Re: Request to add Oversecured to "Source Code Analysis Tools"


Jim Manico

Aug 15, 2020, 1:55:44 PM
to Sergey Toshin, OWASP Mobile Top 10 Risks
These kinds of commercial announcements do not belong on OWASP lists. At all.

--
Jim Manico
@Manicode


On Aug 15, 2020, at 3:28 AM, Sergey Toshin <sto...@oversecured.com> wrote:

Hello everyone! I'm a founder of Oversecured Inc (https://oversecured.com/), a startup focused on automated mobile app vulnerability scanning. Currently, we're providing only scans for Android apps (APK files). I'd like to add it to this list https://owasp.org/www-community/Source_Code_Analysis_Tools

I'm ready to answer any questions the community has. I would also invite everyone interested in Android security to view Oversecured's blog and read posted technical articles (https://blog.oversecured.com/), check out the list of vulnerabilities (https://oversecured.com/vulnerabilities), and the sample report posted on the landing page. You can use the opportunity to scan 5 Android apps for free using Oversecured service.

Thanks!

--
You received this message because you are subscribed to the Google Groups "OWASP Mobile Top 10 Risks" group.
To unsubscribe from this group and stop receiving emails from it, send an email to owasp-mobile-top-1...@owasp.org.
To view this discussion on the web visit https://groups.google.com/a/owasp.org/d/msgid/owasp-mobile-top-10-risks/8e34b811-7b9a-4001-b52e-c6756ddb7b67n%40owasp.org.

Jim Manico

Aug 15, 2020, 2:45:22 PM
to Sergey Toshin, OWASP Mobile Top 10 Risks
You made a call to action to try out your free products. That is where you went over the line. This is not the place to advertise so please stop it.

--
Jim Manico
@Manicode


On Aug 15, 2020, at 8:03 AM, Sergey Toshin <sto...@oversecured.com> wrote:


Hi Jim, this is not an announcement. The list of tools https://owasp.org/www-community/Source_Code_Analysis_Tools contains multiple commercial scanners. The policy says:

> If you are the vendor of a tool below and think that this information is incomplete or incorrect, please send an e-mail to our mailing list and we will make every effort to correct this information.

So maybe you can recommend the correct OWASP mailing list where I can ask to add Oversecured to the list of tools? Thanks!

Jim Manico

Aug 15, 2020, 2:53:53 PM
to Sergey Toshin, OWASP Mobile Top 10 Risks
A less “call to action” email that simply gives us the minimal information needed to add your service to the list would be more appropriate than your previous email, I state with respect.

--
Jim Manico
@Manicode

On Aug 15, 2020, at 8:51 AM, Sergey Toshin <sto...@oversecured.com> wrote:

Thanks for letting me know. But is that the correct place where I can ask to be added to https://owasp.org/www-community/Source_Code_Analysis_Tools?

Jim Manico

Aug 15, 2020, 4:01:29 PM
to Sergey Toshin, OWASP Mobile Top 10 Risks
Did you take a look at the actual table??


We need like one or two sentences. You’re doing a great job trolling me though.

--
Jim Manico
@Manicode

On Aug 15, 2020, at 9:45 AM, Sergey Toshin <sto...@oversecured.com> wrote:

Sorry, that was my first post to the OWASP forums, the lesson is learned!

Oversecured -- a static SaaS-based scanner for Android apps. It accepts only APK files from users and gives back a report that can be downloaded as a PDF (entirely, or with applied filters). It decompiles APKs to Java sources and performs analysis against them (so it doesn't matter whether Kotlin or Java or both were used to write the app). The list of vulnerabilities (https://oversecured.com/vulnerabilities) corresponds to OWASP Top 10 and CWE categories. It doesn't distinguish between app sources and used libraries; a scan report will contain vulnerabilities from both parts. A scan takes from a few seconds up to a few hours, it really depends on the app (most scans are finished within 10 minutes). It doesn't have an OWASP Benchmark score, but the rate of False Positives is subjectively very low. We are also doing our best to find 100% of Java-specific vulnerabilities (the scanner doesn't scan native libraries at all).

Some of the features:
- supports the following input sources of dangerous data: third-party apps (inter-component communications), public storage (SD card), deeplinks, network/webviews, public content providers, Bluetooth/NFC/SMS, UI inputs, all deserializable objects, etc.
- cross-component data tracking (e.g. from an exported activity to a non-exported service)
- supports vulnerability detection during deserialization (for Serializable, Externalizable, Parcelable classes)
- a big number of Android-specific vulnerability categories

The first 5 scans are free to all users; after that it is $10 per scan. Companies that own an app can also integrate the scanner into their SDLC and scan each new version of the app. The cost will depend on the app category and the number of installs.

Hope it helps.
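As an added illustration of the "exported activity to non-exported service" data flow the post above says a cross-component tracker follows, here is a minimal Android sketch. This is not code from the thread or from Oversecured; the class names, the `next` extra, the `account` extra and the manifest export settings named in the comments are all assumptions made for the example. The first activity forwards a caller-supplied Intent unchanged (the pattern a tracker would report), the second only forwards to one allowlisted component and copies a single expected field.

```java
// Added example, not Oversecured's code. Names, extras and manifest settings are assumed.
package com.example.icc;

import android.app.Activity;
import android.app.Service;
import android.content.ComponentName;
import android.content.Intent;
import android.os.Bundle;
import android.os.IBinder;
import android.util.Log;

// Source: assumed android:exported="true" in the manifest, so any third-party
// app can start this activity with arbitrary extras (inter-component communication).
public class ShareActivity extends Activity {
    static final String EXTRA_NEXT = "next";

    @Override
    protected void onCreate(Bundle savedInstanceState) {
        super.onCreate(savedInstanceState);
        // Tainted: a Parcelable Intent built entirely by the caller.
        Intent next = getIntent().getParcelableExtra(EXTRA_NEXT);
        if (next != null) {
            // Sink: the caller's Intent is sent with this app's identity, so it can
            // reach SyncService even though that service is not exported.
            startService(next);
        }
        finish();
    }
}

// Hardened variant: forward only to an explicit allowlisted component, and
// rebuild the Intent with the one extra we expect instead of reusing the caller's.
class ShareActivityFixed extends Activity {
    @Override
    protected void onCreate(Bundle savedInstanceState) {
        super.onCreate(savedInstanceState);
        Intent next = getIntent().getParcelableExtra(ShareActivity.EXTRA_NEXT);
        ComponentName target = (next == null) ? null : next.getComponent();
        ComponentName allowed = new ComponentName(this, SyncService.class);
        if (target != null && allowed.equals(target)) {
            Intent clean = new Intent(this, SyncService.class);
            clean.putExtra("account", next.getStringExtra("account"));
            startService(clean);
        } else {
            Log.w("ShareActivity", "refusing to forward intent to " + target);
        }
        finish();
    }
}

// Non-exported service (assumed android:exported="false"). It trusts its caller,
// which is exactly why the redirect through ShareActivity matters.
class SyncService extends Service {
    @Override
    public int onStartCommand(Intent intent, int flags, int startId) {
        String account = intent.getStringExtra("account");
        Log.i("SyncService", "syncing " + account);
        return START_NOT_STICKY;
    }

    @Override
    public IBinder onBind(Intent intent) {
        return null;
    }
}
```

The point a static tracker has to capture is that the taint does not stop at the activity boundary: the Intent extra arrives in an exported component and is consumed by a non-exported one, so a per-component analysis would miss it while a cross-component one reports the `startService(next)` call.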

Erez Yalon

Aug 16, 2020, 4:59:35 PM
to Sergey Toshin, Jim Manico, OWASP Mobile Top Ten
Why do we even have these lists?

On Sun, Aug 16, 2020, 00:14 Sergey Toshin <sto...@oversecured.com> wrote:

Oh okay, now I know the process

Summary: A static SaaS-based vulnerability scanner for Android apps (APK files); supports apps written in Java and Kotlin. Also allows integration into DevOps processes.

Jim Manico

Aug 16, 2020, 5:05:25 PM
to Erez Yalon, Sergey Toshin, OWASP Mobile Top Ten
There is absolutely no need for OWASP to keep track of vendors in a certain space. I think keeping the meta info about static analysis but dropping the vendor list is appropriate.

--
Jim Manico
@Manicode
Secure Coding Education

On Aug 16, 2020, at 10:59 AM, Erez Yalon <erez....@gmail.com> wrote:



Amit Lavi

Oct 12, 2020, 2:25:54 PM
to OWASP Mobile Top 10 Risks, sto...@oversecured.com
Can someone help me remove it for good?


On Saturday, August 15, 2020 at 16:28:35 UTC+3, sto...@oversecured.com wrote: