[Owasp-bayarea] anyone got an app sec questionnaire webapp?

Alec Shcherbakov alec.shcherbakov at astechconsulting.com
Tue Jul 31 23:56:46 UTC 2012


A simple survey format may not work if you need more than just
yes/no/fill-in types of questions. In some cases network and architecture
diagrams are necessary as well as additional documentation. Information
sensitivity is also an important factor to consider, especially when you
review an app written by a 3rd party. A web app in this case would have to be
protected by a reliable authentication mechanism.

Given the sensitivity of information normally requested for code reviews I
tend to think a Word/Excel document is a much simpler way. I'm
not saying the web app is not a feasible solution, it's just not as simple
as it appears if you really consider all related issues.



Alec Shcherbakov
AsTech Consulting


-----Original Message-----
From: owasp-bayarea-bounces at lists.owasp.org
[mailto:owasp-bayarea-bounces at lists.owasp.org] On Behalf Of Arshad Noor
Sent: Tuesday, July 31, 2012 4:28 PM
To: owasp-bayarea at lists.owasp.org
Subject: Re: [Owasp-bayarea] anyone got an app sec questionnaire webapp?

You could also use Survey Monkey's free surveys (up to 10 questions) to
qualify the application; if it deserves more questions, then you can sign
up for their service.  Would be faster than building an app for this, IMO.

Arshad Noor
StrongAuth, Inc.

On 07/31/2012 04:07 PM, travis+ml-owasp-bayarea at subspacefield.org wrote:
> So suppose you are in software security for a big organization.
>
> You have multiple apps coming in for review and need to decide which
> deserve attention, and how much, and in what areas.
>
> You'd normally have many questions you'd ask to decide how much
> attention it takes, some of which you don't need to ask, depending on
> the application - for example, a mobile app developed by third parties
> has different questions than an intranet app developed in-house.
>
> So, if you dump hundreds of questions on devs, they freak out and may
> not complete it.
>
> So in the interest of effort reduction, it seems like this could be an
> interactive, "wizard"-type questionnaire.
>
> Obviously, it could be relatively easy to implement as a web app that
> spits out a report, but isn't too intimidating for devs since it's
> interactive and smart about which questions it skips.
>
> So, is there anything like this out there?
>
> If not, is there anyone interested in doing it as an open-source
> application?  Seems like it should be pretty easy to knock out if you
> pick the right tools for the job.
>
>
>
> _______________________________________________
> Owasp-bayarea mailing list
> Owasp-bayarea at lists.owasp.org
> https://lists.owasp.org/mailman/listinfo/owasp-bayarea


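Added example (editor's code, not from this thread or any of the posters): a minimal version of the branching intake questionnaire the original post describes. Each question carries a predicate over the answers collected so far, so a mobile third-party app and an in-house intranet app see different question sets, and the result is a short triage report rather than a raw answer dump. The question set, skip rules, weights and tier thresholds are invented for illustration; answers come from a dict so the code runs offline, where a real wizard would prompt a developer interactively.

```python
"""Branching app-sec intake questionnaire (hypothetical example).

Questions are asked in order, but each one is skipped unless its `when`
predicate holds on the answers given so far. Weights per choice feed a
risk score that maps to a review tier. All questions and numbers below
are constructed for illustration, not a recommended scoring model.
"""

from dataclasses import dataclass, field
from typing import Callable, Dict, List

Answers = Dict[str, str]


def always(_: Answers) -> bool:
    """Default predicate: the question applies to every application."""
    return True


@dataclass
class Question:
    key: str
    text: str
    choices: List[str]
    weight: Dict[str, int] = field(default_factory=dict)   # score per choice
    when: Callable[[Answers], bool] = always               # skip logic


# Constructed question set. Predicates only look at earlier answers, so a
# question that was skipped simply reads as absent (dict.get -> None).
QUESTIONS: List[Question] = [
    Question("platform", "Application type?", ["web", "mobile", "intranet"],
             {"web": 3, "mobile": 3, "intranet": 1}),
    Question("developer", "Who develops it?", ["in-house", "third-party"],
             {"in-house": 0, "third-party": 2}),
    Question("internet_facing", "Reachable from the Internet?", ["yes", "no"],
             {"yes": 3, "no": 0},
             when=lambda a: a.get("platform") != "intranet"),
    Question("data", "Most sensitive data handled?",
             ["public", "pii", "financial"],
             {"public": 0, "pii": 3, "financial": 4}),
    Question("auth", "Authentication mechanism?",
             ["sso", "local-passwords", "none"],
             {"sso": 0, "local-passwords": 2, "none": 4},
             when=lambda a: a.get("data") != "public"),
    Question("store_creds", "Does the mobile client store credentials on device?",
             ["yes", "no"], {"yes": 3, "no": 0},
             when=lambda a: a.get("platform") == "mobile"),
    Question("source_access", "Can we get source code for review?", ["yes", "no"],
             {"yes": 0, "no": 2},
             when=lambda a: a.get("developer") == "third-party"),
]


def run_questionnaire(questions: List[Question], answers: Answers) -> List[str]:
    """Return the keys of the questions that actually apply, in order.

    A missing or out-of-range answer raises instead of being ignored, so a
    malformed submission cannot quietly score as low risk.
    """
    asked: List[str] = []
    seen: Answers = {}
    for q in questions:
        if not q.when(seen):
            continue                       # skipped for this application
        if q.key not in answers:
            raise ValueError(f"missing answer for {q.key!r}: {q.text}")
        if answers[q.key] not in q.choices:
            raise ValueError(f"invalid answer {answers[q.key]!r} for {q.key!r}")
        seen[q.key] = answers[q.key]
        asked.append(q.key)
    return asked


def triage_tier(score: int) -> str:
    """Map a score to a review tier (thresholds are illustrative)."""
    if score >= 12:
        return "full review"
    if score >= 6:
        return "targeted review"
    return "self-assessment"


def build_report(questions: List[Question], answers: Answers) -> dict:
    """Run the wizard over `answers` and return the triage summary."""
    asked = run_questionnaire(questions, answers)
    by_key = {q.key: q for q in questions}
    score = sum(by_key[k].weight.get(answers[k], 0) for k in asked)
    return {
        "asked": asked,
        "skipped": [q.key for q in questions if q.key not in asked],
        "score": score,
        "tier": triage_tier(score),
    }


if __name__ == "__main__":
    # Constructed submission: an Internet-facing third-party mobile app
    sample = {"platform": "mobile", "developer": "third-party",
              "internet_facing": "yes", "data": "pii",
              "auth": "local-passwords", "store_creds": "yes",
              "source_access": "no"}
    print(build_report(QUESTIONS, sample))
```

Two design points worth keeping if this grows into a real tool: predicates should only reference questions that come earlier in the list (otherwise the skip logic becomes order-dependent in surprising ways), and validation should reject rather than default a missing answer, since the whole point of the score is to decide who gets a reviewer's time.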