All,
As you might be aware we have been collecting feedback from vendors. One of
the comments that came from the SaaS based vendors was that the document
was so biased to the desktop-based tools. One of their suggestions was to
use the word "analyzer" as an alternative to the word "tool" throughout
the document.
Dinis Cruz had a different yet valid point which is: the word "tool" is
kinda more fundamental to the document since the name of the project is:
"Static Analysis *Tools* Evaluation Criteria".
That being said, I believe the SaaS based part of SCA is an important part
that should be included in the document. However, to Dinis' point, I am
proposing changing the name to:
Static Analysis Technologies Evaluation Criteria.
Benefits:
1- The word Technologies is more accurate and more inclusive.
2- Could represent a desktop-based tool or a SaaS based service
3- Enables us to still keep using the SATEC as a name.
Thoughts?
Regards,
Sherif
Some vendors provide their offering ONLY via SaaS while others provide it via both means. Is this criteria that we should consider?
From: wasc-satec [mailto:wasc-satec-bounces@lists.webappsec.org] On Behalf Of Sherif Koussa
Sent: Tuesday, April 02, 2013 4:16 PM
To: wasc-satec@lists.webappsec.org
Subject: [WASC-SATEC] Name Change
All,
As you might be aware we have been collecting feedback from vendors. One of the comments that came from the SaaS based vendors was that the document was so biased to the desktop-based tools. One of their suggestions was to use the word "analyzer" as an alternative to the word "tool" throughout the document.
Dinis Cruz had a different yet valid point which is: the word "tool" is kinda more fundamental to the document since the name of the project is: "Static Analysis Tools Evaluation Criteria".
That being said, I believe the SaaS based part of SCA is an important part that should be included in the document. However, to Dinis' point, I am proposing changing the name to:
Static Analysis Technologies Evaluation Criteria.
Benefits:
1- The word Technologies is more accurate and more inclusive.
2- Could represent a desktop-based tool or a SaaS based service
3- Enables us to still keep using the SATEC as a name.
Thoughts?
Regards,
Sherif
So as far as we are concerned, we are balancing the document to include
SaaS technologies whether it comes from vendors who offer Desktop as well
or not.
Sherif
On Tue, Apr 2, 2013 at 4:21 PM, McGovern, James <james.mcgovern@hp.com> wrote:
Some vendors provide their offering ONLY via SaaS while others provide
it via both means. Is this criteria that we should consider?
Sounds like a good choice. While “analyzer” is more generic compared to
“tool”, it still sounds limited as it emphasizes the scanning part. It
is true that the scanning is the core task, but the tools offer much more.
I would use “technologies”.
Alec Shcherbakov
Hi All,
So I have changed the name to Static Analysis Technologies Evaluation
Criteria (yet to change the name of the page)
The word "tool" will refer to desktop-based analyzers
The word "service" will refer to SaaS-based analyzers
The word "Technology" will refer to both types.
I created Section 1.1 Deployment Model (below) to explain these naming
conventions clearly to the evaluator.
*1.1 Deployment Model:*
Vendors deliver static code analysis technologies through one or both of
the following models:
- Desktop Technologies: the vendor delivers the software as a package to
their users; the package is installed locally inside the user's premises on
one or more machines.
- Software-as-a-Service Technologies: Users submit their applications'
source code or binaries to the vendor, where they get scanned and the final
results are delivered back to the users.
This document will refer to Desktop-based static code analysis
technologies as "tools" and will refer to SaaS-based static code analysis
technologies as "services". The document could use the term "technology" to
reference both desktop-based tools and SaaS-based services.
I have also changed the rest of the document to replace the word "analyzer"
with either "tools" or "services" depending on the appropriateness of the
section. e.g. for Signature Customization (where this is something that is
not currently attainable using SaaS based tools) I used the word "tool"
only but for sections that could apply to both desktop technologies or SaaS
technologies I used: "tools or services".
Please review section 1.1 and the rest of the document for proper usage of
the terms "tool", "service" and "technology".
Regards,
Sherif
On Tue, Apr 2, 2013 at 4:48 PM, Alec Shcherbakov <
alec.shcherbakov@astechconsulting.com> wrote:
Sounds like a good choice. While “analyzer” is more generic compared to
“tool”, it still sounds limited as it emphasizes the scanning part. It
is true that the scanning is the core task, but the tools offer much more.
I would use “technologies”.
Alec Shcherbakov
All,
Feedback on the changes below is open till April 20th, after which we
will start the countdown to document release.
Regards,
Sherif
---------- Forwarded message ----------
From: Sherif Koussa <sherif.koussa@gmail.com>
Date: Sat, Apr 13, 2013 at 7:56 PM
Subject: Re: [WASC-SATEC] Name Change
To: Alec Shcherbakov <alec.shcherbakov@astechconsulting.com>
Cc: "wasc-satec@lists.webappsec.org" <wasc-satec@lists.webappsec.org>