[Owasp-board] VOTE: OWASP Quotes

Seba seba at owasp.org
Tue Jul 20 05:03:30 UTC 2010


I've understood it this way. It's just too slippery a road to have
owasp put out quotes on external organisations' commercial offerings

to the extreme: should owasp 'quote' they like the esapi services
company x, y or z is offering. or O2?
I think these companies can do that themselves, and if they are smart
link themselves through membership / direct project or chapter
sponsoring

I think it is more 'loaded' to put out an owasp quote than to have a
list (moderated or not) of organisations performing services linked to
owasp projects

--Seba

On Tue, Jul 20, 2010 at 5:56 AM, Jeff Williams <jeff.williams at owasp.org> wrote:
> Just to be totally clear here...
>
> 1. As I've explained before, I believe we need to unite our ecosystem (open
> and commercial) if we are to make progress against insecure software. Not by
> compromising our principles, but by figuring how open and commercial can
> live together peacefully. This proposal is a much less dangerous way to
> start than the others we've discussed.
>
> 2. We wouldn't be endorsing or recommending anything. At most it would be an
> indirect promotion of an organization, by complimenting (or criticizing)
> something that they are doing that is directly beneficial (or harmful) to
> our mission.
>
> Ordinarily, I wouldn't interfere with a vote in progress, but Seba's note
> made me think that perhaps I hadn't explained well enough.  Thanks for your
> patience.
>
> --Jeff
>
> -----Original Message-----
> From: sebastien.deleersnyder at gmail.com
> [mailto:sebastien.deleersnyder at gmail.com] On Behalf Of Seba
> Sent: Monday, July 19, 2010 11:30 PM
> To: dinis cruz
> Cc: Jeff Williams; OWASP Foundation Board List; Dan Cornell; Cornell Dan
> Subject: Re: [Owasp-board] VOTE: OWASP Quotes
>
> NO, which is in line with our mission "... OWASP Foundation does not
> endorse or recommend commercial products or services allowing our
> community to remain vendor agnostic with the collective wisdom of the
> best minds in application security worldwide."
>
> I don't see the value for OWASP to promote commercial services from
> vendors, which they are perfectly able to do themselves.
>
> --Seba
>
>
> On Tue, Jul 20, 2010 at 2:29 AM, dinis cruz <dinis.cruz at owasp.org> wrote:
>> YES, we need to give this a go since it is critical for OWASP's future that
>> we (eventually) get a model that works and is accepted fully by the
>> community (in fact we are already late on this, but it's better late than
>> ever).
>> There are a number of Governance issues that we need to fine tune (and
>> create guidelines for), but for the key decision regarding OWASP's 'on the
>> record' quotes, it is an absolute YES from me
>> Thanks Jeff for keeping this alive (I actually thought yesterday about
>> pinging you about this :)  )
>>
>> Dinis Cruz
>>
>>
>>
>>
>> On 19 July 2010 23:58, Jeff Williams <jeff.williams at owasp.org> wrote:
>>>
>>> All,
>>>
>>> I'd like to run this to ground. I think we've agreed that if we do this,
>>> there should be a centralized (experimental-for-now) quote page on the
>>> wiki
>>> that will allow for some notice-and-comment by OWASP Leaders before a
>>> quote
>>> is made official.
>>>
>>> So let's vote on whether to do this at all. Should OWASP produce quotes
>>> about things that help our mission, promote application security, promote
>>> OWASP, are consistent with our ethics and principles, are not biased
>>> towards
>>> a single vendor, and do not endorse a vendor. This might include
>>> commercial
>>> services like Veracode's service (see voting options below) (appreciate
>>> your
>>> input on this Dan)
>>>
>>> YES - sure, OWASP can issue quotes according to the rules above because
>>> it's
>>> good for the application security market overall, which helps our mission.
>>>
>>> NO - no way, OWASP should never issue quotes about commercial entities as
>>> it
>>> leads us down an awful sticky path that will tarnish our reputation
>>> forever.
>>>
>>> YESNC - OWASP should only issue quotes about non-commercial projects and
>>> efforts.
>>>
>>> I'll take the lead if we decide this is a good function for OWASP to do.
