Hi All,
I would like to welcome each and every one of you to the project. IMHO, this
ought to be the missing link the market really needs to start adopting
static code analysis tools and be able to choose the right tool for their
needs.
That being said, I am proposing to add the word "Standard" to the project
name. I believe WASC is situated to position the output of this project to
be the standard companies refer to for SATs evaluation; the word "Standard",
in my opinion, positions the project as such.
Thoughts?
Regards,
Sherif
The word "standard" is pretty dangerous I believe. None of the other
evaluation projects from WASC have this word, and honestly, we don't
create a standard, just guidelines.
I would just leave the "standard" for NIST et al.
Romain
On Thu, Jul 7, 2011 at 11:28 AM, Sherif Koussa sherif.koussa@gmail.com wrote:
Hi All,
I would like to welcome each and every one of you to the project. IMHO, this
ought to be the missing link the market really needs to start adopting
static code analysis tools and be able to choose the right tool for their
needs.
That being said, I am proposing to add the word "Standard" to the project
name. I believe WASC is situated to position the output of this project to
be the standard companies refer to for SATs evaluation; the word "Standard",
in my opinion, positions the project as such.
Thoughts?
Regards,
Sherif
wasc-satec mailing list
wasc-satec@lists.webappsec.org
http://lists.webappsec.org/mailman/listinfo/wasc-satec_lists.webappsec.org
On Thu, Jul 7, 2011 at 8:28 AM, Sherif Koussa sherif.koussa@gmail.com wrote:
I would like to welcome each and every one of you to the project. IMHO, this
ought to be the missing link the market really needs to start adopting
static code analysis tools and be able to choose the right tool for their
needs.
What do you mean by "the market really needs to start adopting static
code analysis tools"?
In this context, who is "the market" and why do they "really need to"
do anything, let alone "start adopting static code analysis tools"?
That being said, I am proposing to add the word "Standard" to the project
name. I believe WASC is situated to position the output of this project to
be the standard companies refer to for SATs evaluation; the word "Standard",
in my opinion, positions the project as such.
No thanks. It's an evaluation criteria and will probably have a "done
date" that will be technically inaccurate the minute WASC finishes and
publishes it.
Romain,
Good point.
Regards,
Sherif
On Thu, Jul 7, 2011 at 11:49 AM, Romain Gaucher romain@webappsec.org wrote:
The word "standard" is pretty dangerous I believe. None of the other
evaluation projects from WASC have this word, and honestly, we don't
create a standard, just guidelines.
I would just leave the "standard" for NIST et al.
Romain
On Thu, Jul 7, 2011 at 11:28 AM, Sherif Koussa sherif.koussa@gmail.com
wrote:
Hi All,
I would like to welcome each and every one of you to the project. IMHO, this
ought to be the missing link the market really needs to start adopting
static code analysis tools and be able to choose the right tool for their
needs.
That being said, I am proposing to add the word "Standard" to the project
name. I believe WASC is situated to position the output of this project to
be the standard companies refer to for SATs evaluation; the word "Standard",
in my opinion, positions the project as such.
Thoughts?
Regards,
Sherif
I agree with Romain's comments.
Regards,
On Thu, 7 Jul 2011, Sherif Koussa wrote:
Romain,
Good point.
Regards,
Sherif
On Thu, Jul 7, 2011 at 11:49 AM, Romain Gaucher romain@webappsec.org wrote:
The word "standard" is pretty dangerous I believe. None of the other
evaluation projects from WASC have this word, and honestly, we don't
create a standard, just guidelines.
I would just leave the "standard" for NIST et al.
Romain
On Thu, Jul 7, 2011 at 11:28 AM, Sherif Koussa sherif.koussa@gmail.com
wrote:
Hi All,
I would like to welcome each and every one of you to the project. IMHO, this
ought to be the missing link the market really needs to start adopting
static code analysis tools and be able to choose the right tool for their
needs.
That being said, I am proposing to add the word "Standard" to the project
name. I believe WASC is situated to position the output of this project to
be the standard companies refer to for SATs evaluation; the word "Standard",
in my opinion, positions the project as such.
Thoughts?
Regards,
Sherif
On Thu, Jul 7, 2011 at 11:50 AM, Andre Gironda andreg@gmail.com wrote:
On Thu, Jul 7, 2011 at 8:28 AM, Sherif Koussa sherif.koussa@gmail.com
wrote:
I would like to welcome each and every one of you to the project. IMHO, this
ought to be the missing link the market really needs to start adopting
static code analysis tools and be able to choose the right tool for their
needs.
What do you mean by "the market really needs to start adopting static
code analysis tools"?
I deal with software organizations on a daily basis; security in general is
not part of their day-to-day activities to start with, let alone static code
analysis. When they start looking at security, they are bombarded with so
many directions they could take: WAFs, DASTs, SASTs and many others.
Choosing a tool to work with is a big thing for them, i.e. a big investment
in time and money.
I see the SATEC project as a tool to help them choose and also help them see
what other factors should be looked at.
In this context, who is "the market" and why do they "really need to"
do anything, let alone "start adopting static code analysis tools"?
That being said, I am proposing to add the word "Standard" to the project
name. I believe WASC is situated to position the output of this project
to
be the standard companies refer to for SATs evaluation, the word
"Standard"
in my opinion position the project as so.
No thanks. It's an evaluation criteria and will probably have a "done
date" that will be technically inaccurate the minute WASC finishes and
publishes it.
