This actually was supposed to be a sub-category under 3. Scan Coverage and Accuracy.
Are you looking to make this its own category?
Regards,
Sherif
On Thu, Aug 11, 2011 at 9:01 PM, benoit.guerette@owasp.org wrote:
Sorry I was not clear enough.
If I were in the process of acquiring a tool, I would ask the vendors very specific
questions about what they cover in the Top Ten or SANS 25, as examples.
In my mind, a generic item with so many criteria inside (XSS, CSRF,
SQLi, etc.) needs to be covered in detail, as it is the goal of the
tool to trap them -> we should be able to compare the tools based on
multiple criteria in that specific item.
On Thu, Aug 11, 2011 at 8:49 PM, Sherif Koussa <sherif.koussa@gmail.com> wrote:
We are not limited to 10 sections only, we can definitely add/remove as we wish.
"would be specific and interested as a future customer about what
kind of verifications the tool cover, as it is a very important
subject. It is like the Annex A of the NIST document."
Do you mean things like OWASP Top 10, SANS 25, etc.?
Regards,
Sherif
Regarding having the pricing (licensing model, support, etc.), I would suggest
it be part of the guideline, maybe as a non-technical section. In my
opinion, the guideline could be used as a template (a simple spreadsheet) for
organizations looking for a static code analysis tool. Evaluators could mark
(yes/no) the relevant topics while comparing various tools and then
recommend a suitable tool to their management.
-Srikanth
On Wed, Aug 10, 2011 at 8:56 PM, Alen Zukich <alen.zukich@klocwork.com> wrote:
I agree with Robert.
alen
-----Original Message-----
From: wasc-satec-bounces@lists.webappsec.org [mailto:
wasc-satec-bounces@lists.webappsec.org] On Behalf Of Robert A.
Sent: August-10-11 9:58 PM
To: Sherif Koussa
Cc: wasc-satec@lists.webappsec.org; benoit.guerette@owasp.org
Subject: Re: [WASC-SATEC] A thread for questions before voting?
We need to be careful to keep these technical criteria and not make them product
specific (this, after all, isn't a bake-off between products).
For me, I don't think pricing should be part of the criteria, but I would be
open to listening to alternative views.
On Wed, 10 Aug 2011, Sherif Koussa wrote:
Benoit,
Great question. I would like to hear what everybody has to say first.
Short question here: where is the pricing in the categories or
sub-categories?
Maybe it is not an important part related to the quality of a tool,
and that's the reason?
wasc-satec mailing list
wasc-satec@lists.webappsec.org
This definitely belongs to 3. Scan Coverage and Accuracy.
I agree with Benoit that this category needs to be defined very well, as it will allow comparing the tools based on generally accepted coverage metrics. But I wouldn't limit these criteria to merely checklist items intended to confirm whether the tool covers a particular set of vulnerabilities. I'd like to see if the tool can actually be configured so it can scan an app precisely against OWASP Top 10 or SANS 25 et al. This would provide a much more meaningful comparison capability, as one could run, say, a "SANS 25 scan" with several tools and then compare the results.
From: wasc-satec-bounces@lists.webappsec.org [mailto:wasc-satec-bounces@lists.webappsec.org] On Behalf Of Sherif Koussa
Sent: Thursday, August 11, 2011 6:27 PM
To: benoit.guerette@owasp.org
Cc: wasc-satec@lists.webappsec.org
Subject: Re: [WASC-SATEC] A thread for questions before voting?