[Owasp-board] [Owasp-leaders] Static Analysis Vendors

Jeff Williams jeff.williams at owasp.org
Tue Feb 19 16:26:17 UTC 2008


Thinking this over.

I'm generally not crazy about starting an application security program with
tools.  But in the outsourcing context, getting code delivered that is
"Static Analysis Clean" is probably the thing that's easiest to articulate
and most likely to make a difference in the short term.

So it's a good question about how to influence CIOs.  A simple thing would
be to have an "Outsourcing Edition" of the OWASP
<http://www.owasp.org/index.php/OWASP_Secure_Software_Contract_Annex>
Secure Software Contract Annex.  Or we could create a standard that creates
some maturity levels for application security capability.

But I think the real problem is not the materials, but the "encouraging"
part.  I think the approach you subtly suggest in your message is a good
one.  We need to recruit a major firm to make application security a
priority, and the others will follow.

--Jeff

Jeff Williams, Chair

The OWASP Foundation <http://www.owasp.org/> 

From: owasp-leaders-bounces at lists.owasp.org
[mailto:owasp-leaders-bounces at lists.owasp.org] On Behalf Of McGovern, James
F (HTSC, IT)
Sent: Tuesday, February 19, 2008 10:46 AM
Cc: OWASP Board; OWASP Leaders
Subject: [Owasp-leaders] Static Analysis Vendors

If we acknowledge that more and more software is being bought and not being
built in-house, what can OWASP do to help CIOs put pressure on outsourcing
firms to purchase static analysis tools for each and every one of their
employees?

Would be curious to know which firm (e.g. Cognizant, Wipro, Accenture, TCS,
Satyam, etc) will be the first one to NOT make a customer specify that they
want it developed securely and will simply assume?
