[Owasp-board] [Owasp-leaders] RFC: OWASP COMMERCIAL SERVICES REGISTRY

Eoin eoin.keary at owasp.org
Mon Apr 26 12:46:28 UTC 2010


Mike, thanks,
so given this is a list of orgs "who claim" they provide such services, are
we delivering the information as such, i.e., organisations "who claim", and it
is clear OWASP does not endorse or verify any of these claims?
 - Can we have this made very clear on the site please?

Again, re passing and failing applications for registration, we need a number
of individuals to assess each application. This cannot be left to one
individual; this avoids any difficult potential commercial conflicts of
interest arising, or even the perception of one.

Eoin
On 26 April 2010 13:21, Boberski, Michael [USA] <boberski_michael at bah.com>wrote:

> Question:
>
> Is this simply
>
> (1) a bulletin board where OWASP does not assess the individual listed
> organisations? If so, this will take significant effort to police.
>
> *[Mike] No, it would be configured like the “Jobs” page. I would be the
> one making updates as the project lead in response to email
> queries/requests. Presumably Kate and so on would also have access for
> administrative purposes.*
>
> (2) a list of recognised/proven orgs who actually provide OWASP related
> services?
>
> *[Mike] It will be a list of vendors who claim they provide services based
> on OWASP deliverables.*
>
> If (2), an approval criterion needs to be established; there are a number
> of reasons for this, one being governance and openness but also to
> prevent misuse of this opportunity by organisations.
>
> *[Mike] Check out the requirements that preface each table on each tab.*
>
> If (2), I believe we need to establish an approval board or committee to
> assess orgs who wish to add themselves to the registry. I don't believe one
> individual can make this decision.
>
> *[Mike] Orgs won’t add themselves, as noted above. The basis for
> accepting/rejecting listings will be based on the requirements that preface
> each table on each tab. E.g. the requirement “approach to performing
> verifications” would be passed/failed when a request is submitted to be
> listed depending on whether an approach was provided, not the quality or
> content of the approach. E.g. if a company has SQL injection sniffing dogs
> and that’s how they do verification, good enough.*
>
> If (1), we need a strong disclaimer on the pages, but either option will need
> control to prevent spam etc.
>
> *[Mike] Orgs won’t add themselves, as noted above.*
>
> Question:
>
> Once organisations get onto the registry, how long can they stay on it, ad
> infinitum?
>
> *[Mike] Yes.*

-- 
Eoin Keary
OWASP Global Board Member
OWASP Code Review Guide Lead Author

http://asg.ie/
https://twitter.com/EoinKeary