[Owasp-board] Jeff doing marketing for Contrast using Benchmark

johanna curiel curiel johanna.curiel at owasp.org
Fri Nov 27 18:08:30 UTC 2015

Josh, also take the time to read the reaction of Veracode

Jeff doing marketing...


This week we’re all treated to watch this spectacle play out in the pages
of Dark Reading, loosely disguised as a discussion about a new industry
benchmark. While vendors sling arrows at each other, the benchmark itself
isn’t getting much attention and I think it would benefit us all to focus
on what’s important here: the benchmark.


If you haven’t been following the drama, over the past few days, the general
manager of HP’s Fortify division, Jason Schmitt, and the CTO and Co-founder
of Contrast Security, Jeff Williams, have been in a tit-for-tat argument
over this question. In a post
yesterday, Williams points to a new benchmark from OWASP as a good way to
objectively evaluate the strengths and weaknesses of different application
security tools.

*I have a concern with the OWASP benchmark scoring as well. I don’t agree
with the scoring process where the score is true positive rate minus false
positive rate (score = TP% - FP%). It is much more important to be able to
detect a vulnerability than to reject a false positive, to a point. I am
going to recommend to OWASP that TP% and FP% be reported and not combined
into a final score. This way there is more information presented and
customers can make up their minds about the FP rate their risk posture and
resources can tolerate. For instance, if a test has a TP% of 65% and FP%
around 35%, instead of just comparing a score of 30 to compare test results,
look at both numbers. That paints a more realistic picture of how a
testing technology will perform.*

On Fri, Nov 27, 2015 at 1:59 PM, johanna curiel curiel <
johanna.curiel at owasp.org> wrote:

> Josh
> Inform yourself better.
> Is now Jeff being forced to write articles in DarkReading about benchmark
> and Contrast?
> http://www.darkreading.com/vulnerabilities---threats/why-its-insane-to-trust-static-analysis/a/d-id/1322274
> [image: Inline image 2]
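The scoring formula the thread argues about (score = TP% - FP%) is easy to
see in code. The block below is an added example and is not code from this
list, from Veracode, or from the OWASP Benchmark project. It reads a
constructed expected-results file in the shape the Benchmark uses (test
name, category, whether the test is a real vulnerability, CWE; the column
layout is an assumption about the project's CSV), scores four constructed
tool outputs, and reports TP rate and FP rate per category and overall next
to the combined score. Two of the constructed tools land on the same combined
score with clearly different TP and FP rates, which is exactly the
information the combined number throws away. The pooled "overall" row and
the CWE-matching rule are this example's own choices, not the Benchmark's.

```python
"""Score tool output against Benchmark-style expected results and report
TP rate and FP rate separately rather than only score = TPR - FPR."""
import csv
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple

# Constructed sample in the shape of the Benchmark's expected-results CSV
# (test name, category, real vulnerability, CWE). Names and sizes are made
# up for this example; they are not rows from the real Benchmark.
EXPECTED_CSV = """\
# test name, category, real vulnerability, cwe
BenchmarkTest00001,sqli,true,89
BenchmarkTest00002,sqli,false,89
BenchmarkTest00003,sqli,true,89
BenchmarkTest00004,sqli,false,89
BenchmarkTest00005,xss,true,79
BenchmarkTest00006,xss,false,79
BenchmarkTest00007,xss,true,79
BenchmarkTest00008,xss,false,79
BenchmarkTest00009,pathtraver,true,22
BenchmarkTest00010,pathtraver,false,22
"""


@dataclass(frozen=True)
class TestCase:
    name: str
    category: str
    vulnerable: bool
    cwe: int


def parse_expected(text: str) -> Dict[str, TestCase]:
    """Parse the expected-results CSV, skipping blank and '#' comment lines."""
    rows = csv.reader(l for l in text.splitlines() if l and not l.startswith("#"))
    cases = {}
    for name, category, real, cwe in (tuple(c.strip() for c in r) for r in rows):
        cases[name] = TestCase(name, category, real.lower() == "true", int(cwe))
    return cases


@dataclass
class Counts:
    tp: int = 0
    fp: int = 0
    tn: int = 0
    fn: int = 0

    @property
    def tpr(self) -> float:  # share of real vulnerabilities the tool flagged
        return self.tp / (self.tp + self.fn) if (self.tp + self.fn) else 0.0

    @property
    def fpr(self) -> float:  # share of safe tests the tool wrongly flagged
        return self.fp / (self.fp + self.tn) if (self.fp + self.tn) else 0.0

    @property
    def score(self) -> float:  # the combined number the thread objects to
        return self.tpr - self.fpr


def score_tool(cases: Dict[str, TestCase],
               findings: Set[Tuple[str, int]]) -> Dict[str, Counts]:
    """findings = set of (test name, CWE) the tool reported. A finding only
    counts if it names the CWE the test is about (assumption of this example).
    Returns per-category counts plus a pooled 'overall' entry."""
    per_cat: Dict[str, Counts] = {}
    for case in cases.values():
        c = per_cat.setdefault(case.category, Counts())
        reported = (case.name, case.cwe) in findings
        if case.vulnerable and reported:
            c.tp += 1
        elif case.vulnerable:
            c.fn += 1
        elif reported:
            c.fp += 1
        else:
            c.tn += 1
    overall = Counts()
    for c in per_cat.values():
        overall.tp, overall.fp = overall.tp + c.tp, overall.fp + c.fp
        overall.tn, overall.fn = overall.tn + c.tn, overall.fn + c.fn
    per_cat["overall"] = overall
    return per_cat


def score_all(cases: Dict[str, TestCase],
              tools: Dict[str, Set[Tuple[str, int]]]) -> Dict[str, Dict[str, Counts]]:
    return {name: score_tool(cases, findings) for name, findings in tools.items()}


def rank_within_fpr(results: Dict[str, Dict[str, Counts]], max_fpr: float) -> List[str]:
    """What a buyer can do with the two rates reported separately: drop tools
    whose overall FP rate exceeds what they can triage, then rank by TP rate."""
    ok = [n for n, r in results.items() if r["overall"].fpr <= max_fpr]
    return sorted(ok, key=lambda n: -results[n]["overall"].tpr)


CASES = parse_expected(EXPECTED_CSV)

# Constructed tool outputs (not real tool results).
TOOLS: Dict[str, Set[Tuple[str, int]]] = {
    "flag_everything": {(c.name, c.cwe) for c in CASES.values()},
    "flag_nothing": set(),
    "tool_a": {("BenchmarkTest00001", 89), ("BenchmarkTest00003", 89),
               ("BenchmarkTest00005", 79), ("BenchmarkTest00002", 89)},
    "tool_b": {("BenchmarkTest00001", 89), ("BenchmarkTest00003", 89),
               ("BenchmarkTest00005", 79), ("BenchmarkTest00007", 79),
               ("BenchmarkTest00002", 89), ("BenchmarkTest00004", 89)},
}
RESULTS = score_all(CASES, TOOLS)

if __name__ == "__main__":
    print(f"{'tool':16} {'category':11} {'TP%':>6} {'FP%':>6} {'score':>7}")
    for tool, cats in RESULTS.items():
        for cat, c in cats.items():
            print(f"{tool:16} {cat:11} {c.tpr:6.0%} {c.fpr:6.0%} {c.score:7.2f}")
    print("tolerable FP rate 25%:", rank_within_fpr(RESULTS, 0.25))
    print("tolerable FP rate 50%:", rank_within_fpr(RESULTS, 0.50))
```

Run as a script it prints the table; tool_a (60% TP, 20% FP) and tool_b
(80% TP, 40% FP) both score 0.40, and a tool that flags every test scores the
same 0.00 as one that flags nothing. The rank_within_fpr call is the
"customers can make up their minds" step from the quoted paragraph: pick the
FP rate the team can actually triage first, then compare detection.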