **Could I access the reports and not require yet another
> username/password and instead consume enterprise identity
>
Sherif: I am not sure, that would be in our criteria though. I would
imagine another company wanting to restrict access to the reports.

> ****
>
> **?         **I really hate having to install an application desktop
by
> desktop and would rather incorporate this into a desktop build. Some 
> vendors license tracking became an impediment
>
Sherif: Licensing is indeed an important issue. The main two players in
this industry has changed their licensing scheme several times during
the last 12 months, so I am not sure this is something we should dive
into, thoughts?

> ****
>
> **?         **Does it make sense for every project that uses Spring to
> scan Spring or could I somehow ?include? other scan results
>
Sherif: that's an interesting point. But what is the value of including
other scan results? I am just thinking out loud here. It would be really
useful for per LOC licensing schemes, but most of the vendors have
ditched LOC licensing, so this is not a driver anymore. Saving time is
probably not a big concern. Would you see any other benefits for this?

> ****
>
> ** **
>
> *From:* wasc-satec-bounces at lists.webappsec.org [mailto:
> wasc-satec-bounces at lists.webappsec.org] *On Behalf Of *Sherif Koussa
> *Sent:* Monday, January 09, 2012 4:40 PM
>
> *To:* wasc-satec at lists.webappsec.org
> *Subject:* [WASC-SATEC] Phase II: Are you an author or reviewer?****
>
> ** **
>
> Hi All,****
>
> ** **
>
> So we have been working for about 4-5 months now, trying to figure out

> what matters most to software companies which may be trying to acquire

> a Static Code Analysis tool. I think we have a very good set of 
> criteria, which were vetted several times, these were captured in the 
> form of categories and sub-categories (headers and sub-headers mainly)

> in the Wiki page here 
> http://projects.webappsec.org/w/page/42093482/Static%20Analysis%20Tool
> %20Evaluation%20Criteria%20Working
> . ****
>
> ** **
>
> So now we got the categories and sub-categories locked down, we need 
> to start the next phase, which is about fleshing the categories and 
> sub-categories out and explain what each of them means. If you need an

> example, please visit the WASSEC project 
> http://projects.webappsec.org/w/page/13246986/Web%20Application%20Secu
> rity%20Scanner%20Evaluation%20Criteria to get a sense of how the 
> finished criteria would look like.****
>
> ** **
>
> Now, we need authors who are going to actually start fleshing out
> (write\explain) the categories and sub-categories and we need 
> reviewers who will review the authors' work and suggest 
> modifications.****
>
> ** **
>
> *if you have cycles in the next two month, please reply to this email 
> with either "Author" or "Reviewer" to indicate the role you would like

> to play in the next period.*****
>
> ** **
>
> Ideally, we would like to keep the workload per contributor to less 
> than 2 hours a week for the next two months. We should be able to 
> achieve this considering that we have almost 40 people on this mailing

> list.****
>
> ** **
>
> Please let me know if you had any comments, suggestions or 
> questions.****
>
> ** **
>
> Regards,****
>
> Sherif****
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL:
<http://lists.webappsec.org/pipermail/wasc-satec_lists.webappsec.org/att
achments/20120109/aaea0964/attachment.html>

------------------------------

_______________________________________________
wasc-satec mailing list
wasc-satec at lists.webappsec.org
http://lists.webappsec.org/mailman/listinfo/wasc-satec_lists.webappsec.o
rg


End of wasc-satec Digest, Vol 8, Issue 1
****************************************




More information about the wasc-satec mailing list