wasc-satec@lists.webappsec.org

WASC Static Analysis Tool Evaluation Criteria

A thread for questions before voting?

Sherif Koussa
Fri, Aug 12, 2011 1:26 AM

This actually was supposed to be a sub-category under 3. Scan Coverage and
Accuracy

Are you looking to make this its own category?

Regards,
Sherif

On Thu, Aug 11, 2011 at 9:01 PM, benoit.guerette@owasp.org wrote:

Sorry I was not clear enough.

If I was in the process to acquire a tool, I would ask very specific
questions to the vendors about what they cover in the Top Ten or SANS
25 as examples.

In my mind, a generic item with so many criteria inside (XSS, CSRF,
SQLi, etc.) needs to be covered in detail, as it is the goal of the
tool to trap them -> we should be able to compare the tools based on
multiple criteria in that specific item.

On Thu, Aug 11, 2011 at 8:49 PM, Sherif Koussa sherif.koussa@gmail.com
wrote:

We are not limited to 10 sections only, we can definitely add/remove as we
wish.

"would be specific and interested as a future customer about what
kind of verifications the tool covers, as it is a very important
subject. It is like the Annex A of the NIST document."

Do you mean things like OWASP Top 10, SANS 25, etc.?

Regards,
Sherif

Srikanth Ramu
Fri, Aug 12, 2011 2:19 AM

Regarding having the pricing (licensing model, support, etc.), I would suggest
it be part of the guideline, maybe as a non-technical section. In my
opinion, the guideline could be used as a template (simple spreadsheet) for
organizations looking for a static code analysis tool. Evaluators could mark
(yes/no) the relevant topics while comparing various tools and then
recommend a suitable tool to their management.

-Srikanth

On Wed, Aug 10, 2011 at 8:56 PM, Alen Zukich alen.zukich@klocwork.com wrote:

I agree with Robert.

alen

-----Original Message-----
From: wasc-satec-bounces@lists.webappsec.org [mailto:
wasc-satec-bounces@lists.webappsec.org] On Behalf Of Robert A.
Sent: August-10-11 9:58 PM
To: Sherif Koussa
Cc: wasc-satec@lists.webappsec.org; benoit.guerette@owasp.org
Subject: Re: [WASC-SATEC] A thread for questions before voting?

We need to be careful to keep this a technical criteria and not be product
specific (this after all isn't a bake-off between products).

For me, I don't think pricing should be part of the criteria but would be
open to listen to alternative views.

- Robert

On Wed, 10 Aug 2011, Sherif Koussa wrote:

Benoit,

Great question, I would like to hear what everybody would have to say first
on this one.

Regards,
Sherif

On Wed, Aug 10, 2011 at 6:28 PM, benoit.guerette@owasp.org wrote:

Short question here: where is the pricing in the categories or
sub-categories?

Maybe it is not an important part related to the quality of a tool
and that's the reason?


Alec Shcherbakov
Fri, Aug 12, 2011 5:50 PM

This definitely belongs to 3. Scan Coverage and Accuracy.

I agree with Benoit that this category needs to be defined very well, as it will allow comparing the tools based on generally accepted coverage metrics. But I wouldn't limit these criteria to being merely checklist items intended to confirm if the tool covers a particular set of vulnerabilities. I'd like to see if the tool can actually be configured so it can scan an app precisely against OWASP Top 10 or SANS 25 et al. This would provide a much more meaningful comparison capability, as one could run, say, a "SANS 25 scan" with several tools and then compare the results.

- Alec

From: wasc-satec-bounces@lists.webappsec.org [mailto:wasc-satec-bounces@lists.webappsec.org] On Behalf Of Sherif Koussa
Sent: Thursday, August 11, 2011 6:27 PM
To: benoit.guerette@owasp.org
Cc: wasc-satec@lists.webappsec.org
Subject: Re: [WASC-SATEC] A thread for questions before voting?

This actually was supposed to be a sub-category under 3. Scan Coverage and Accuracy

Are you looking to make this its own category?

Regards,
Sherif
On Thu, Aug 11, 2011 at 9:01 PM, <benoit.guerette@owasp.org> wrote:
Sorry I was not clear enough.

If I was in the process to acquire a tool, I would ask very specific
questions to the vendors about what they cover in the Top Ten or SANS
25 as examples.

In my mind, a generic item with so many criteria inside (XSS, CSRF,
SQLi, etc.) needs to be covered in detail, as it is the goal of the
tool to trap them -> we should be able to compare the tools based on
multiple criteria in that specific item.

On Thu, Aug 11, 2011 at 8:49 PM, Sherif Koussa <sherif.koussa@gmail.com> wrote:

We are not limited to 10 sections only, we can definitely add/remove as we
wish.

"would be specific and interested as a future customer about what
kind of verifications the tool covers, as it is a very important
subject. It is like the Annex A of the NIST document."

Do you mean things like OWASP Top 10, SANS 25, etc.?

Regards,
Sherif

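The kind of comparison Alec and Benoit describe (run each tool against the same checklist and compare coverage per vulnerability class) only works if "coverage" is measured rather than claimed. The following is an added example, not code from the thread or from any tool vendor: it scores several static analysis tools against a benchmark application whose vulnerable sites are known, per CWE category, and reduces the result to the yes/no spreadsheet Srikanth suggests. The tool names, file names, line numbers and findings are constructed; the CWE list is an assumed subset standing in for a checklist such as the CWE/SANS Top 25; the line tolerance is an assumption about how tools report sinks.

```python
"""Added example (not from the thread): score static analysis tools against a
benchmark whose vulnerable sites are known, per CWE category.

Everything below is constructed for illustration: the tools, the benchmark
files, the seeded vulnerabilities and the tool output. The CWE list is an
assumed subset of a checklist like the CWE/SANS Top 25, not the full list.
"""
from dataclasses import dataclass

# Assumed checklist subset: "what must the tool cover" for this comparison.
CHECKLIST = {
    "CWE-79": "Cross-site scripting",
    "CWE-89": "SQL injection",
    "CWE-352": "Cross-site request forgery",
    "CWE-22": "Path traversal",
}

@dataclass(frozen=True)
class Finding:
    file: str
    line: int
    cwe: str

# Constructed ground truth: vulnerabilities seeded into a benchmark application.
GROUND_TRUTH = [
    Finding("login.php", 42, "CWE-89"),
    Finding("search.php", 17, "CWE-89"),
    Finding("profile.php", 88, "CWE-79"),
    Finding("comment.php", 23, "CWE-79"),
    Finding("transfer.php", 60, "CWE-352"),
    Finding("download.php", 12, "CWE-22"),
]

# Constructed output of two hypothetical tools, normalised to (file, line, CWE).
TOOL_RESULTS = {
    "tool_a": [
        Finding("login.php", 43, "CWE-89"),      # hit, reported one line off
        Finding("search.php", 17, "CWE-89"),     # hit
        Finding("profile.php", 88, "CWE-79"),    # hit
        Finding("index.php", 5, "CWE-79"),       # false positive
        Finding("download.php", 12, "CWE-22"),   # hit
    ],
    "tool_b": [
        Finding("login.php", 42, "CWE-89"),      # hit
        Finding("profile.php", 88, "CWE-79"),    # hit
        Finding("comment.php", 23, "CWE-79"),    # hit
        Finding("transfer.php", 60, "CWE-352"),  # hit
        Finding("transfer.php", 61, "CWE-352"),  # duplicate report of the same site
        Finding("admin.php", 9, "CWE-89"),       # false positive
    ],
}

# Assumption: tools often flag the sink a line or two away from the seeded line.
LINE_TOLERANCE = 2

def match(finding, truth):
    return (finding.file == truth.file and finding.cwe == truth.cwe
            and abs(finding.line - truth.line) <= LINE_TOLERANCE)

def score_tool(results, ground_truth=GROUND_TRUTH, checklist=CHECKLIST):
    """Return {cwe: {tp, fp, fn, recall, precision}} for one tool.

    Each seeded site is credited at most once, so a tool reporting the same
    site twice does not inflate recall; the duplicate is not counted as a
    false positive either. Findings outside the checklist are ignored."""
    stats = {cwe: {"tp": 0, "fp": 0, "fn": 0} for cwe in checklist}
    credited = set()
    for f in results:
        if f.cwe not in stats:
            continue
        candidates = [t for t in ground_truth if match(f, t)]
        if not candidates:
            stats[f.cwe]["fp"] += 1
            continue
        fresh = [t for t in candidates if t not in credited]
        if fresh:
            credited.add(fresh[0])
            stats[f.cwe]["tp"] += 1
    for t in ground_truth:
        if t.cwe in stats and t not in credited:
            stats[t.cwe]["fn"] += 1
    for s in stats.values():
        seeded = s["tp"] + s["fn"]
        reported = s["tp"] + s["fp"]
        s["recall"] = s["tp"] / seeded if seeded else None
        s["precision"] = s["tp"] / reported if reported else None
    return stats

def scorecard(tool_results=TOOL_RESULTS, min_recall=1.0):
    """Spreadsheet-style yes/no per tool and CWE: True only if the tool found
    at least min_recall of the seeded instances in that category."""
    card = {}
    for tool, results in tool_results.items():
        stats = score_tool(results)
        card[tool] = {cwe: s["recall"] is not None and s["recall"] >= min_recall
                      for cwe, s in stats.items()}
    return card

if __name__ == "__main__":
    for tool, results in TOOL_RESULTS.items():
        print(tool)
        for cwe, s in score_tool(results).items():
            print(f"  {cwe:8} {CHECKLIST[cwe]:28} tp={s['tp']} fp={s['fp']} "
                  f"fn={s['fn']} recall={s['recall']} precision={s['precision']}")
    print(scorecard())
```

Recall per category is the "coverage" number a buyer actually wants from the vendor question Benoit describes, and precision is the cost of that coverage in triage time; a yes/no cell in the spreadsheet hides the second number, so keep both in the comparison and only collapse to yes/no when presenting to management.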