
Difference between revisions of "Category talk:OWASP RFP-Criteria"

From OWASP
m (Blanked the page)
 
PURPOSE <br> List of questions/discussion points for the project.<br>
 
(if you're wondering how to add your comments to this and get involved.. create an account, it's FREE and it's a wiki)
 
  
* Proposed discussion and feedback from the Software Assurance (SwA) Community on June 22 at 3 pm with the SwA Acquisition and Outsourcing Working Group. We are meeting at the Booz Allen Hamilton Virginia Square Facility at 3811 N. Fairfax Drive, Suite 600, Arlington, Virginia 22203. --[[User:Walter Houser|Walter Houser]] 17:59, 22 May 2010 (UTC) <br>
 
Answer: Unable to attend this event, will be at [http://www.owasp.org/index.php/OWASP_AppSec_Research_2010_-_Stockholm,_Sweden OWASP Sweden]

----
 
 
Are these questions for use during the market survey or product evaluation steps of an acquisition? --[[User:Walter Houser|Walter Houser]] 20:00, 16 April 2010 (UTC)
 
Answer: YES --[[User:Brennan|jinxpuppy]] 02:20, 26 May 2010 (UTC)
 
 
1. Describe the implementation process for your product/service - is software or hardware required? Vendor training? Consulting? Any additional personnel costs on the customer side? How many personnel are needed? What are their skill sets and experience levels? --[[User:Walter Houser|Walter Houser]] 20:16, 16 April 2010 (UTC) The time to implement is meaningful only in the context of the amount and quality of resources and their costs.
 
 
2. Do you have a training and support program for your product or service? Is it required? If so, what is the typical amount of time and cost associated with training/education? --[[User:Walter Houser|Walter Houser]] 20:23, 16 April 2010 (UTC) The salesman will always answer yes to "Can you...?" questions.
 
Answer: This question was focused on the service offered: what training is required to operate it and what support programs are available.
 
----
 
 
 
4. What is the most challenging element ...? Too softball a question. --[[User:Walter Houser|Walter Houser]] 20:08, 16 April 2010 (UTC) Ask instead
 
 
4. What are the critical success factors for ...
 
 
Answer: Good, need to dive deeper here for more questions and add to the list.
 
----
 
 
 
ADDITIONAL LINKS <br>
 
 
#http://zeltser.com/security-assessments/security-assessment-rfp-cheat-sheet.html
 
 
5. Does the product/service integrate with any IPS solutions (custom filters)? [[User:Joe Aguirre|Joe Aguirre]] 20:10, 19 April 2010 (UTC)
 
+ Web Application Firewalls
 
<br>
 
 
6. Related to question #11, asking how "all existing vulnerabilities" are discovered may need to be revisited. It may make more sense to ask how the product/solution increases its vulnerability identification rate relative to the competition. [[User:Joe Aguirre|Joe Aguirre]] 20:10, 19 April 2010 (UTC)
 
Blackbox testing of custom code on a website is finding zero-day issues in a website that was designed for a single customer; hence complete coverage of the attack surface needs to be clarified.
 
<br>
 
 
7. Some additional ideas that may be useful could be: options for user administration, supported federated identity management solutions, access control granularity, and scan scheduling. [[User:Joe Aguirre|Joe Aguirre]] 15:36, 20 April 2010 (UTC)
 
<br>
 
 
8. Question #25 - Instead of listing the WASC categories, it would be cleaner to provide links to both the WASC and OWASP Top Ten lists. [[User:Joe Aguirre|Joe Aguirre]] 20:44, 21 April 2010 (UTC)
 
Answer: [http://projects.webappsec.org/Threat-Classification WASC] is classes of attack; OWASP is Top 10 Risks, very different from a testing perspective.
 
<br>
 

Latest revision as of 04:59, 16 June 2010