Short question here: where is the pricing in the categories or sub-categories?
Maybe it is not an important part related to the quality of a tool
and that's the reason?
Benoit,
Great question; I would like to hear what everybody has to say first
on this one.
Regards,
Sherif
On Wed, Aug 10, 2011 at 6:28 PM, benoit.guerette@owasp.org wrote:
wasc-satec mailing list
wasc-satec@lists.webappsec.org
http://lists.webappsec.org/mailman/listinfo/wasc-satec_lists.webappsec.org
Here are some ideas for this category, if it is relevant to you.
I personally think that pricing is an important factor to consider,
especially for management.
Here is a more complete proposal:
Cost of acquisition and maintenance
Vendor can provide TCO based on experience (Total cost of ownership)
Availability of a demo or a lab for hands-on testing (pre-order)
Perpetual license or annual subscription
Contract including consulting support on-site for the setup and tuning part
Helpdesk support included in pricing
Not directly related, but system requirements that could add cost to
the solution (server for reporting, hardware requirements for
developers, etc.)
On Wed, Aug 10, 2011 at 8:20 PM, Sherif Koussa sherif.koussa@gmail.com wrote:
We need to be careful to keep these technical criteria and not be product
specific (this, after all, isn't a bake-off between products).
For me, I don't think pricing should be part of the criteria, but I would be
open to listening to alternative views.
On Wed, 10 Aug 2011, Sherif Koussa wrote:
I agree with Robert.
alen
-----Original Message-----
From: wasc-satec-bounces@lists.webappsec.org [mailto:wasc-satec-bounces@lists.webappsec.org] On Behalf Of Robert A.
Sent: August-10-11 9:58 PM
To: Sherif Koussa
Cc: wasc-satec@lists.webappsec.org; benoit.guerette@owasp.org
Subject: Re: [WASC-SATEC] A thread for questions before voting?
Then can I propose that the scope be clarified as technical, because
actually it is more generic (no mention of technical)?
So an organization can use the SATEC and then cross-match it with their homemade
non-technical criteria to make a decision.
http://projects.webappsec.org/w/page/41188978/Static%20Analysis%20Tool%20Evaluation%20Criteria
On Wednesday, August 10, 2011, Alen Zukich alen.zukich@klocwork.com wrote:
Maybe pricing is an important aspect of the decision-making, but I don't
think it should be part of the criteria. I will alter the scope to indicate
the technical focus.
Regards,
Sherif
On Thu, Aug 11, 2011 at 6:49 AM, benoit.guerette@owasp.org wrote:
Next question:
Are we limited to 10 sections? I agree on all current 10, but in
section "3. Scan Coverage and Accuracy" I believe that the sub-category
"Coverage of Industry Standard Vulnerability Categories" should be
expanded into a category.
I would be specific and, as a future customer, interested in what
kind of verifications the tool covers, as it is a very important
subject. It is like Annex A of the NIST document.
Thanks
On Thu, Aug 11, 2011 at 8:54 AM, Sherif Koussa sherif.koussa@gmail.com wrote:
We are not limited to 10 sections only; we can definitely add/remove as we
wish.
"I would be specific and, as a future customer, interested in what
kind of verifications the tool covers, as it is a very important
subject. It is like Annex A of the NIST document."
Do you mean things like OWASP Top 10, SANS 25, etc.?
Regards,
Sherif
On Thu, Aug 11, 2011 at 8:30 PM, benoit.guerette@owasp.org wrote:
Sorry, I was not clear enough.
If I were in the process of acquiring a tool, I would ask the vendors very
specific questions about what they cover in the Top Ten or SANS 25,
as examples.
In my mind, a generic item with so many criteria inside (XSS, CSRF,
SQLi, etc.) needs to be covered in detail, as it is the goal of the
tool to trap them -> we should be able to compare the tools based on
multiple criteria in that specific item.
On Thu, Aug 11, 2011 at 8:49 PM, Sherif Koussa sherif.koussa@gmail.com wrote: