Penetration Testing
WASC Announcement: Static Analysis Technologies Evaluation Criteria Published May 10 2013 06:25PM
announcements (at) webappsec (dot) org (1 reply)
RE: WASC Announcement: Static Analysis Technologies Evaluation Criteria Published May 16 2013 04:30PM
Debasis Mohanty (dm.mailinglists (at) gmail (dot) com)
Good initiative! I feel one of the important elements that is missing is the
"scoring mechanism". Based on what would you distinguish one product from
the other?

I created similar evaluation criteria nearly 7-8 years back for evaluating
SCA products using a QFD. That was the time I was introduced to Six Sigma and
thought a QFD was the best approach to have appropriate scoring for various
pilot parameters. However, I never released it to the public. The reason was
that I wanted to make it a part of one of my secure SDLC initiatives, called
OSFSS, which got delayed for several reasons.
Now since the cat is out, here is the SCA Pilot QFD. The
document is not complete yet and needs to be updated. But the document does
cover various parameters based on which an effective pilot could be done.


-----Original Message-----
From: listbounce (at) securityfocus (dot) com On
Behalf Of announcements (at) webappsec (dot) org
Sent: 10 May 2013 23:56
To: pen-test (at) securityfocus (dot) com
Subject: WASC Announcement: Static Analysis Technologies Evaluation Criteria

The Web Application Security Consortium (WASC) is pleased to announce the
Static Analysis Technologies Evaluation Criteria. The goal of the SATEC
project is to create a vendor-neutral set of criteria to help guide
application security professionals during the process of acquiring a static
code analysis technology that is intended to be used during source-code
driven security programs. This document provides a comprehensive list of
criteria that should be considered during the evaluation process.

WASC Static Analysis Technologies Evaluation Criteria



Copyright 2010, SecurityFocus