Well, I totally agree with Mushtaq. Here is my vote with my opinion:
1. Tool Setup and Installation [KEEP]
2. Configuration and Project Setup [KEEP]
3. Scan Coverage and Accuracy [EDIT] -> Should be split; coverage
and accuracy are 2 main concerns, so why join them? This will be a
huge section...
4. Triage and Remediation Process [KEEP]
5. UI Simplicity and Intuitiveness [KEEP]
6. Product Update Quality [KEEP]
7. Product Maturity and Scalability [KEEP]
8. Enterprise Offerings [KEEP, but I would merge it with #9; this is a
very short section]
9. Reporting Capabilities [KEEP]
10. Tool Customization and Automation [KEEP]
11. We still should add a non-technical section related to pricing;
our guide would then be a one-stop shop, with no need to create another
checklist to add non-technical stuff (every business needs to think
about pricing)
On Fri, Aug 12, 2011 at 4:13 PM, Mushtaq Ahmed
<mushtaq.ahmed78@gmail.com> wrote:
> My vote with my two cents,
>
> 1. Tool Setup and Installation - KEEP
>
> 2. Configuration and Project Setup - KEEP
>
> 3. Scan Coverage and Accuracy - KEEP (False positives and false negatives
> need to be detailed out. Further, this should be scanning for the security issues
> based on the OWASP Top 10, SANS 20 and well-known industrial standards.
> Where would PCI requirements fall? This section is the crux, I feel; having
> subdivisions would help)
>
> 4. Triage and Remediation Process - KEEP
>
> 5. UI Simplicity and Intuitiveness - KEEP
>
> 6. Product Update Quality - KEEP
>
> 7. Product Maturity and Scalability - KEEP
>
> 8. Enterprise Offerings - KEEP
>
> 9. Reporting Capabilities - KEEP
>
> 10. Tool Customization and Automation - KEEP
>
> Support needs to be considered as well; the solution might be an open source,
> freeware or commercial product. In any case, support would make a
> lot of sense to organizations whose primary business is not development and
> where security is still a concern.
> Should the solution be language-specific (.NET, Java, etc.)? What happens to
> legacy technology such as CICS, Tandem, etc.?
>
> Regards,
> Mushtaq
>
> _______________________________________________
> wasc-satec mailing list
> wasc-satec@lists.webappsec.org
> http://lists.webappsec.org/mailman/listinfo/wasc-satec_lists.webappsec.org