[Owasp-board] Barracuda taking OWASP name in vain?

Jeff Williams jeff.williams at owasp.org
Wed Feb 13 06:23:24 UTC 2008

Here's one I sent to some company who was abusing OWASP a while back.  I got
no response.





We've been notified from several sources that your company is referencing
the OWASP Top Ten and actually it has caused a bit of concern.  You may not
know that OWASP has a set of established brand usage rules that govern the
use of the OWASP name and logo.




Could you provide us details of exactly how SmartAudit matches up with and
covers the OWASP Top Ten?   See http://www.owasp.org/index.php/Top_10_2007
for the latest version.


Please don't hesitate to contact me to discuss any of the above. Thanks,




Jeff Williams, Chair

 <http://www.owasp.org/> The OWASP Foundation

work: 410-707-1487

main: 301-604-4882


From: Dinis Cruz [mailto:dinis at ddplus.net] 
Sent: Wednesday, February 13, 2008 12:10 AM
To: Sebastien Deleersnyder
Cc: Dave Wichers; jeff.williams at owasp.org; Andrew van der Stock; OWASP Board
Subject: Re: [Owasp-board] Barracuda taking OWASP name in vain?


This is probably one of the oldest recurring themes on OWASP that I can
remember, i.e. how to deal with this type of abuse.

In fact, Paulo's project on SpoC was to handle these situations, before I
hijacked him for SpoC Management (due to lack of time from the previous
candidate (one of the Italian guys)).

Since this is a bit of a can of worms and one that needs to be done with
some sensitivity and follow up (because once we start this thread it will go
on and on and on), unless one of you (board member) wants to take this
personally, I would recommend a first mild approach and ask Alison to
contact Barracuda 'Officially' from OWASP and ask for clarifications.

I think Alison should send Barracuda two items: an Email and a posted letter
(on OWASP's letterhead) with a simple question: "We (OWASP) would like more
clarifications from you on what exactly you mean by the statements below
(include text), please advise. Thanks"

And let's see how they react.

Part of the problem with this issue at the moment is that we (OWASP)
have not been very active in identifying what is acceptable, what is
'pushing the reality a bit' and what is NOT acceptable. A 'Wall of Shame' is
inevitable :)  but we need to get there in baby steps. For example at Ounce
Labs I don't have a good framework and practical guidelines to give the
marketing guys (and I do give them some heat on some of the statements they

What do you guys think? If you are Ok, Alison can work on that letter and
post it here for review before sending it (in fact we should also send a
copy of that letter to the owasp-leaders list)


On 2/12/08, Sebastien Deleersnyder <Sebastien.Deleersnyder at telindus.be>

Ok for me.

Only to be used for extreme abuse, we should not waste efforts on witch






From: owasp-board-bounces at lists.owasp.org
[mailto:owasp-board-bounces at lists.owasp.org] On Behalf Of Dave Wichers
Sent: 12 February 2008 19:20
To: jeff.williams at owasp.org; 'Andrew van der Stock'; 'OWASP Board'
Subject: Re: [Owasp-board] Barracuda taking OWASP name in vain?


Seems reasonable to me.




From: owasp-board-bounces at lists.owasp.org
[mailto:owasp-board-bounces at lists.owasp.org] On Behalf Of Jeff Williams
Sent: Tuesday, February 12, 2008 1:18 PM
To: 'Andrew van der Stock'; 'OWASP Board'
Subject: Re: [Owasp-board] Barracuda taking OWASP name in vain?


Yes - Curphey blogged about it and it's been on the OWASP feed too.  The
question is whether/how to respond to ridiculous abuses of the OWASP name
like this.  I'd like to have some kind of protocol to follow here, like:


1) Nice letter explaining the brand and the violation

2) If unfixed, warning letter explaining consequences (wall of shame)

3) If unfixed, wall of shame






From: owasp-board-bounces at lists.owasp.org
[mailto:owasp-board-bounces at lists.owasp.org] On Behalf Of Andrew van der
Sent: Tuesday, February 12, 2008 1:36 AM
To: OWASP Board
Subject: [Owasp-board] Barracuda taking OWASP name in vain?


Hi guys,


You might have seen this. 


w&newsId=20080207005234&newsLang=en> &newsId=20080207005234&newsLang=en


About Barracuda Web Application Controllers

Barracuda Web Application Controllers, including both the Barracuda Web
Application Firewall and Barracuda Application Gateway, protect Web sites
from attackers leveraging protocol or application vulnerabilities to
instigate unauthorized access, data theft, denial of service or defacement.
Designed to deliver comprehensive Web security, Barracuda Web Application
Controllers act as a proxy for Web traffic to insulate Web servers from
direct access by hackers, enforces data security standards, such as the
Payment Card Industry Data Security Standard (PCI DSS), and secures Web
sites against the top 10 major Web vulnerabilities compiled by Open Web
Application Security Project (OWASP). Available in two models, the Barracuda
Web Application Firewall provides Web applications and Web services with
complete protection against malicious attacks. The Barracuda Application
Gateway, also available in three models, enhances the powerful Barracuda Web
Application Firewall to integrate traffic management capabilities for
increased performance and availability.

I don't think *anything* can. I deliberately made some of the Top 10 NP hard
problems to avoid claims such as this. 






