[Owasp-board] Barracuda taking OWASP name in vain?

Dinis Cruz dinis at ddplus.net
Wed Feb 13 05:09:59 UTC 2008


This is probably one of the oldest recurring themes on OWASP that I can
remember, i.e. how to deal with this type of abuse.

In fact, Paulo's project on SpoC was to handle these situations, before I
hijacked him for SpoC Management (due to lack of time from the previous
candidate (one of the Italian guys)).

Since this is a bit of a can of worms and one that needs to be done with
some sensitivity and follow up (because once we start this thread it will go
on and on and on), unless one of you (board member) wants to take this
personally, I would recommend a first mild approach and ask Alison to
contact Barracuda 'Officially' from OWASP and ask for clarifications.

I think Alison should send Barracuda two items: an Email and a posted letter
(on OWASP's letterhead) with a simple question: "We (OWASP) would like more
clarifications from you on what exactly you mean by the statements below
(include text), please advise. Thanks"

And let's see how they react.

Part of the problem with this issue is that at the moment we (OWASP)
have not been very active in identifying what is acceptable, what is
'pushing the reality a bit' and what is NOT acceptable. A 'Wall of Shame' is
inevitable :) but we need to get there in baby steps. For example at Ounce
Labs I don't have a good framework and practical guidelines to give the
marketing guys (and I do give them some heat on some of the statements they
make).

What do you guys think? If you are OK, Alison can work on that letter and
post it here for review before sending it (in fact we should also send a
copy of that letter to the owasp-leaders list).

Dinis

On 2/12/08, Sebastien Deleersnyder <Sebastien.Deleersnyder at telindus.be>
wrote:
>
>  Ok for me.
>
> Only to be used for extreme abuse, we should not waste efforts on witch
> hunting.
>
>
>
> Regards
>
>
>
> Seba
>
>
>
> *From:* owasp-board-bounces at lists.owasp.org [mailto:
> owasp-board-bounces at lists.owasp.org] *On Behalf Of *Dave Wichers
> *Sent:* 12 February 2008 19:20
> *To:* jeff.williams at owasp.org; 'Andrew van der Stock'; 'OWASP Board'
> *Subject:* Re: [Owasp-board] Barracuda taking OWASP name in vain?
>
>
>
> Seems reasonable to me.
>
>
>
> -Dave
>
>
>
> *From:* owasp-board-bounces at lists.owasp.org [mailto:
> owasp-board-bounces at lists.owasp.org] *On Behalf Of *Jeff Williams
> *Sent:* Tuesday, February 12, 2008 1:18 PM
> *To:* 'Andrew van der Stock'; 'OWASP Board'
> *Subject:* Re: [Owasp-board] Barracuda taking OWASP name in vain?
>
>
>
> Yes – Curphey blogged about it and it's been on the OWASP feed too.  The
> question is whether/how to respond to ridiculous abuses of the OWASP name
> like this.  I'd like to have some kind of protocol to follow here, like…
>
>
>
> 1)      Nice letter explaining the brand and the violation
>
> 2)      If unfixed, warning letter explaining consequences (wall of shame)
>
> 3)      If unfixed, wall of shame
>
>
>
> Agree?
>
>
>
> --Jeff
>
>
>
> *From:* owasp-board-bounces at lists.owasp.org [mailto:
> owasp-board-bounces at lists.owasp.org] *On Behalf Of *Andrew van der Stock
> *Sent:* Tuesday, February 12, 2008 1:36 AM
> *To:* OWASP Board
> *Subject:* [Owasp-board] Barracuda taking OWASP name in vain?
>
>
>
> Hi guys,
>
>
>
> You might have seen this.
>
>
>
> From
> http://www.businesswire.com/portal/site/google/index.jsp?ndmViewId=news_view&newsId=20080207005234&newsLang=en
>
>
>
> *About Barracuda Web Application Controllers*
>
> Barracuda Web Application Controllers, including both the Barracuda Web
> Application Firewall and Barracuda Application Gateway, protect Web sites
> from attackers leveraging protocol or application vulnerabilities to
> instigate unauthorized access, data theft, denial of service or defacement.
> Designed to deliver comprehensive Web security, Barracuda Web Application
> Controllers act as a proxy for Web traffic to insulate Web servers from
> direct access by hackers, enforces data security standards, such as the
> Payment Card Industry Data Security Standard (PCI DSS), and secures Web
> sites against the top 10 major Web vulnerabilities compiled by Open Web
> Application Security Project (OWASP). Available in two models, the
> Barracuda Web Application Firewall provides Web applications and Web
> services with complete protection against malicious attacks. The Barracuda
> Application Gateway, also available in three models, enhances the
> powerful Barracuda Web Application Firewall to integrate traffic management
> capabilities for increased performance and availability.
>
> I don't think *anything* can. I deliberately made some of the Top 10 NP
> hard problems to avoid claims such as this.
>
>
>
> thanks,
>
> Andrew