>>>
>>> Thanks,
>>>
>>> --Jeff
>>>
>>> Jeff Williams, Chair
>>> The OWASP Foundation
>>> work: 410-707-1487
>>> main: 301-604-4882
>>>
>>>
>>> -----Original Message-----
>>> From: Dan Cornell [mailto:dan at denimgroup.com]
>>> Sent: Monday, June 28, 2010 1:43 PM
>>> To: Brennan - OWASP; Jeff Williams
>>> Cc: 'dinis cruz'; 'OWASP Foundation Board List'; 'Cornell Dan'; Dan
>>> Cornell
>>> Subject: RE: [Owasp-board] Need guidance on providing OWASP quote to
>>> Veracode
>>>
>>>
>>> I might not know the full details of this current situation, but it seems
>>> like we might want to approach from the other direction via the OWASP
>>> Commercial Services Registry.  Organizations can provide as much
>>> transparency
>>> and guidance on how their products and services relate to OWASP, but OWASP
>>> doesn't have to take a stand on how well they do what they say - just
>>> provide them a platform with a caveat.
>>>
>>> To _really_ verify that Veracode (or anyone) truly tests for OWASP Top 10
>>> or
>>> OWASP ASVS Level XYZ would be a huge burden on OWASP and still open to
>>> interpretation.  It is hard to see how this won't be quickly misused and
>>> then OWASP leadership will have to start making determinations of which
>>> organizations are in-line with OWASP's values.  We (Denim Group) include
>>> some reporting about OWASP Top 10 in our assessments reports.  I'd love to
>>> have a quote from Jeff Williams saying what a great job we do  :)  But
>>> that's not the right way to approach.  I'd rather provide guidance on how
>>> we
>>> do testing and why we think this is great via the Commercial Services
>>> Registry and let folks evaluate as they see fit.
>>>
>>> It would be hard enough to find the "OWASP voice" for general industry
>>> issues like certification.  When we mix vendor and independence issues
>>> into
>>> the discussion we're treading on dangerous ground.
>>>
>>> Thanks,
>>>
>>> Dan
>>>
>>>
>>>
>>> > I would support that at this point stage of OWASP Foundation.
>>> >
>>> > Take a look at the most current list:
>>> >
>>> > http://www.owasp.org/index.php/Membership#Current_OWASP_Organization_Supporters_.26_Individual_Members
>>> >
>>> > What can you say about EVERYONE?
>>> >
>>> > Since we do not endorse anyone, we can say these firms have
>>> > demonstrated an alliance to the goals and mission of OWASP.  Maybe we
>>> > send them a signed letter thanking them for the support
>>> >
>>> >
>>> >
>>> > On Jun 28, 2010, at 1:01 PM, Jeff Williams wrote:
>>> >
>>> > > I'll follow up with them today about this and ask if they've made any
>>> > progress on their claimed transparency.  As I mentioned at the outset,
>>> > if they're not transparent about what they cover and what they do, then
>>> > I don't think the quote is justified.
>>> > >
>>> > > Tom, were you suggesting that we shouldn't do *any* quote about
>>> > companies that are non-members?
>>> > >
>>> > > --Jeff
>>> > >
>>> > >
>>> > > From: dinis cruz [mailto:dinis.cruz at owasp.org]
>>> > > Sent: Monday, June 28, 2010 9:53 AM
>>> > > To: Brennan - OWASP
>>> > > Cc: Jeff Williams; OWASP Foundation Board List; Cornell Dan
>>> > > Subject: Re: [Owasp-board] Need guidance on providing OWASP quote to
>>> > Veracode
>>> > >
>>> > > Sorry, the last email was sent too soon; the last comment I was making was
>>> > (new bit in bold):
>>> > >
>>> > > ... And yes, your list of firms around OWASP is just a small subset
>>> > of the companies that would want to play this game (note how Jeff's
>>> > quote (which eventually will become OWASP's quote) is sending a
>>> > 'parallel' message that 'some' product companies are dangerously
>>> > asserting Top 10 coverage and compliance
>>> > >
>>> > > Dinis Cruz
>>> > >
>>> > >
>>> > > On 28 June 2010 14:50, dinis cruz <dinis.cruz at owasp.org> wrote:
>>> > > We need to have both quotes
>>> > >
>>> > > one that is generic for each type of user or type of usage of OWASP
>>> > materials
>>> > > one that is specific to a particular scenario (like the Veracode one)
>>> > > For reference here is the original quote that Jeff proposed that we
>>> > gave Veracode:
>>> > >
>>> > > "The OWASP Foundation is pleased that Veracode will support the Top
>>> > 10. Managing application security requires an understanding of what has
>>> > been checked and what has not. Veracode's message of transparency and
>>> > combining both manual and automated verification techniques stand in
>>> > stark contrast to those product vendors that wrongly and dangerously
>>> > assert complete Top 10 coverage and compliance."
