[Owasp-leaders] HP NEWS: Briefing on the First Real-time Application Security Analysis Solution

Jim Manico jim.manico at owasp.org
Thu Apr 28 16:24:44 EDT 2011


Dre, 

I actually think those are fair and good questions.

- Jim

-----Original Message-----
From: owasp-leaders-bounces at lists.owasp.org
[mailto:owasp-leaders-bounces at lists.owasp.org] On Behalf Of Andre Gironda
Sent: Thursday, April 28, 2011 10:21 AM
To: owasp-leaders at lists.owasp.org
Subject: Re: [Owasp-leaders] HP NEWS: Briefing on the First Real-time
Application Security Analysis Solution

On Thu, Apr 28, 2011 at 12:46 PM, Jim Manico <jim.manico at owasp.org> wrote:
> Can anyone help me come up with **tough** questions to ask HP for an OWASP
> Podcast? Conversation with HP PR below..

What, you mean besides, "Why pay for something that costs easily half
of a million dollars for a DAST-only solution when I can get it for
free, better, using w3af emailReport, Arachni webui, or Burp Suite Pro
in headless mode with sodapop.sh?"

Or more of the tune of "How did Cigital figure out how to deal with
source code and code patterns that have multiple levels of indirection
in their ESP solution, but Fortify can't figure out how to get basic
Spring DI (or any other DI enabled framework) entry points mapped to
sources, let alone link those sources to sinks in a forward or
backwards tracing direction?"

Or how about "Why doesn't Fortify SCA provide lost sink results like
Appscan Source Edition does?"

I would start with those, and move on to some more spiteful questions
later in the interview.

-Andre
_______________________________________________
OWASP-Leaders mailing list
OWASP-Leaders at lists.owasp.org
https://lists.owasp.org/mailman/listinfo/owasp-leaders
