Tuesday, August 12, 2008

OWASP Coverage?

In a comment to an unrelated post, James McGovern asks

"What would it take for an industry analyst to provide comprehensive coverage via blog entries on the work that OWASP is doing?"

I can't speak for anyone else, but here's my answer. I might provide occasional comments about OWASP without any special motivation, but before I go to the trouble to provide comprehensive coverage about something, I need to see some strong interest from my readers. I also need to feel that this is a subject I can add some value to, rather than merely repeating what everyone else is saying.

So if anyone wants me to take a thorough look at OWASP (or anything else for that matter), please add a comment to this blog, indicating the nature of your interest and what specific questions you'd like me to address. Thanks.


Jennifer said...

OWASP is not dominated by commercial interests, and so the message is different than from product vendors (and service vendors too, to a lesser extent). When an automated tool vendor claims to "address" the OWASP Top Ten, they should be ashamed of themselves. And you should be ashamed if you're buying that hype and promoting automated tools as anything much more than an interesting distraction.

Covering OWASP would allow people to get a far less biased opinion of what's going on in application security.

James McGovern said...

I did notice that you put into quotes something I didn't say. I asked for published research which doesn't automatically equate to blog entries but does include mention in research reports such as quadrants and waves.

Anyway, now that I have taken personal responsibility, when can I expect a call from Gartner and Forrester?

Richard Veryard said...
I was quoting your comment exactly.

As for your question to Gartner and Forrester, that's for them to answer.