[Owasp-board] Jeff doing marketing for Contrast using Benchmark

johanna curiel curiel johanna.curiel at owasp.org
Fri Nov 27 18:08:30 UTC 2015


Josh, also take the time to read the reaction of Veracode

Jeff doing marketing...

https://www.veracode.com/blog/2015/09/no-one-technology-silver-bullet

This week we’re all treated to watch this spectacle play out in the pages
of Dark Reading, loosely disguised as a discussion about a new industry
benchmark. While vendors sling arrows at each other, the benchmark itself
isn’t getting much attention and I think it would benefit us all to focus
on what’s important here: the benchmark
<https://www.owasp.org/index.php/Benchmark>.

.....

If you haven’t been following the drama, over the past few days, the general
manager of HP’s Fortify division, Jason Schmitt, and the CTO and Co-founder
of Contrast Security, Jeff Williams, have been in a tit-for-tat argument
over this question. In a post
<http://www.darkreading.com/vulnerabilities---threats/why-its-insane-to-trust-static-analysis/a/d-id/1322274?>
published
yesterday, Williams points to a new benchmark from OWASP as a good way to
objectively evaluate the strengths and weaknesses of different application
security tools.

I have a concern with the OWASP benchmark scoring as well. I don’t agree
with the scoring process where the score is true positive rate minus false
positives rate (score = TP%-FP%).  It is much more important to be able to
detect a vulnerability than to reject a false positive, to a point.  I am
going to recommend to OWASP that TP% and FP% be reported and not combined
into a final score.  This way there is more information presented and
customers can make up their minds about the FP rate their risk posture and
resources can tolerate.  For instance if a test has a TP% of 65% and FP%
around 35%, instead of just comparing a score of 30 to compare test results
look at both numbers.  That paints a more realistic picture of how a
testing technology will perform.

On Fri, Nov 27, 2015 at 1:59 PM, johanna curiel curiel <johanna.curiel at owasp.org> wrote:

> Josh
>
> Inform yourself better.
>
> Is now Jeff being forced to write articles in DarkReading about benchmark
> and Contrast?
>
>
> http://www.darkreading.com/vulnerabilities---threats/why-its-insane-to-trust-static-analysis/a/d-id/1322274
>
> [image: Inline image 2]
>
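The scoring objection quoted above (score = TP% - FP% versus reporting TP% and FP% separately) is easy to see with numbers. The following is an added example, not code from the OWASP Benchmark project or from anyone on this thread; it builds a constructed, hypothetical result set for two made-up tools, computes both rates and the combined score, and shows that the 65%/35% tool and a 30%/0% tool tie on a score of 30 while behaving very differently. The `TestCase`, `make_cases`, `rates` and `report` names are assumptions of this example.

```python
"""Constructed example: scoring a benchmark run as TP% and FP% separately
versus the combined score = TP% - FP% discussed in the message above."""
from dataclasses import dataclass
from typing import Dict, Iterable, List, Tuple


@dataclass(frozen=True)
class TestCase:
    name: str
    vulnerable: bool  # ground truth: does the case really contain the flaw?
    flagged: bool     # did the tool under test report a finding on it?


def make_cases(n_vuln: int, n_safe: int, tp_hits: int, fp_hits: int) -> List[TestCase]:
    """Build a constructed result set (hypothetical data, not real tool output).

    n_vuln  truly vulnerable cases, of which the tool flags tp_hits;
    n_safe  safe cases, of which the tool wrongly flags fp_hits.
    """
    if not (0 <= tp_hits <= n_vuln and 0 <= fp_hits <= n_safe):
        raise ValueError("hit counts must not exceed the case counts")
    cases = [TestCase(f"vuln-{i:03d}", True, i < tp_hits) for i in range(n_vuln)]
    cases += [TestCase(f"safe-{i:03d}", False, i < fp_hits) for i in range(n_safe)]
    return cases


def rates(cases: Iterable[TestCase]) -> Tuple[float, float]:
    """Return (TP%, FP%): true-positive rate over vulnerable cases and
    false-positive rate over safe cases. An empty class yields 0.0 rather
    than a ZeroDivisionError, so a partial run still produces a row."""
    cases = list(cases)
    positives = [c for c in cases if c.vulnerable]
    negatives = [c for c in cases if not c.vulnerable]
    tp = sum(1 for c in positives if c.flagged)
    fp = sum(1 for c in negatives if c.flagged)
    tp_rate = 100.0 * tp / len(positives) if positives else 0.0
    fp_rate = 100.0 * fp / len(negatives) if negatives else 0.0
    return tp_rate, fp_rate


def combined_score(tp_rate: float, fp_rate: float) -> float:
    """The single number the message objects to: score = TP% - FP%."""
    return tp_rate - fp_rate


def report(runs: Dict[str, List[TestCase]]) -> Dict[str, Dict[str, float]]:
    """Per-tool table carrying all three numbers, so a reader can see the
    TP/FP trade-off that the combined score alone hides."""
    table: Dict[str, Dict[str, float]] = {}
    for tool, cases in runs.items():
        tp_rate, fp_rate = rates(cases)
        table[tool] = {
            "tp_pct": tp_rate,
            "fp_pct": fp_rate,
            "score": combined_score(tp_rate, fp_rate),
        }
    return table


if __name__ == "__main__":
    # Two hypothetical tools: one noisy but thorough (the 65%/35% case from
    # the message), one quiet but shallow. Both land on the same score of 30.
    runs = {
        "noisy-tool": make_cases(100, 100, tp_hits=65, fp_hits=35),
        "quiet-tool": make_cases(100, 100, tp_hits=30, fp_hits=0),
    }
    for tool, row in report(runs).items():
        print(f"{tool:12s} TP%={row['tp_pct']:5.1f} "
              f"FP%={row['fp_pct']:5.1f} score={row['score']:5.1f}")
```

Run as a script it prints one row per tool; the point is that the `score` column is identical for both while the `tp_pct` and `fp_pct` columns show that one tool finds more than twice as many real flaws at the cost of noise the other never produces, which is exactly the trade-off a team has to weigh against its own triage capacity.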