I am not sure I get you here Andre. Why wouldn't it be technically
inaccurate? The criteria among which the tools should be evaluated shouldn't
change after the project is done unless there is a breakthrough in the
technology used in these tools or something else of that magnitude. Even
then, we can choose to alter the criteria, no?
Regards,
Sherif
On Thu, Jul 7, 2011 at 9:12 AM, Sherif Koussa sherif.koussa@gmail.com wrote:
What do you mean by "the market really needs to start adopting static
code analysis tools"?
I deal with software organizations on a daily basis; security in general is
not part of their day-to-day activities to start with, let alone static code
analysis. When they start looking at security, they are bombarded with so
many directions they could take: WAFs, DASTs, SASTs and many others.
Yeah, I'd suggest "others".
Choosing a tool to work with is a big thing for them, i.e. a big investment
in time and money.
I see the SATEC project as a tool to help them choose and also help them see
what other factors should be looked at.
In this case, you are speaking to "them" as software organizations.
But organizations don't run tools, people do. Who do you see as
driving the tool, installing the tool, maintaining the tool? One
person in the organization? Multiple people? What's the workflow like?
What's the output? What are the advantages and disadvantages?
No thanks. It's an evaluation criteria and will probably have a "done
date" that will be technically inaccurate the minute WASC finishes and
publishes it.
I am not sure I get you here Andre. Why wouldn't it be technically
inaccurate? The criteria among which the tools should be evaluated shouldn't
change after the project is done unless there is a breakthrough in the
technology used in these tools or something else of that magnitude. Even
then, we can choose to alter the criteria, no?
If you look at the other WASC projects, they are usually of very low
quality and have not been updated to modern needs. Take the WAFEC or
WASSEC projects as direct correlation to the problem we're facing with
this project.
This is just my opinion though and obviously others have their own opinions.
Cheers,
Andre
which the tools should be evaluated shouldn't change after the project is
done unless there is a breakthrough in the technology used in these tools or
something else of that magnitude. Even then, we can choose to alter the
criteria, no?
If you look at the other WASC projects, they are usually of very low
quality and have not been updated to modern needs. Take the WAFEC or
I'd have to agree and disagree. I'd disagree that WASC projects are of low
quality (feel free to ping me directly if you have specific concerns), but
I'd agree that some do need updating (WAFEC and WASSEC). Given that we are
discussing this new project we should hash out concerns related to it.
WASSEC projects as direct correlation to the problem we're facing with
this project.
Like any technical project it will have multiple versions and will need to
be updated, otherwise it could lag behind. I think that we're getting
ahead of ourselves at this stage talking about the next version, when we
should really be focusing on this version's goals/scope/content.
Regards,
Andre - WASSEC is still very relevant.
If it is missing contents or obsolete, why don't you update it?
Ory Segal
Security Products Architect
AppScan Product Manager
Rational, Application Security
IBM Corporation
Tel: +972-9-962-9836
Mobile: +972-54-773-9359
e-mail: segalory@il.ibm.com
From: Andre Gironda andreg@gmail.com
To: Sherif Koussa sherif.koussa@gmail.com
Cc: wasc-satec@lists.webappsec.org
Date: 07/07/2011 07:17 PM
Subject: Re: [WASC-SATEC] Name Change - Adding the word Standard
Sent by: wasc-satec-bounces@lists.webappsec.org
On Thu, Jul 7, 2011 at 9:12 AM, Sherif Koussa sherif.koussa@gmail.com
wrote:
What do you mean by "the market really needs to start adopting static
code analysis tools"?
I deal with software organizations on a daily basis; security in general is
not part of their day-to-day activities to start with, let alone static code
analysis. When they start looking at security, they are bombarded with so
many directions they could take: WAFs, DASTs, SASTs and many others.
Yeah, I'd suggest "others".
Choosing a tool to work with is a big thing for them, i.e. a big investment
in time and money.
I see the SATEC project as a tool to help them choose and also help them see
what other factors should be looked at.
In this case, you are speaking to "them" as software organizations.
But organizations don't run tools, people do. Who do you see as
driving the tool, installing the tool, maintaining the tool? One
person in the organization? Multiple people? What's the workflow like?
What's the output? What are the advantages and disadvantages?
No thanks. It's an evaluation criteria and will probably have a "done
date" that will be technically inaccurate the minute WASC finishes and
publishes it.
I am not sure I get you here Andre. Why wouldn't it be technically
inaccurate? The criteria among which the tools should be evaluated shouldn't
change after the project is done unless there is a breakthrough in the
technology used in these tools or something else of that magnitude. Even
then, we can choose to alter the criteria, no?
If you look at the other WASC projects, they are usually of very low
quality and have not been updated to modern needs. Take the WAFEC or
WASSEC projects as direct correlation to the problem we're facing with
this project.
This is just my opinion though and obviously others have their own
opinions.
Cheers,
Andre
On Thu, Jul 7, 2011 at 9:36 AM, Ory Segal SEGALORY@il.ibm.com wrote:
Andre - WASSEC is still very relevant.
If it is missing contents or obsolete, why don't you update it?
I don't want to get in an argument but I think I got into many
arguments about DAST and SAST technology during the WASSEC email
discussions.
It mostly has to do with how these tools are designed and how they
work. I'm seeing increasing errors with regards to these tools over
time and certainly we all know how to break them. The fundamental
concepts are therefore also broken.
-Andre