[Owasp-leaders] Owasp Inquiry on "Cenzic patent on 'Fault injection methods and apparatus' "
dinis.cruz at owasp.org
Thu Feb 17 13:29:55 EST 2011
The problem with this case is that if OWASP doesn't do anything, that in
itself is taking a position (some might argue that it would be the equivalent of
'putting the head into the sand and ignoring what is happening').
This is definitely a case where we will be damned if we do and damned if we
don't (ignoring this will not make the issue go away).
This case goes to the heart of a lot of things at OWASP (including our
ability to continue to innovate on the WebApp tools space).
In fact, as some of the recommendations already provided in this small
thread clearly show, if there is no clear 'position' and guidelines from
OWASP's community, we will actually create a much worse environment.
We need to start this process from the point of view that we need to
listen to both sides of the story; we first need to clarify what the
facts are and what is really going on.
We shouldn't start from the premise that Cenzic is wrong, that its products
should be boycotted or that the WebAppSec buyers should buy Cenzic's
On 17 February 2011 18:19, Dan Cornell <dan at denimgroup.com> wrote:
> > What I would do: 1) Buy NTObjectives' scanner and/or service and
> > recommend it to others. 2) cite Cenzic for breach-of-contract of their
> > software support & upgrade contracts, if you are a current customer of
> > theirs (one cannot reasonably expect a company to be able to upgrade
> > their product if they are forcing stifled innovation in a growing and
> > needy industry), 3) If you're a Veracode customer, consider trading
> > your credits (or budget for the year) to dynamic analysis services
> > (which can only stand to help NTObjectives), and 4) If you are an
> > attorney, or have a GC at your company, contact NTObjective's legal
> > counsel.
> > It also appears that one can list prior art on that stop232patent.com
> > website, but I have no idea what fits the criteria. Elza? Nikto?
> > Phrack magazine's 1998 article on SQL injection? OULU's work on
> > PROTOS? Wisc.edu Bart Miller's 1989 work on fuzz.c? Gary McGraw's 1998
> > book on "Software Fault Injection"?
> Agreed! I suppose my point is that these are all decisions/activities that
> make sense for people or firms to take in their name, not in the OWASP name.
> And I think that is a healthier approach versus OWASP holding an
> ominously-named "Inquiry" into a Supporter organization (or any
> organization, for that matter). Now if OWASP wanted to start a "Prior Art"
> project that might be something...