wasc-satec@lists.webappsec.org

WASC Static Analysis Tool Evaluation Criteria


Name Change - Adding the word Standard

RA
Robert A.
Thu, Jul 7, 2011 4:52 PM

> On Thu, Jul 7, 2011 at 9:36 AM, Ory Segal <SEGALORY@il.ibm.com> wrote:
>> Andre - WASSEC is still very relevant.
>>
>> If it is missing contents or obsolete, why don't you update it?
>
> I don't want to get in an argument but I think I got into many
> arguments about DAST and SAST technology during the WASSEC email
> discussions.

I think Ory was just looking for clarification on your 'complaints'. As he
mentioned projects are open to all, if you don't like something then you
can stand up and 'fix' it. Please ping me offline about anything
unrelated to this project and I'll put you in touch with the right folks
to make this happen.

> It mostly has to do with how these tools are designed and how they
> work. I'm seeing increasing errors with regards to these tools over
> time and certainly we all know how to break them. The fundamental
> concepts are therefore also broken.

I think concerns over badly implemented tools, and a lack of understanding
on limitations is certainly valid and something to have in our thoughts.

With that said, we'd love to have you contribute in a constructive
manner as you have experience in this space, and can bring insight into
limitations that is extremely valuable. I'm asking that we try to stay
on topic to SAST specifically as that is the purpose of this project.

Regards,

- Robert
OS
Ory Segal
Thu, Jul 7, 2011 5:01 PM

Why do you even join these mailing lists and project in the first place?

From:    Andre Gironda <andreg@gmail.com>
To:      Ory Segal/Haifa/IBM@IBMIL
Cc:      Sherif Koussa <sherif.koussa@gmail.com>, wasc-satec@lists.webappsec.org
Date:    07/07/2011 07:42 PM
Subject: Re: [WASC-SATEC] Name Change - Adding the word Standard

On Thu, Jul 7, 2011 at 9:36 AM, Ory Segal <SEGALORY@il.ibm.com> wrote:
> Andre - WASSEC is still very relevant.
>
> If it is missing contents or obsolete, why don't you update it?

I don't want to get in an argument but I think I got into many
arguments about DAST and SAST technology during the WASSEC email
discussions.

It mostly has to do with how these tools are designed and how they
work. I'm seeing increasing errors with regards to these tools over
time and certainly we all know how to break them. The fundamental
concepts are therefore also broken.

-Andre

AG
Andre Gironda
Thu, Jul 7, 2011 5:07 PM

On Thu, Jul 7, 2011 at 10:01 AM, Ory Segal <SEGALORY@il.ibm.com> wrote:
> Why do you even join these mailing lists and project in the first place?

I just like to see quality work. Eventually someone I work with will
reference these documents and I consider this pre-planning for the
fallout.

Perhaps some of the WASC project team members don't always realize
that people can use your documents to justify all sorts of bad
decision-making actions.

RA
Robert A.
Thu, Jul 7, 2011 5:27 PM

>> Why do you even join these mailing lists and project in the first place?
>
> I just like to see quality work. Eventually someone I work with will
> reference these documents and I consider this pre-planning for the
> fallout.

We all do and your intentional derailing of the conversation into
unconstructive rants isn't helping. We have created an open forum to
discuss SAST tools and ensure that anyone who wants to participate can, and that
ALL valid concerns be taken seriously.

I'm going to ask respectfully that if you cannot participate in a
respectful, constructive manner, that you please remove yourself from
participating in this project.

Now, can we please get back to discussing this project? :)

Regards,

- Robert
SR
Srikanth Ramu
Thu, Jul 7, 2011 10:36 PM

Hi All,

Regarding the wording, I agree with Romain on having it as Guidelines
rather than having it as Standard.

As in every project, we (as being a part of this project) have to revisit
the relevance of the document in a scheduled (timely) manner. We could set up a
notification mechanism to all the group members once a year for a review
of the documents. This could be done besides volunteer contributions.

Cheers,
Srikanth

On Thu, Jul 7, 2011 at 10:27 AM, Robert A. <robert@webappsec.org> wrote:
>>> Why do you even join these mailing lists and project in the first place?
>>
>> I just like to see quality work. Eventually someone I work with will
>> reference these documents and I consider this pre-planning for the
>> fallout.
>
> We all do and your intentional derailing of the conversation into
> unconstructive rants isn't helping. We have created an open forum to discuss
> SAST tools and ensure that anyone who wants to participate can, and that ALL
> valid concerns be taken seriously.
>
> I'm going to ask respectfully that if you cannot participate in a
> respectful, constructive manner, that you please remove yourself from
> participating in this project.
>
> Now, can we please get back to discussing this project? :)
>
> Regards,
> - Robert
>
> _______________________________________________
> wasc-satec mailing list
> wasc-satec@lists.webappsec.org
> http://lists.webappsec.org/mailman/listinfo/wasc-satec_lists.webappsec.org
