wasc-satec@lists.webappsec.org

WASC Static Analysis Tool Evaluation Criteria

What is the current state of affairs with this criteria?

DC
Dinis Cruz
Sat, Jan 26, 2013 5:12 PM

I'm just trying to get my head around where you are and what is happening
next.

For example:

  • are there plans to 'codify' these requirements?
  • what about running/testing this criteria on the freely available CAT.NET SAST tool from Microsoft (see how I was able to use CAT.NET outside Visual Studio: http://blog.diniscruz.com/2012/06/running-catnet-sast-scanner-outside.html)
  • what is the current level of support/engagement from SAST vendors?
  • what about the 'human-brain' tool, or 'require a human to drive it' tools like the O2 Platform

Thanks

Dinis Cruz

Blog: http://diniscruz.blogspot.com
Twitter: http://twitter.com/DinisCruz
Web: http://www.owasp.org/index.php/O2

SK
Sherif Koussa
Sun, Jan 27, 2013 3:07 AM

Hi Dinis,

So I believe the focus right now is to produce a set of Criteria that actually
help software organizations make better choices when choosing a SCA tool.
That would be the current phase we are trying to push.

It would make sense in the future to "codify" these requirements, create a
bunch of test cases, etc but I don't believe this is in scope at this point.

Regards,
Sherif

On Sat, Jan 26, 2013 at 12:12 PM, Dinis Cruz dinis.cruz@owasp.org wrote:

I'm just trying to get my head around where you are and what is happening
next.

For example:

- are there plans to 'codify' these requirements?
- what about running/testing this criteria on the freely available CAT.NET SAST tool from Microsoft (see how I was able to use CAT.NET outside Visual Studio: http://blog.diniscruz.com/2012/06/running-catnet-sast-scanner-outside.html)
- what is the current level of support/engagement from SAST vendors?
- what about the 'human-brain' tool, or 'require a human to drive it' tools like the O2 Platform

Thanks

Dinis Cruz

Blog: http://diniscruz.blogspot.com
Twitter: http://twitter.com/DinisCruz
Web: http://www.owasp.org/index.php/O2


wasc-satec mailing list
wasc-satec@lists.webappsec.org
http://lists.webappsec.org/mailman/listinfo/wasc-satec_lists.webappsec.org

MJ
McGovern, James
Mon, Jan 28, 2013 1:55 PM

Dinis, I do think there is merit for us to start a different project that provides test cases. Right now, it seems like everyone uses WebGoat for this purpose which I think is both useful in that it does try to represent common flaws and useless in that WebGoat suffers from simplicity that isn't representative of the real-world of software development.

What is required to create a project that targets this purpose better?

From: wasc-satec [mailto:wasc-satec-bounces@lists.webappsec.org] On Behalf Of Sherif Koussa
Sent: Saturday, January 26, 2013 10:08 PM
To: Dinis Cruz
Cc: wasc-satec@lists.webappsec.org
Subject: Re: [WASC-SATEC] What is the current state of affairs with this criteria?

Hi Dinis,

So I believe the focus right now is to produce a set of Criteria that actually help software organizations make better choices when choosing a SCA tool. That would be the current phase we are trying to push.

It would make sense in the future to "codify" these requirements, create a bunch of test cases, etc but I don't believe this is in scope at this point.

Regards,
Sherif

On Sat, Jan 26, 2013 at 12:12 PM, Dinis Cruz <dinis.cruz@owasp.org> wrote:
I'm just trying to get my head around where you are and what is happening next.

For example:

* are there plans to 'codify' these requirements?
* what about running/testing this criteria on the freely available CAT.NET SAST tool from Microsoft (see how I was able to use CAT.NET outside Visual Studio: http://blog.diniscruz.com/2012/06/running-catnet-sast-scanner-outside.html)
* what is the current level of support/engagement from SAST vendors?
* what about the 'human-brain' tool, or 'require a human to drive it' tools like the O2 Platform

Thanks

Dinis Cruz

Blog: http://diniscruz.blogspot.com
Twitter: http://twitter.com/DinisCruz
Web: http://www.owasp.org/index.php/O2


DC
Dinis Cruz
Mon, Jan 28, 2013 2:32 PM

Can't we do it here?

The people interested are already here, so we can move on and start applying the criteria to apps like WebGoat (.Net and Java) and see how it goes

Dinis Cruz

On 28 Jan 2013, at 13:55, "McGovern, James" james.mcgovern@hp.com wrote:

Dinis, I do think there is merit for us to start a different project that provides test cases. Right now, it seems like everyone uses WebGoat for this purpose which I think is both useful in that it does try to represent common flaws and useless in that WebGoat suffers from simplicity that isn’t representative of the real-world of software development.

What is required to create a project that targets this purpose better?

From: wasc-satec [mailto:wasc-satec-bounces@lists.webappsec.org] On Behalf Of Sherif Koussa
Sent: Saturday, January 26, 2013 10:08 PM
To: Dinis Cruz
Cc: wasc-satec@lists.webappsec.org
Subject: Re: [WASC-SATEC] What is the current state of affairs with this criteria?

Hi Dinis,

So I believe the focus right now is to produce a set of Criteria that actually help software organizations make better choices when choosing a SCA tool. That would be the current phase we are trying to push.

It would make sense in the future to "codify" these requirements, create a bunch of test cases, etc but I don't believe this is in scope at this point.

Regards,
Sherif

On Sat, Jan 26, 2013 at 12:12 PM, Dinis Cruz dinis.cruz@owasp.org wrote:
I'm just trying to get my head around where you are and what is happening next.

For example:
- are there plans to 'codify' these requirements?
- what about running/testing this criteria on the freely available CAT.NET SAST tool from Microsoft (see how I was able to use CAT.NET outside Visual Studio: http://blog.diniscruz.com/2012/06/running-catnet-sast-scanner-outside.html)
- what is the current level of support/engagement from SAST vendors?
- what about the 'human-brain' tool, or 'require a human to drive it' tools like the O2 Platform
Thanks

Dinis Cruz

Blog: http://diniscruz.blogspot.com
Twitter: http://twitter.com/DinisCruz
Web: http://www.owasp.org/index.php/O2

