[Owasp-leaders] [Owasp-board] OWASP Benchmark project - potential conflict of interest

Dave Wichers dave.wichers at owasp.org
Fri Nov 27 21:54:29 UTC 2015


Andre,

Thanks for your contributions to this healthy dialog on this subject. As
to your concern about other IAST tools, I wish there were more too.

I don¹t have licenses to any of these tools and so far, no one has stepped
up and offered to run any of these tools against the Benchmark. If anyone
on this list does, or know someone who does, and they can run them against
the Benchmark and can send us a tool native results file, we¹ll build a
parser for it so its a supported tool just like all the other tools
already supported by the Benchmark.

This is also true for ANY other tool that we don't yet support, static,
dynamic, or otherwise. We want to support ALL the appsec tools out there.

I have been working with a volunteer to get WebInspect results with and
without their server side agent, which I believe is the SecurityScope
product you are referring to, but I haven't gotten a results file back
yet. I actually doubt that the use of this agent changes how the Benchmark
supports WebInspect. Once I verify that, I can indicate the Benchmark
supports use of SecurityScope too, or if we have to build a special parser
for it, we will.


A common concern expressed has also been the lack of community
contributions and I agree that is the primary concern we need to address
to make the Benchmark successful. Several vendors approached me at AppSec
US expressing interest in contributing to the project, but 2 months later,
none of them have stepped up. There have been other contributions here and
there since then like, for example, from Simon Bennetts related to
regression testing for ZAP, and a contribution from an appsec consultant
wanting to know if a specific tool could handle a specific type of data
flow. Aspect has also been working to address concerns from the field
related to the 1.2 beta and we believe we have addressed most or all of
them, and are going to soon release the 1.2 version. In parallel, we've
been working on adding some more technologies to the Benchmark like
Spring, Jersey, some REST services, and XXE test cases.

Let's build a thriving diverse community around this project and change
AppSec for everyone for the better!!

-Dave

On 11/26/15, 3:12 PM, "Andre Gironda" <andreg+owasp at gmail.com> wrote:

>
>I hope we all believe in Jeff's message. The primary problem I see
>isn't around the marketing -- it's that the Benchmark page on Tool
>Results makes no mention of other IAST solutions, such as Synopsys
>Seeker, Secure Decisions, or HPE Security's SecurityScope. As an early
>IAST adopter who was consulting for one of these primary vendors on
>many of the first-ever large-installation IAST projects, I can attest
>to the need for both greater competition (e.g., demonstrating need and
>delivering the IAST solutions) as well as more attention (e.g.,
>marketing).
