https://wiki.owasp.org/index.php?action=history&feed=atom&title=Talk%3AOWASP_RFP-Criteria 2026-04-19T16:04:40Z Revision history for this page on the wiki MediaWiki 1.27.2 https://wiki.owasp.org/index.php?title=Talk:OWASP_RFP-Criteria&diff=84951&oldid=prev 2010-06-16T05:00:25Z

<p>Created page with &#039;PURPOSE &lt;br&gt; List of questions/discussion points for the project.&lt;br&gt; (if your wondering how to add your comments to this and get involved.. create a account its FREE and its a …&#039;</p> <p><b>New page</b></p><div>PURPOSE &lt;br&gt; List of questions/discussion points for the project.&lt;br&gt; <br /> (if your wondering how to add your comments to this and get involved.. create a account its FREE and its a wiki)<br /> <br /> * Proposed discussion and feedback from the Software Assurance (SwA) Community on June 22 at 3 pm with the SwA Acquisition and Outsourcing Working Group. We are meeting at the Booz Allen Hamilton Virginia Square Facility at 3811 N. Fairfax Drive, Suite 600, Arlington, Virginia 22203. --[[User:Walter Houser|Walter Houser]] 17:59, 22 May 2010 (UTC) &lt;br&gt;<br /> Answer: Unable to attend this event will be at [http://www.owasp.org/index.php/OWASP_AppSec_Research_2010_-_Stockholm,_Sweden OWASP Sweden] ----<br /> <br /> Are these questions for use during the market survey or product evaluation steps of an acquisition? --[[User:Walter Houser|Walter Houser]] 20:00, 16 April 2010 (UTC) <br /> Answer: YES --[[User:Brennan|jinxpuppy]] 02:20, 26 May 2010 (UTC)<br /> <br /> 1. Describe the implementation process for your product/service - is software or hardware required? Vendor training? Consulting? Any additional personnel costs on customer side? How many personnel are needed? What are their skill sets and experience levels. --[[User:Walter Houser|Walter Houser]] 20:16, 16 April 2010 (UTC) The time to implement is meaningful only in the context of the amount and quality of resources and their costs. <br /> <br /> 2. Do you have a training and support program for your product or service? Is it required? If so, what is the typical amount of time and cost associated with training/education? --[[User:Walter Houser|Walter Houser]] 20:23, 16 April 2010 (UTC) The salesman will always answer yes to &quot;Can you...?&quot; questions. <br /> Answer: This question was focused on the service offered that what training is required to operate it and what support programs are available <br /> ----<br /> <br /> <br /> 4. What is the most challenging element ...? Too softball a question. --[[User:Walter Houser|Walter Houser]] 20:08, 16 April 2010 (UTC) Ask instead <br /> <br /> 4. What are the critical success factors for ... <br /> <br /> Answer: Good need to dive deeper here for more questions and add to the list <br /> ----<br /> <br /> <br /> ADDITIONAL LINKS &lt;br&gt; <br /> <br /> #http://zeltser.com/security-assessments/security-assessment-rfp-cheat-sheet.html<br /> <br /> 5. Does the product/service integrate with any IPS solutions(custom filters)? [[User:Joe Aguirre|Joe Aguirre]] 20:10, 19 April 2010 (UTC) <br /> + Web Application Firewalls<br /> &lt;br&gt; <br /> <br /> 6. Related to question #11, asking how &quot;all existing vulnerabilities&quot; are discovered may need to be revisited. It may make more sense to ask how the product/solution increases its vulnerability identification rate relative to the competition. [[User:Joe Aguirre|Joe Aguirre]] 20:10, 19 April 2010 (UTC) <br /> Blackbox testing of custom code on a website is finding zero-day issues in a website that was designed for a single customer hence complete coverage of the attack surface needs to be clarified. <br /> &lt;br&gt; <br /> <br /> 7. Some additional ideas that may be useful could be: options for user administration, supported federated identity management solutions, access control granularity, and scan scheduling. [[User:Joe Aguirre|Joe Aguirre]] 15:36, 20 April 2010 (UTC)<br /> &lt;br&gt;<br /> <br /> 8. Question #25 - Instead of listing the WASC categories, it would be cleaner to provide links to both the WASC and OWASP Top Ten lists. [[User:Joe Aguirre|Joe Aguirre]] 20:44, 21 April 2010 (UTC)<br /> Answer: [http://projects.webappsec.org/Threat-Classification WASC] is classes of attack OWASP is Top 10 Risks very different from a testing perspective.<br /> &lt;br&gt;</div>

Brennan