[Owasp-board] FW: Veracode and OWASP Top 10

Eoin eoin.keary at owasp.org
Tue Jun 29 09:43:09 UTC 2010


It's fair to say that the document *describes* [at a high level] Veracode's
approach to assessment of A1-A10.

So I could live with that claim, as opposed to saying Veracode have a Top 10
methodology or Veracode's approach is somehow Top 10 compliant.

[As a side note, they don't seem to do any manual code review/manual
verification]

A7 for example (crypto) requires manual intervention in relation to
identifying what data is actually required to be encrypted. [business
context]
Simply saying an API call to invoke DES is a weakness only makes sense if the
actual data being encrypted requires encryption in the first place and, if so,
how sensitive it is.
On 28 June 2010 21:00, Jeff Williams <jeff.williams at owasp.org> wrote:

>  Board,
>
>
>
> Here’s what I received from Veracode.  I’m encouraged to see their analysis
> of their coverage and that their service involves a combination of
> techniques including manual analysis.
>
>
>
> I do have quite a few questions, not the least of which is how they stitch
> together traces that go outside the code. For example, do they treat
> everything from the database as “tainted” and accept the false alarms, or do
> they understand Hibernate and all the various mappings to really get a good
> data flow.  My suspicion is that they simply drop all of those traces.
>
>
>
> Where to go next??
>
>
>
> --Jeff
>
>
>
>
>
>
>
> *From:* Chris Wysopal [mailto:cwysopal at Veracode.com]
> *Sent:* Monday, June 28, 2010 12:46 PM
> *To:* Jeff Williams
> *Cc:* Matthew Moynahan; Bill Husted
> *Subject:* RE: Veracode and OWASP Top 10
>
>
>
>
>
> Hi Jeff,
>
>
>
> After reviewing our automated scan documentation and our manual services
> handbook I have put together a document describing how our service tests for
> the OWASP Top 10 2010.  This gives an overview of how our multiple testing
> techniques are used to test whether or not an application qualifies for the
> VerAfied High Assurance OWASP Top 10 mark.
>
>
>
>
>
> This is the level of detail I have been able to pull together from our
> current sources in a few days.  I agree that more detail would be good in
> the future and I will work towards an ASVS view of our service.
>
>
>
> Cheers,
>
> Chris
>
>
>
>
>
>
>
>
>
> _______________________________________________
> Owasp-board mailing list
> Owasp-board at lists.owasp.org
> https://lists.owasp.org/mailman/listinfo/owasp-board
>
>


-- 
Eoin Keary
OWASP Global Board Member
OWASP Code Review Guide Lead Author

Sent from my i-Transmogrifier
http://asg.ie/
https://twitter.com/EoinKeary
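The A7 point above (a DES call is only a finding once you know what data flows into it) can be shown with a small two-stage check. This is an added example, not Veracode's method and not code from the OWASP list: a scanner stage walks a Python AST for `<WeakCipher>.new(...).encrypt(x)` patterns and records the name of the variable being encrypted, and a triage stage applies a data-classification map that stands in for the business context a manual reviewer supplies. The sample module, the `WEAK_CIPHERS` set and the `DATA_CLASSIFICATION` map are all constructed for illustration.

```python
import ast
from dataclasses import dataclass

# Constructed sample module, as a static scanner would see it (not from the page).
# Two functions use DES; only one of them encrypts data that actually needs protection.
SAMPLE_SOURCE = '''
from Crypto.Cipher import DES, AES

def cache_token(value, key):
    return DES.new(key, DES.MODE_ECB).encrypt(value)

def store_card_number(pan, key):
    return DES.new(key, DES.MODE_ECB).encrypt(pan)

def store_ssn(ssn, key):
    return AES.new(key, AES.MODE_GCM).encrypt(ssn)
'''

# Hypothetical list of cipher module names the scanner treats as weak.
WEAK_CIPHERS = {"DES", "ARC4", "Blowfish"}

# Hypothetical classification of the variables reaching the encrypt() call:
# this is the "business context" an automated scan cannot know on its own.
DATA_CLASSIFICATION = {
    "pan": "high",      # payment card number: must be encrypted with a strong cipher
    "ssn": "high",
    "value": "public",  # cache token with no confidentiality requirement in this app
}


@dataclass
class Finding:
    function: str   # enclosing function name
    cipher: str     # weak cipher module used
    line: int       # line of the encrypt() call
    argument: str   # name of the variable being encrypted (the data under review)


def find_weak_cipher_calls(source: str) -> list[Finding]:
    """Stage 1 (automated): flag <WeakCipher>.new(...).encrypt(<arg>) calls."""
    tree = ast.parse(source)
    findings = []
    for func in (n for n in ast.walk(tree) if isinstance(n, ast.FunctionDef)):
        for node in ast.walk(func):
            # Outer call must be <something>.encrypt(...)
            if not (isinstance(node, ast.Call)
                    and isinstance(node.func, ast.Attribute)
                    and node.func.attr == "encrypt"):
                continue
            # <something> must itself be <Module>.new(...)
            inner = node.func.value
            if not (isinstance(inner, ast.Call)
                    and isinstance(inner.func, ast.Attribute)
                    and inner.func.attr == "new"):
                continue
            module = inner.func.value
            if not (isinstance(module, ast.Name) and module.id in WEAK_CIPHERS):
                continue
            if not node.args:
                continue
            arg = node.args[0]
            arg_name = arg.id if isinstance(arg, ast.Name) else ast.dump(arg)
            findings.append(Finding(func.name, module.id, node.lineno, arg_name))
    return findings


def triage(findings: list[Finding], classification: dict[str, str]) -> list[tuple[str, str, str]]:
    """Stage 2 (manual context): rate each raw finding by the sensitivity of the data."""
    results = []
    for f in findings:
        sensitivity = classification.get(f.argument, "unknown")
        if sensitivity == "high":
            severity = "high"          # weak cipher protecting data that must be protected
        elif sensitivity == "public":
            severity = "info"          # weak cipher, but the data needs no confidentiality
        else:
            severity = "needs-review"  # scanner cannot decide without a human
        results.append((f.function, f.cipher, severity))
    return results


if __name__ == "__main__":
    raw = find_weak_cipher_calls(SAMPLE_SOURCE)
    for f in raw:
        print(f"raw finding: {f.function}() uses {f.cipher} on '{f.argument}' at line {f.line}")
    for function, cipher, severity in triage(raw, DATA_CLASSIFICATION):
        print(f"triaged:     {function}() {cipher} -> {severity}")
```

Both DES calls are identical to the scanner; only the classification map separates the real A7 issue (`store_card_number`) from noise (`cache_token`), and `store_ssn` is never flagged because the cipher is not on the weak list, even though its argument is sensitive. A variable the map does not know about comes back as `needs-review` rather than being silently dropped.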