Sherif Koussa
Sat, Nov 10, 2012 2:18 AM
All,
Finally we have a draft ready. Before discussing next steps, I would like
to summarize what has been done during the last few months:
Summary of the last 9-10 Months:
- We agreed as a community on a set of categories and sub-categories that
represent the most important aspects of choosing a static code analysis
tool.
- The most essential lesson we learned during that phase is that we should
stay away from "relative" and "qualitative" criteria (e.g. number of false
positives, CPU usage, etc.) because it just does not give a deterministic
way for evaluators to evaluate the tool.
- I sent out a call asking for contributors who would like to author or
review content.
- Each author's work passed through 2-4 rounds of review.
- Finally, I took all the work and merged it together into one document
(partially here http://projects.webappsec.org/w/page/55204553/SATEC%20First%20Draft)
- Since the document was authored by more than one person, I had to revise
this document more than once, in order to come up with a consistent and
homogeneous document.
Please Notice:
- There were some areas where I had to trim down because they were too
detailed, while there were other areas that I had to flesh out a bit since
they were too thin.
- I had to merge a couple of criteria because, after merging the whole
document, they didn't stand up as a category or a sub-category on their own
(e.g. Mobile Frameworks).
- Most of the changes were done so that the document would look consistent
and homogeneous as a whole. If you wrote or reviewed a criterion and you
think it is totally different than what it is today, please contact me
directly.
What Now? Your feedback is much NEEDED
It is VERY important that:
- You review the document and make sure that it is accurate, contains no
misleading information, and is not biased to a certain product.
- It is free of grammar/spelling/ambiguous issues.
- If you were an author and you used any references, it is very important
that you send them to me.
Timeline:
We have 14 days till November 23rd to get all feedback. On November
26th we have to start rolling out the document for general availability.
The Draft:
You can find the draft here: http://projects.webappsec.org/w/page/60671848/SATEC%20Second%20Draft
Looking forward to your feedback.
Regards,
Sherif
McGovern, James
Sun, Nov 11, 2012 12:07 AM
Several thoughts:
- The document can benefit from having the first section contain an overview of what exactly static analysis is, why it is beneficial, the types of problems it is useful for, and when other methods may be better.
- Credibility is increased when the names of the people who participated in the creation and review are included.
- Can we assume that this will, in its final release, be published under Creative Commons?
- 7.5 Licensing Scheme: "Static Code Analysis varies in their licensing schemes." Should be "static analysis tools varies in their approach to licensing".
- Should we mention deployment models such as installed in-house vs SaaS?
- In 3.5, we should include the ability to detect issues with encryption/hashing/etc.
> From: wasc-satec [mailto:wasc-satec-bounces@lists.webappsec.org] On Behalf Of Sherif Koussa
> Sent: Friday, November 09, 2012 9:19 PM
> To: wasc-satec@lists.webappsec.org
> Subject: [WASC-SATEC] SATEC Draft is Ready
> [...]
Sherif Koussa
Sun, Nov 11, 2012 12:29 AM
James,
Please find my replies inline.
Regards,
Sherif
On Sat, Nov 10, 2012 at 7:07 PM, McGovern, James <james.mcgovern@hp.com> wrote:
> Several thoughts:
>
> - The document can benefit from having the first section contain
> an overview of what exactly static analysis is, why it is beneficial, the
> types of problems it is useful for, and when other methods may be better.
>
Sherif: Yup, makes sense.
> - Credibility is increased when the names of the people who
> participated in the creation and review are included.
>
Sherif: Absolutely, I was just waiting until we are done with this round of
review.
> - Can we assume that this will, in its final release, be
> published under Creative Commons?
>
Sherif: I believe WASC releases all their projects under CC.
> - 7.5 Licensing Scheme: "Static Code Analysis varies in
> their licensing schemes." Should be "static analysis tools varies in their
> approach to licensing".
>
Sherif: Will fix that.
> - Should we mention deployment models such as installed
> in-house vs SaaS?
>
Sherif: I feel that the SaaS tools are more than just a deployment model.
I am not sure where exactly it falls. I almost feel like it might just
belong in an evaluation spreadsheet (if/when we do one), and then a bunch of
criteria just do not apply under the SaaS column. What do you think?
> - In 3.5, we should include the ability to detect issues with
> encryption/hashing/etc.
>
Sherif: Yup, absolutely.
> [...]
McGovern, James
Sun, Nov 11, 2012 9:32 PM
2.2 minor: font size changes throughout doc.
3.4 Scan configuration capabilities: this includes:
Search for "Ability to mark findings as false positives, and remove them from the report".
Think we left out the ability to classify an "app" such as mission-critical, financial, internet-facing, who cares, etc. More of a user-defined taxonomy.
