[Owasp-leaders] HP NEWS: Briefing on the First Real-time Application Security Analysis Solution

Andre Gironda andreg at gmail.com
Thu Apr 28 16:21:03 EDT 2011


On Thu, Apr 28, 2011 at 12:46 PM, Jim Manico <jim.manico at owasp.org> wrote:
> Can anyone help me come up with **tough** questions to ask HP for an OWASP
> Podcast? Conversation with HP PR below….

What, you mean besides, "Why pay for something that easily costs half
a million dollars for a DAST-only solution when I can get it for
free, better, using w3af emailReport, Arachni webui, or Burp Suite Pro
in headless mode with sodapop.sh?"

Or more of the tune of "How did Cigital figure out how to deal with
source code and code patterns that have multiple levels of indirection
in their ESP solution, but Fortify can't figure out how to get basic
Spring DI (or any other DI enabled framework) entry points mapped to
sources, let alone link those sources to sinks in a forward or
backwards tracing direction?"

Or how about "Why doesn't Fortify SCA provide lost sink results like
AppScan Source Edition does?"

I would start with those, and move on to some more spiteful questions
later in the interview.

-Andre