>>> > >
>>> > > I think this is a very important quote for OWASP to be providing and
>>> > we need to do it.
>>> > >
>>> > > BUT (as I said in previous emails) we need to do this under a clear
>>> > process and (in the beginning) under a 'this is an experiment' banner'
>>> > >
>>> > > And yes, your list of firms around OWASP is just a small subset of
>>> > the companies that would want to play this game (note how Jeff's quote
>>> > (which eventually will become OWASP's q
>>> > >
>>> > >
>>> > > Dinis Cruz
>>> > >
>>> > > Blog: http://diniscruz.blogspot.com
>>> > > Twitter: http://twitter.com/DinisCruz
>>> > > Web: http://www.owasp.org/index.php/O2
>>> > >
>>> > >
>>> > >
>>> > > On 28 June 2010 14:44, Brennan - OWASP <tomb at owasp.org> wrote:
>>> > > Sounds like you are suggesting a (3) generic or blanket quote to be
>>> > used by corporate, university and industry  sponsors in unification of
>>> > the Owasp mission
>>> > >
>>> > > Look at core firms look around the room
>>> > >
>>> > > Aspect
>>> > > WhiteHat
>>> > > Trustwave
>>> > > Denim
>>> > > Fortify
>>> > > Veracode
>>> > > Columbia
>>> > > NYC poly
>>> > > Salesforce
>>> > > <insert>....
>>> > >
>>> > > Keep it simple.  As a value of membership you get to use one of these
>>> > in releases as you are a recognized supporter.  If you want to hire or
>>> > retain PR company they would tell you the same ( I just called a buddy
>>> > in the PR industry for her thoughts )
>>> > >
>>> > > Tom Brennan
>>> > > 973-506-9303
>>> > >
>>> > >
>>> > > On Jun 28, 2010, at 9:14 AM, dinis cruz <dinis.cruz at owasp.org> wrote:
>>> > >
>>> > > I don't think that fairness is the issue here, but the process of
>>> > how we do this (and we need to look at this from OWASP's point of view,
>>> > not from Veracode's)
>>> > >
>>> > > I don't see how we can deliver these 'official OWASP quotes' outside
>>> > of our website!
>>> > >
>>> > > What would be the delivery mechanism? An email from a board member?
>>> > An email from an OWASP employee? Is that email that will make it an
>>> > official OWASP quote?
>>> > >
>>> > > Some of these opinions have the potential to generate some
>>> > controversy (which in some cases is going to be a good thing), but we
>>> > have to make sure we have a solid and clear process.
>>> > >
>>> > > Given the urgency of the request and the fact that it is the first
>>> > one, we can explicitly shortcut some of the steps (like the public
>>> > consultation period)
>>> > >
>>> > > BUT we have to:
>>> > >
>>> > > a) make it come from a special page on the OWASP website
>>> > > b) present it as an experiment (where we are still trying to figure
>>> > out the rules of engagement)
>>> > >
>>> > > Dinis Cruz
>>> > >
>>> > > On 26 Jun 2010, at 18:38, Jeff Williams <jeff.williams at owasp.org>
>>> > wrote:
>>> > >
>>> > > It's not fair to preempt their press release.
>>> > >
>>> > > --Jeff
>>> > >
>>> > > Jeff Williams
>>> > > Aspect Security
>>> > > work: 410-707-1487
>>> > > main: 301-604-4882
>>> > >
>>> > >
>>> > >
>>> > > On Jun 25, 2010, at 4:52 PM, dinis cruz <dinis.cruz at owasp.org> wrote:
>>> > >
>>> > > Have they seen your quote?
>>> > >
>>> > > Due to the time constraints, let's publish the first ideas on how
>>> > this could work in the Wiki at the same time that we give them the
>>> > quote.
>>> > >
>>> > > In fact they should get the quote from the Wiki
>>> > >
>>> > > Dinis Cruz
>>> > >
>>> > > On 25 Jun 2010, at 21:25, Jeff Williams <jeff.williams at owasp.org>
>>> > wrote:
>>> > >
>>> > > They're on kind of a short burn for this particular quote.  How about
>>> > we give them the quote and then put that infrastructure in place
>>> > afterwards.
