RE: calling all software security tool vendors/freeware/open source project leads

["Evans, Arian" <Arian.Evans () fishnetsecurity com>]

Kyle, the big answer is: [comments inline]

> -----Original Message-----
> From: Kyle Quest [mailto:Kyle.Quest () networkengines com]
> Sent: Sunday, March 13, 2005 2:04 PM
> To: Evans, Arian; secprog () securityfocus com;
> Subject: RE: calling all software security tool vendors/freeware/open
>
> the big question is... why would people want to drop everything
> and run... like puppies... just to participate in what seems
> to be somebody's commercial project.

1. _The_reason_: I am going to provide and maintain a list of tools
related to finding and fixing flaws in application security (code).
I am going to cover the who, what when, where, features, etc.

This list will be maintained on www.owasp.org. It will be comparable
to the SANS tool list (not linked because it's worthless) or Talisker's
tool list (http://www.networkintrusion.co.uk/). It will be more
focused and hence (hopefully) more detailed/useful.

I would think a vendor would want to be listed. To ensure they are
listed they should contact me. The way you phrased your response makes
you sound as paranoid of people with agendas as I am. ;)

2. This project is not vendor driven. It is a personal project,
started on my own time and largely done on my own time. I will
host it using someone else's bandwidth where possible.

If necessary I would host this on my personal website; luckily,
organizations like OWASP have expressed interest in this.

3. No one needs to drop anything including puppies to participate.

In fact, I am very much not a fan of puppy dropping.

I am BCC'ing secprog, vuln-dev, SC-L, and webappsec again to
avoid needless cross-pollination.


-ae