Talk:OWASP RFP-Criteria

PURPOSE List of questions/discussion points for the project. (if your wondering how to add your comments to this and get involved.. create a account its FREE and its a wiki)

Answer: Unable to attend this event will be at OWASP Sweden
 * Proposed discussion and feedback from the Software Assurance (SwA) Community on June 22 at 3 pm with the SwA Acquisition and Outsourcing Working Group. We are meeting at the Booz Allen Hamilton Virginia Square Facility at 3811 N. Fairfax Drive, Suite 600, Arlington, Virginia 22203. --Walter Houser 17:59, 22 May 2010 (UTC)

Are these questions for use during the market survey or product evaluation steps of an acquisition? --Walter Houser 20:00, 16 April 2010 (UTC) Answer: YES --jinxpuppy 02:20, 26 May 2010 (UTC)

1. Describe the implementation process for your product/service - is software or hardware required? Vendor training? Consulting? Any additional personnel costs on customer side? How many personnel are needed? What are their skill sets and experience levels. --Walter Houser 20:16, 16 April 2010 (UTC) The time to implement is meaningful only in the context of the amount and quality of resources and their costs.

2. Do you have a training and support program for your product or service? Is it required? If so, what is the typical amount of time and cost associated with training/education? --Walter Houser 20:23, 16 April 2010 (UTC) The salesman will always answer yes to "Can you...?" questions. Answer: This question was focused on the service offered that what training is required to operate it and what support programs are available

4. What is the most challenging element ...? Too softball a question. --Walter Houser 20:08, 16 April 2010 (UTC) Ask instead

4. What are the critical success factors for ...

Answer: Good need to dive deeper here for more questions and add to the list

ADDITIONAL LINKS


 * 1) http://zeltser.com/security-assessments/security-assessment-rfp-cheat-sheet.html

5. Does the product/service integrate with any IPS solutions(custom filters)? Joe Aguirre 20:10, 19 April 2010 (UTC) + Web Application Firewalls

6. Related to question #11, asking how "all existing vulnerabilities" are discovered may need to be revisited. It may make more sense to ask how the product/solution increases its vulnerability identification rate relative to the competition. Joe Aguirre 20:10, 19 April 2010 (UTC) Blackbox testing of custom code on a website is finding zero-day issues in a website that was designed for a single customer hence complete coverage of the attack surface needs to be clarified.

7. Some additional ideas that may be useful could be: options for user administration, supported federated identity management solutions, access control granularity, and scan scheduling. Joe Aguirre 15:36, 20 April 2010 (UTC)

8. Question #25 - Instead of listing the WASC categories, it would be cleaner to provide links to both the WASC and OWASP Top Ten lists. Joe Aguirre 20:44, 21 April 2010 (UTC) Answer: WASC is classes of attack OWASP is Top 10 Risks very different from a testing perspective.