[Owasp-board] FW: Veracode and OWASP Top 10

Jeff Williams jeff.williams at owasp.org
Mon Jun 28 20:00:57 UTC 2010



Here's what I received from Veracode.  I'm encouraged to see their analysis
of their coverage and that their service involves a combination of
techniques including manual analysis.


I do have quite a few questions, not the least of which is how they stitch
together traces that go outside the code. For example, do they treat
everything from the database as "tainted" and accept the false alarms, or do
they understand Hibernate and all the various mappings to really get a good
data flow?  My suspicion is that they simply drop all of those traces.


Where to go next??






From: Chris Wysopal [mailto:cwysopal at Veracode.com] 
Sent: Monday, June 28, 2010 12:46 PM
To: Jeff Williams
Cc: Matthew Moynahan; Bill Husted
Subject: RE: Veracode and OWASP Top 10



Hi Jeff,


After reviewing our automated scan documentation and our manual services
handbook I have put together a document describing how our service tests for
the OWASP Top 10 2010.  This gives an overview of how our multiple testing
techniques are used to test whether or not an application qualifies for the
VerAfied High Assurance OWASP Top 10 mark.



This is the level of detail I have been able to pull together from our
current sources in a few days.  I agree that more detail would be good in
the future and I will work towards an ASVS view of our service.
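The database-boundary question raised earlier in the thread (does the analyzer drop a trace when it leaves the code through a persistence layer, or treat every database read as tainted) is the difference between catching and missing a second-order injection. The following is an added example written for this page, not code from Veracode, OWASP, or either correspondent: it uses Python with an in-memory sqlite3 database standing in for the ORM-backed store, a constructed attacker-chosen display name, and hypothetical function names. The first hop (registration) is a parameterized INSERT, so a scanner that only inspects that statement sees nothing wrong; the flaw is that the stored value is later read back and concatenated into SQL. An analyzer that drops the trace at the database boundary misses the vulnerable sink; one that marks every database read as tainted flags it, but will also flag the hardened sink's read unless it recognizes the parameter binding.

```python
import sqlite3

# Constructed sample input (not from the page): an attacker-chosen display
# name that is stored safely and later read back and concatenated into SQL.
PAYLOAD = "x'); DELETE FROM users; --"


def setup_db():
    """In-memory SQLite schema standing in for the application's database."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, display_name TEXT);"
        "CREATE TABLE audit (id INTEGER PRIMARY KEY, note TEXT);"
    )
    return conn


def register(conn, username, display_name):
    """First hop: user input reaches the database through a parameterized
    query.  A scanner that only looks at this statement sees nothing wrong."""
    conn.execute(
        "INSERT INTO users (username, display_name) VALUES (?, ?)",
        (username, display_name),
    )
    conn.commit()


def load_display_name(conn, username):
    """Second hop: the stored value comes back out of the database.
    Whether this return value counts as tainted is exactly the analyzer
    design choice discussed in the thread."""
    row = conn.execute(
        "SELECT display_name FROM users WHERE username = ?", (username,)
    ).fetchone()
    return row[0]


def record_login_vulnerable(conn, username):
    """Vulnerable sink: the read-back value is concatenated into a statement.
    executescript() runs every statement in the string, so the payload's
    DELETE executes as well (second-order SQL injection)."""
    name = load_display_name(conn, username)
    conn.executescript("INSERT INTO audit (note) VALUES ('login: " + name + "');")


def record_login_safe(conn, username):
    """Hardened sink: the read-back value is bound as a parameter, so it is
    stored verbatim and never parsed as SQL."""
    name = load_display_name(conn, username)
    conn.execute("INSERT INTO audit (note) VALUES (?)", ("login: " + name,))
    conn.commit()


def user_count(conn):
    return conn.execute("SELECT COUNT(*) FROM users").fetchone()[0]


def audit_notes(conn):
    return [r[0] for r in conn.execute("SELECT note FROM audit ORDER BY id")]


def run_scenario(sink):
    """Register the malicious display name, then trigger the given sink.
    Returns (users remaining, audit notes) so the two sinks can be compared."""
    conn = setup_db()
    register(conn, "mallory", PAYLOAD)
    sink(conn, "mallory")
    return user_count(conn), audit_notes(conn)


if __name__ == "__main__":
    # Vulnerable path: the users table is emptied and the audit note is truncated.
    print("vulnerable:", run_scenario(record_login_vulnerable))
    # Safe path: one user remains and the payload is stored as inert text.
    print("safe:      ", run_scenario(record_login_safe))
```

Running the script shows the two outcomes side by side: the vulnerable sink leaves zero users and an audit note of `login: x`, while the hardened sink leaves the user in place and records the full payload as a literal string. A static analyzer only reports the first function if its data-flow model carries taint from the INSERT parameter, through the table, and out of the SELECT; that persistence hop is what an ORM mapping layer such as Hibernate would have to be modeled for.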








-------------- next part --------------
A non-text attachment was scrubbed...
Name: Veracode OWASP Top 10 2010 Detection.pdf
Type: application/pdf
Size: 73158 bytes
Desc: not available
URL: <http://lists.owasp.org/pipermail/owasp-board/attachments/20100628/36963a48/attachment-0002.pdf>
