wasc-satec@lists.webappsec.org

WASC Static Analysis Tool Evaluation Criteria

A thread for questions before voting?

BG
benoit.guerette@owasp.org
Wed, Aug 10, 2011 10:28 PM

Short question here: where is the pricing in the categories or sub-categories?

Maybe it is not an important part related to the quality of a tool
and that's the reason?

SK
Sherif Koussa
Thu, Aug 11, 2011 12:20 AM

Benoit,

Great question. I would like to hear what everybody has to say on this one
first.

Regards,
Sherif

wasc-satec mailing list
wasc-satec@lists.webappsec.org
http://lists.webappsec.org/mailman/listinfo/wasc-satec_lists.webappsec.org

BG
benoit.guerette@owasp.org
Thu, Aug 11, 2011 12:55 AM

Here are some ideas for this category, if it is relevant for you.

I personally think that pricing is an important factor to consider,
especially for the management.

Here is a more complete proposition:

  • Pricing / acquisition
    • Cost of acquisition and maintenance
    • Vendor can provide TCO (total cost of ownership) based on experience
    • Availability of a demo or a lab for hands-on testing (pre-order)
    • Perpetual license or annual subscription
    • Contract including on-site consulting support for the setup and tuning part
    • Helpdesk support included in pricing
    • Not directly related, but system requirements that could add cost to
      the solution (server for reporting, hardware requirements for
      developers, etc.)

RA
Robert A.
Thu, Aug 11, 2011 1:58 AM

We need to be careful to keep these criteria technical and not product-specific
(this, after all, isn't a bake-off between products).

For me, I don't think pricing should be part of the criteria, but I would be
open to listening to alternative views.

- Robert

AZ
Alen Zukich
Thu, Aug 11, 2011 3:56 AM

I agree with Robert.

alen

BG
benoit.guerette@owasp.org
Thu, Aug 11, 2011 10:49 AM

Then can I propose that the scope should be clarified as technical, because
actually it is more generic (no mention of technical)?

So organizations can use the SATEC and then cross-match it with their homemade
non-technical criteria to make a decision.

http://projects.webappsec.org/w/page/41188978/Static%20Analysis%20Tool%20Evaluation%20Criteria

SK
Sherif Koussa
Thu, Aug 11, 2011 12:54 PM

Maybe pricing is an important aspect of the decision-making, but I don't
think it should be part of the criteria. I will alter the scope to indicate
the technical focus.

Regards,
Sherif

BG
benoit.guerette@owasp.org
Fri, Aug 12, 2011 12:30 AM

Next question:

Are we limited to 10 sections? I agree on all current 10, but in
section "3. Scan Coverage and Accuracy" I believe that the sub-category
"Coverage of Industry Standard Vulnerability Categories" should be
expanded into a category.

I would be specific and interested, as a future customer, about what
kind of verifications the tool covers, as it is a very important
subject. It is like Annex A of the NIST document.

Thanks

SK
Sherif Koussa
Fri, Aug 12, 2011 12:49 AM

We are not limited to 10 sections only; we can definitely add/remove as we
wish.

"would be specific and interested as a future customer about what
kind of verifications the tool cover, as it is a very important
subject. It is like the Annex A of the NIST document."

Do you mean things like OWASP Top 10, SANS 25, etc.?

Regards,
Sherif

BG
benoit.guerette@owasp.org
Fri, Aug 12, 2011 1:01 AM

Sorry, I was not clear enough.

If I were in the process of acquiring a tool, I would ask the vendors very
specific questions about what they cover in the Top Ten or SANS 25, as
examples.

In my mind, a generic item with so many criteria inside (XSS, CSRF,
SQLi, etc.) needs to be covered in detail, as it is the goal of the
tool to trap them -> we should be able to compare the tools based on
multiple criteria in that specific item.