Romain Gaucher
Mon, Nov 12, 2012 4:01 AM
Hi Sherif,
Do you have a clear statement of what the document is supposed to address?
I believe I understand what it is ("general criteria to be aware of when
evaluating source code static analysis for web security"), but I want to
make sure I'm on the right track before submitting comments.
Also, as James pointed out, the list of contributors is important to have,
even at this review stage.
Cheers,
Romain
On Fri, Nov 9, 2012 at 6:18 PM, Sherif Koussa <sherif.koussa@gmail.com> wrote:
> [...]
> _______________________________________________
> wasc-satec mailing list
> wasc-satec@lists.webappsec.org
> http://lists.webappsec.org/mailman/listinfo/wasc-satec_lists.webappsec.org
SK
Sherif Koussa
Mon, Nov 12, 2012 3:08 PM
Yup, will fix that.
On Sun, Nov 11, 2012 at 4:32 PM, McGovern, James <james.mcgovern@hp.com> wrote:
> 2.2 minor: font size changes throughout doc
>
> *3.4 Scan configuration capabilities: this includes:*
>
> Search for “Ability to mark findings as false positives, and remove them
> from the report”
>
> Think we left out the ability to classify an “app” such as
> mission-critical, financial, internet-facing, who cares, etc. More of a
> user-defined taxonomy
>
> *From:* wasc-satec [mailto:wasc-satec-bounces@lists.webappsec.org] *On
> Behalf Of* Sherif Koussa
> *Sent:* Friday, November 09, 2012 9:19 PM
> *To:* wasc-satec@lists.webappsec.org
> *Subject:* [WASC-SATEC] SATEC Draft is Ready
SK
Sherif Koussa
Mon, Nov 12, 2012 3:08 PM
Romain,
Your assumption is correct, more information here
http://projects.webappsec.org/w/page/41188978/Static%20Analysis%20Tool%20Evaluation%20Criteria
Regards,
Sherif
On Sun, Nov 11, 2012 at 11:01 PM, Romain Gaucher <romain@webappsec.org> wrote:
> Hi Sherif,
> Do you have a clear statement of what the document is supposed to address?
> I believe I understand what it is ("general criteria to be aware of when
> evaluating source code static analysis for web security"), but I want to
> make sure I'm on the right track before submitting comments.
>
> Also, as James pointed out, the list of contributors is important to have,
> even at this review stage.
>
> Cheers,
> Romain
AZ
Alen Zukich
Tue, Nov 13, 2012 4:32 AM
Still going through this but wanted to point out one thing. I noticed in a couple of spots it says either "SANS 25" or "SANS Top 20". Should it be "CWE/SANS Top 25" (http://www.sans.org/top25-software-errors/)?
Technically speaking there is a SANS Top 20 which is quite old. Just trying to understand what is meant with both references. Note: links would be nice as well.
Alen
From: wasc-satec [mailto:wasc-satec-bounces@lists.webappsec.org] On Behalf Of Sherif Koussa
Sent: November-09-12 9:19 PM
To: wasc-satec@lists.webappsec.org
Subject: [WASC-SATEC] SATEC Draft is Ready
AS
Alec Shcherbakov
Tue, Nov 13, 2012 7:12 PM
Also, the font size used for the content text is too small. For consistency
and easier reading I would use the same font size as the other projects have
used before, e.g.
http://projects.webappsec.org/w/page/13246985/Web%20Application%20Firewall%20Evaluation%20Criteria
Alec Shcherbakov
The information in this email is intended for the addressee. Any other
use of this information is unauthorized and prohibited.
From: wasc-satec [mailto:wasc-satec-bounces@lists.webappsec.org] On Behalf Of McGovern, James
Sent: Sunday, November 11, 2012 1:33 PM
To: Sherif Koussa; wasc-satec@lists.webappsec.org
Subject: Re: [WASC-SATEC] SATEC Draft is Ready
2.2 minor: font size changes throughout doc
3.4 Scan configuration capabilities: this includes:
Search for “Ability to mark findings as false positives, and remove them
from the report”
Think we left out the ability to classify an “app” such as
mission-critical, financial, internet-facing, who cares, etc. More of a
user-defined taxonomy
SK
Sherif Koussa
Thu, Nov 15, 2012 2:35 AM
Great feedback everyone, keep it coming :)
Regards,
Sherif
On Tue, Nov 13, 2012 at 2:12 PM, Alec Shcherbakov <alec.shcherbakov@astechconsulting.com> wrote:
> Also, the font size used for the content text is too small. For
> consistency and easier reading I would use the same font size as the other
> projects have used before, e.g.
> http://projects.webappsec.org/w/page/13246985/Web%20Application%20Firewall%20Evaluation%20Criteria