websecurity@lists.webappsec.org

The Web Security Mailing List


WASC Announcement: Static Analysis Technologies Evaluation Criteria Published

announcements@webappsec.org
Fri, May 10, 2013 6:17 PM

The Web Application Security Consortium (WASC) is pleased to announce the
Static Analysis Technologies Evaluation Criteria. The goal of the SATEC
project is to create a vendor-neutral set of criteria to help guide
application security professionals during the process of acquiring a
static code analysis technology that is intended to be used during
source-code driven security programs. This document provides a
comprehensive list of criteria that should be considered during the
evaluation process.

WASC Static Analysis Technologies Evaluation Criteria
http://projects.webappsec.org/Static%20Analysis%20Technologies%20Evaluation%20Criteria

Target Audience:
The target audience of this document is the technical staff of software
organizations who are looking to automate parts of their application
security assurance programs using one or more static code analysis
technologies, as well as application security professionals who are
responsible for performing application security reviews. The document will
take into consideration those who would be evaluating the technology and
those who would actually be using it.

Scope:
The purpose of this document is to develop a set of criteria that should
be taken into consideration while evaluating static code analysis tools or
services for security testing. The vendor-neutral criteria defined in this
document are selected using a consensus-driven review process comprised of
volunteer subject matter experts. Every organization is unique and has a
unique software development environment; this document aims to help
organizations achieve their application security goals through acquiring
the most suitable tool for their own unique environment. The document will
strictly stay away from evaluating or rating vendors. However, it will
focus on the most important aspects of static code analysis technologies
that would help the target audience identify the best technology for their
environment and development needs.

Contributors:

  • Aaron Weaver (Pearson Education)
  • Abraham Kang (HP Fortify)
  • Alec Shcherbakov (AsTech Consulting)
  • Alen Zukich (Klocwork)
  • Arthur Hicken (Parasoft)
  • Amit Finegold (Checkmarx)
  • Benoit Guerette (NorthSec)
  • Chris Eng (Veracode)
  • Chris Wysopal (Veracode)
  • Dan Cornell (Denim Group)
  • Daniel Medianero (Buguroo Offensive Security)
  • Dinis Cruz (SecurityInnovation)
  • Gamze Yurttutan
  • Herman Stevens
  • Janos Drencsan
  • James McGovern (HP)
  • Jean-Marc Atchison (Centauri Technologies)
  • Joe Hemler (Gotham Digital Science)
  • Jojo Maalouf (Hydro Ottawa)
  • Laurent Levi (Checkmarx)
  • Mushtaq Ahmed (Emirates Airlines)
  • Ory Segal (IBM)
  • Philippe Arteau
  • Sherif Koussa (Software Secured) [Project Leader]
  • Srikanth Ramu (University of British Columbia)
  • Romain Gaucher (Coverity)
  • Sneha Phadke (eBay)
  • Wagner Elias (Conviso)

Contact:
Participation in the Web Application Security Scanner Evaluation Criteria
project is open to all.  If you have any questions about the evaluation
criteria, please contact Sherif Koussa (sherif dot koussa at gmail dot com)

Regards,

- announcements () webappsec () org
http://www.webappsec.org/
The Web Application Security Consortium

Debasis Mohanty
Thu, May 16, 2013 1:41 AM

Good initiative! I feel one of the important elements that is missing is the
"scoring mechanism". Based on what would you distinguish one product from
the other?

I created similar evaluation criteria nearly 7-8 years back for evaluating
SCA products using a QFD. That was the time I was introduced to 6-sigma and
thought a QFD is the best approach to have appropriate scoring for various
pilot parameters. However, I never released it to the public. The reason was
that I wanted to make it a part of one of my secure SDLC initiatives called
(OSFSS) - www.coffeeandsecurity.com, which got delayed for several reasons.
Now that the cat is out, I have attached the one I prepared nearly 8 years
back. The document is not complete yet and if I get some time for it, I'll
try to complete it. But the document does cover various parameters based on
which an effective pilot could be done.

-d

-----Original Message-----
From: websecurity [mailto:websecurity-bounces@lists.webappsec.org] On Behalf
Of announcements@webappsec.org
Sent: 10 May 2013 23:47
To: websecurity@lists.webappsec.org
Subject: [WEB SECURITY] WASC Announcement: Static Analysis Technologies
Evaluation Criteria Published

