wasc-satec@lists.webappsec.org

WASC Static Analysis Tool Evaluation Criteria

My vote

Owasp Montreal
Sat, Aug 13, 2011 12:52 AM

Well, I totally agree with Mushtaq. Here is my vote with my opinion:

  1. Tool Setup and Installation [KEEP]
  2. Configuration and Project Setup [KEEP]
  3. Scan Coverage and Accuracy [EDIT] -> Should be split; coverage
    and accuracy are 2 main concerns, why join them? This will be a
    huge section...
  4. Triage and Remediation Process [KEEP]
  5. UI Simplicity and Intuitiveness [KEEP]
  6. Product Update Quality [KEEP]
  7. Product Maturity and Scalability [KEEP]
  8. Enterprise Offerings [KEEP, but I would merge it with #9; this is a
    very short section]
  9. Reporting Capabilities [KEEP]
  10. Tool Customization and Automation [KEEP]
  11. We still should add a non-technical section related to pricing;
    our guide would then be a one-stop shop, no need to create another
    checklist to add non-technical stuff (every business needs to think
    about pricing)

On Fri, Aug 12, 2011 at 4:13 PM, Mushtaq Ahmed
<mushtaq.ahmed78@gmail.com> wrote:

My vote with my two cents,

  1. Tool Setup and Installation  - KEEP

  2. Configuration and Project Setup  - KEEP

  3. Scan Coverage and Accuracy - KEEP (False positives and false negatives
    need to be detailed out. Further, this should be scanning the security issues
    based on the OWASP Top 10, SANS 20 and well-known industry standards.
    Where would PCI requirements fall? This section is the crux, I feel; having
    subdivisions would help)

  4. Triage and Remediation Process - KEEP

  5. UI Simplicity and Intuitiveness - KEEP

  6. Product Update Quality - KEEP

  7. Product Maturity and Scalability - KEEP

  8. Enterprise Offerings - KEEP

  9. Reporting Capabilities - KEEP

  10. Tool Customization and Automation - KEEP

Support needs to be considered as well; the solution might be an open source,
freeware or commercial product. In any case, support would make a
lot of sense to organizations whose primary business is not development and
where security is still a concern.
Should the solution be language specific (.NET, Java, etc.)? What happens to
legacy technology such as CICS, Tandem, etc.?

Regards,
Mushtaq


wasc-satec mailing list
wasc-satec@lists.webappsec.org
http://lists.webappsec.org/mailman/listinfo/wasc-satec_lists.webappsec.org