>>> > >
>>> > > --Jeff
>>> > >
>>> > >
>>> > > From: dinis cruz [mailto:dinis.cruz at owasp.org]
>>> > > Sent: Friday, June 25, 2010 1:28 PM
>>> > > To: Jeff Williams
>>> > > Cc: OWASP Foundation Board List
>>> > > Subject: Re: [Owasp-board] Need guidance on providing OWASP quote to
>>> > Veracode
>>> > >
>>> > > Hi Jeff,
>>> > >
>>> > > I definitely think that OWASP should have 'on the record' quotes
>>> > about what 3rd parties are doing with OWASP's projects.
>>> > >
>>> > > In terms of workflow and rules, I would like to propose that:
>>> > >
>>> > >     * All quotes are placed in specific locations of the OWASP Wiki
>>> > (i.e. on a dedicated pages which could be global to OWASP or project
>>> > specific) where it is obvious that those are OWASP Official quotes
>>> > (this page should be protected from non-wiki-admin edits)
>>> >     * For each 'official OWASP quote' there should be a period of
>>> > consultation where all interested parties have the opportunity to 'on
>>> > the record' comment (namely OWASP Committee members and leaders)
>>> > >     * The first pass at the 'quote' should be made by the board or a
>>> > committee that we delegate the responsibility (maybe the Industry one
>>> > (when it becomes alive again))
>>> > >     * After the consultation period, the board has final decision on
>>> > the final wording of the text
>>> > >     * There are cases where the 'OWASP official quote' will probably
>>> > be 'OWASP has no comment on this topic'
>>> > > What do you think? We should use this Veracode request to try this
>>> > out (which again should be presented to our community as an
>>> > 'experiment')
>>> > >
>>> > > Dinis Cruz
>>> > >
>>> > >
>>> > > On 24 June 2010 03:35, Jeff Williams <jeff.williams at owasp.org> wrote:
>>> > > Here's the background.  Veracode is going to start supporting the
>>> > OWASP T10 output format.  They are making a big deal about how OWASP
>>> > has grown to achieve widespread industry acceptance, blah blah blah...
>>> > They are also pushing a clear message that gaining assurance involves a
>>> > combination of both automated and manual testing.
>>> > >
>>> > > On the call, I asked them whether they would be willing to be very
>>> > clear about exactly which of the OWASP T10 recommendations their
>>> > product/service verifies.  This was my minimum bar for participating.
>>> > At the high end, I asked if they would go through the ASVS and indicate
>>> > which of those they can verify.
>>> > >
>>> > > Essentially, all they're doing is what everyone does: say that their
>>> > service solves the OWASP T10.   I think we should ONLY support these
>>> > statements if the vendor is willing to FULLY disclose exactly what
>>> > their coverage is and how it is achieved.  That goes right to the core
>>> > of the issue we've been discussing.  I think we can support these
>>> > commercial vendors as long as they do their part in making security
>>> > *visible*.
>>> > >
>>> > > So they've asked me for a quote.  Assuming they disclose, I'm
>>> > thinking something like...
>>> > >
>>> > > "The OWASP Foundation is pleased that Veracode will support the Top
>>> > 10. Managing application security requires an understanding of what has
>>> > been checked and what has not. Veracode's message of transparency and
>>> > combining both manual and automated verification techniques stand in
>>> > stark contrast to those product vendors that wrongly and dangerously
>>> > assert complete Top 10 coverage and compliance."
>>> > >
>>> > > VOTE: Do you think OWASP should issue quotes like this when vendors
>>> > do something that 1) involves OWASP and 2) is basically in line with
>>> > our principles.  Or should we just stay clear.
>>> > >
>>> > > --Jeff
>>> > >
>>> > > Jeff Williams, Chair
>>> > > The OWASP Foundation
>>> > > work: 410-707-1487
>>> > > main: 301-604-4882
>>> > >
>>> > >
>>> > > _______________________________________________
>>> > > Owasp-board mailing list
>>> > > Owasp-board at lists.owasp.org
>>> > > https://lists.owasp.org/mailman/listinfo/owasp-board
>>> > >
>>> > >
>>> >
>>>
>>>
>>
>>
>
>