Summit 2011/Open letter to WebAppSec Tool and Services vendors: Release your schemas and allow automation

 '''IMPORTANT DISCLAIMER: THIS LETTER IS NOT AN OFFICIAL OWASP POSITION. THE OWNERSHIP OF ITS REQUEST BELONGS TO THE NAMES UNDER THE 'SIGNED BY' SECTION'''

Signed by

 * Dinis Cruz - Application Security Consultant - Independent
 * Sebastien Deleersnyder - Managing Technical Consultant - SAIT Zenitel
 * Alexander Meisel - CTO - art of defence
 * Sven Vetsch - Senior Security Tester - Dreamlab Technologies
 * Daniel Cuthbert - Assessment Manager - SensePost
 * Eoin Keary - EMEIA Attack & Penetration Senior Manager - Ernst & Young
 * Anurag Agarwal - Founder - MyAppSecurity
 * Zaki Akhmad - Security Analyst - indocisc
 * Sebastien Gioria - Head of Security and IT Audit - Groupe Y
 * Paolo Perego - Application Security Specialist - armoredcode.com
 * Steven van der Baan - Software Architect - Sogeti Nederland
 * Andres Andreu - CTO & Founder - neuroFuzz
 * Marinus Kuivenhoven - Sr. Security Specialist - Sogeti Nederland
 * James McGovern - Chief Security Architect - The Hartford
 * Antonio Parata - CTO - Euery

Please use the format: {Name - Role - Company}

Vendors that agreed to provide some/all requested materials

 * art of defence
 * WhiteHat:
 * provided PDF with sample XML files and API details
 * provided access to demo account to allow schema development and API tests
 * Veracode:
 * provided access to demo account to allow schema development and API tests
 * OWASP Zed Attack Proxy
 * all code and report formats are (and will remain) open source
 * example reports to be supplied
 * undertake to enhance ZAP to integrate with other tools in as open and an effective a way as possible

Relevant initiatives

 * http://csrc.nist.gov/publications/drafts/nistir-7756/Draft-nistir-7756_feb2011.pdf (NIST: CAESARS FrameworkExtension: An EnterpriseContinuous MonitoringTechnical ReferenceArchitecture (Draft))