
Submission + - WASC Announcement: Static Analysis Technologies Evaluation Criteria Published (webappsec.org)

skoussa writes: The Web Application Security Consortium (WASC) is pleased to announce the Static Analysis Technologies Evaluation Criteria. The goal of the SATEC project is to create a vendor-neutral set of criteria to help guide application security professionals during the process of acquiring a static code analysis technology that is intended to be used during source-code driven security programs. This document provides a comprehensive list of criteria that should be considered during the evaluation process. WASC Static Analysis Technologies Evaluation Criteria:

Target Audience:
The target audience of this document is the technical staff of software organizations who are looking to automate parts of their application security assurance programs using one or more static code analysis technologies, as well as application security professionals who are responsible for performing application security reviews. The document will take into consideration those who would be evaluating the technology and those who would actually be using it.

The purpose of this document is to develop a set of criteria that should be taken into consideration while evaluating static code analysis tools or services for security testing. The vendor-neutral criteria defined in this document are selected using a consensus-driven review process comprised of volunteer subject matter experts. Every organization is unique and has a unique software development environment; this document aims to help organizations achieve their application security goals through acquiring the most suitable tool for their own unique environment. The document will strictly stay away from evaluating or rating vendors. However, it will focus on the most important aspects of static code analysis technologies that would help the target audience identify the best technology for their environment and development needs.

— Aaron Weaver (Pearson Education)
— Abraham Kang (HP Fortify)
— Alec Shcherbakov (AsTech Consulting)
— Alen Zukich (Klocwork)
— Arthur Hicken (Parasoft)
— Amit Finegold (Checkmarx)
— Benoit Guerette (NorthSec)
— Chris Eng (Veracode)
— Chris Wysopal (Veracode)
— Dan Cornell (Denim Group)
— Daniel Medianero (Buguroo Offensive Security)
— Dinis Cruz (SecurityInnovation)
— Gamze Yurttutan
— Herman Stevens
— Janos Drencsan
— James McGovern (HP)
— Jean-Marc Atchison (Centauri Technologies)
— Joe Hemler (Gotham Digital Science)
— Jojo Maalouf (Hydro Ottawa)
— Laurent Levi (Checkmarx)
— Mushtaq Ahmed (Emirates Airlines)
— Ory Segal (Akamai)
— Philippe Arteau
— Sherif Koussa (Software Secured) [Project Leader]
— Srikanth Ramu (University of British Columbia)
— Romain Gaucher (Coverity)
— Sneha Phadke (eBay)
— Wagner Elias (Conviso)

Participation in the Web Application Security Scanner Evaluation Criteria project is open to all. If you have any questions about the evaluation criteria, please contact Sherif Koussa (sherif dot koussa at gmail dot com).

— announcements () webappsec org
http://www.webappsec.org/ The Web Application Security Consortium


Submission + - Announcing the Web Application Security Scanner Ev (webappsec.org)

mrkitty writes: The Web Application Security Consortium is pleased to announce the release of version 1 of the Web Application Security Scanner Evaluation Criteria (WASSEC). The goal of the WASSEC project is to create a vendor-neutral document to help guide information security professionals during web application scanner evaluations. The document provides a comprehensive list of features that should be considered when conducting an evaluation. The WASSEC project does not promote any specific products or tools, but instead provides valuable information to help you make your own decision about which of these tools best meets your needs.

The WASSEC document can be found here in both wiki and PDF formats:


Submission + - WASC's Distributed Open Proxy Honeypot Project (webappsec.org)

WASC writes: "The idea behind the IT security concept known as the honeypot is all about luring hackers into a server or network so they can be tracked. The Web Application Security Consortium (WASC) has its own particular brand of honey to attract would-be attackers — a blend of open source and open proxies. The WASC is now entering Phase Three of its Distributed Open Proxy Honeypot Project, including more participants, sensors and analytical reporting as the project moves into wide deployment. The aim remains the same, however: providing security researchers and law enforcement with a new resource in the battle against Web attacks. "Ultimately what we're trying to identify is Web-based attacks — how they are actually happening — because it's very hard to get real details," WASC Honeypot Project Leader Ryan Barnett told InternetNews.com."

Nmap 5.00 Released, With Many Improvements

iago-vL writes "The long-awaited Nmap Security Scanner version 5.00 was just released (download)! This marks the most important release since 1997, and is a huge step in Nmap's evolution from a simple port scanner to an all-around security and networking tool suite. Significant performance improvements were made, and dozens of scripts were added. For example, Nmap can now log into Windows and perform local checks (PDF), including Conficker detection. New tools included in 5.00 are Ncat, a modern reimplementation of Netcat (with IPv6, SSL, NAT traversal, port redirection, and more!), and Ndiff, for quickly comparing scan results. Other tools are in the works for future releases, but we're still waiting for them to add email and ftp clients so we can finally get off Emacs!"

Submission + - ImageShack Hacked! (mashable.com)

revjtanton writes: "Tonight a group calling themselves "Anti-Sec" hacked ImageShack and replaced many of the site's hosted images with one of their own detailing their manifesto. The group's grievance is against full-disclosure. They simply want the practice in security circles to end, and they've promised to cause mayhem and destruction if it doesn't.

These guys/gals are taking direct aim against a sect of the IT industry who is already armed to fight them...but they also already know that. It should be interesting to see how this plays out, whether you agree with them or not."
