[Owasp-board] VOTE: OWASP Quotes

Seba seba at owasp.org
Tue Jul 20 13:40:24 UTC 2010


ok, you have a point. With the highlighting this can be interpreted
differently, and then I would move towards YESNC or YES.

I have to think about this: can we have an idea on operational impact
and put this up for vote during the next board meeting (Mon Aug-2 ?)

--Seba




On Tue, Jul 20, 2010 at 3:26 PM, dinis cruz <dinis.cruz at owasp.org> wrote:
> See I actually see this the other way around. This is not about OWASP giving
> quotes to other companies, but about OWASP controlling the message (which is
> something that we don't do at the moment). It is also a way to gradually
> increase the pressure on commercial vendors around the OWASP and WebAppSec
> community to do the right thing (remember that we control the message here
> and can use it strategically to change the market)
> This is the opportunity that OWASP has to set 'on the record' comments about
> what is going on. Yes sometimes this will mean that we should say "that
> company or group of companies over there is doing a good job around OWASP
> Project XYZ", BUT it also allows us to say "OWASP does not agree with what
> is going on over there" or "That is for the market to decide" or "project
> XYZ is currently NOT correctly represented/understood by the industry (for
> example Top 10 used as a standard)"
> In fact, if we don't at least have this facility (to create these quotes)
> then what we are left with is even worse. The only people 'talking' will be
> the vendors and their marketing departments.
> Also note that this also applies to other types of
> companies, organizations and communities that are part of the OWASP
> community. If we vote NO on this one, then does that mean that we can't
> produce a quote on Boing's recent copyright assignment to OWASP, or
> SalesForce OWASP Security Ecosystem participation or Facebook's EASPI
> reference implementation?
> And if you vote NO, you will not be able to complain in the future about an
> abuse of the OWASP brand and projects, since there is nothing we can't do
> about it.
> Look at Jeff's quote again (my highlights in bold):
> "So let's vote on whether to do this at all. Should OWASP produce
> quotes about things that help our mission, promote application security,
> promote
> OWASP, are consistent with our ethics and principles, are not biased
> towards a single vendor, and do not endorse a vendor. This might include
> commercial
> services like Veracode's service"
> My only issues are operational and those will be sorted in time (and via the
> reaction of the community). And again, this is an experiment that can be
> voted out in the future (if it has been proved that it doesn't work)
> In some ways this is actually providing these external companies
> and organizations a WAY to work with OWASP. At the moment we have no clear
> guidance for how to behave around OWASP and my fear of not doing this, is
> that we will be sending a message to the rest of our community that "you
> cannot work with OWASP and you are free to come up with whatever your
> marketing department thinks they can get away with"
> Veracode's case was actually a good example of this starting to work well,
> since for the first time we had a vendor 'talking' to OWASP and trying to
> figure out the best way forward. And if you look at Jeff's original proposal
> comment it was 'loaded' in a very powerful way, since it was sending an
> indirect message to the other players in that industry that they should be
> doing the same thing.
> The final point I would like to make, is that these quotes could become a
> great 'asset' for OWASP (and if you look around we don't have THAT many
> assets), since the moment companies play the game, is the moment those
> companies have a vested interest in continuing their positive behaviour (or
> risk the backlash of having a 'negative quote' or 'quote removal' problem)
> Dinis Cruz
>
> On 20 July 2010 06:03, Seba <seba at owasp.org> wrote:
>>
>> I've understood it this way. It's just too slippery a road to have
>> owasp put out quotes on external organisations' commercial offerings
>>
>> to the extreme: should owasp 'quote' they like the esapi services
>> company x, y or z is offering. or O2?
>> I think these companies can do that themselves, and if they are smart
>> link themselves through membership / direct project or chapter
>> sponsoring
>>
>> I think it is more 'loaded' to put out an owasp quote than to have a
>> list (moderated or not) of organisations performing services linked to
>> owasp projects
>>
>> --Seba
>>
>> On Tue, Jul 20, 2010 at 5:56 AM, Jeff Williams <jeff.williams at owasp.org>
>> wrote:
>> > Just to be totally clear here...
>> >
>> > 1. As I've explained before, I believe we need to unite our ecosystem (open
>> > and commercial) if we are to make progress against insecure software. Not by
>> > compromising our principles, but by figuring out how open and commercial can
>> > live together peacefully. This proposal is a much less dangerous way to
>> > start than the others we've discussed.
>> >
>> > 2. We wouldn't be endorsing or recommending anything. At most it would be an
>> > indirect promotion of an organization, by complimenting (or criticizing)
>> > something that they are doing that is directly beneficial (or harmful) to
>> > our mission.
>> >
>> > Ordinarily, I wouldn't interfere with a vote in progress, but Seba's note
>> > made me think that perhaps I hadn't explained well enough.  Thanks for your
>> > patience.
>> >
>> > --Jeff
>> >
>> > -----Original Message-----
>> > From: sebastien.deleersnyder at gmail.com
>> > [mailto:sebastien.deleersnyder at gmail.com] On Behalf Of Seba
>> > Sent: Monday, July 19, 2010 11:30 PM
>> > To: dinis cruz
>> > Cc: Jeff Williams; OWASP Foundation Board List; Dan Cornell; Cornell Dan
>> > Subject: Re: [Owasp-board] VOTE: OWASP Quotes
>> >
>> > NO, which is in line with our mission "... OWASP Foundation does not
>> > endorse or recommend commercial products or services allowing our
>> > community to remain vendor agnostic with the collective wisdom of the
>> > best minds in application security worldwide."
>> >
>> > I don't see the value for OWASP to promote commercial services from
>> > vendors, which they are perfectly able to do themselves.
>> >
>> > --Seba
>> >
>> >
>> > On Tue, Jul 20, 2010 at 2:29 AM, dinis cruz <dinis.cruz at owasp.org>
>> > wrote:
>> >> YES, we need to give this a go since it is critical for OWASP's future that
>> >> we (eventually) get a model that works and is accepted fully by the
>> >> community (in fact we are already late on this, but it's better late than
>> >> never).
>> >> There are a number of Governance issues that we need to fine tune (and
>> >> create guidelines for), but for the key decision regarding OWASP's 'on the
>> >> record' quotes, it is an absolute YES from me
>> >> Thanks Jeff for keeping this alive (I actually thought yesterday about
>> >> pinging you about this :)  )
>> >>
>> >> Dinis Cruz
>> >>
>> >>
>> >>
>> >>
>> >> On 19 July 2010 23:58, Jeff Williams <jeff.williams at owasp.org> wrote:
>> >>>
>> >>> All,
>> >>>
>> >>> I'd like to run this to ground. I think we've agreed that if we do this,
>> >>> there should be a centralized (experimental-for-now) quote page on the wiki
>> >>> that will allow for some notice-and-comment by OWASP Leaders before a quote
>> >>> is made official.
>> >>>
>> >>> So let's vote on whether to do this at all. Should OWASP produce quotes
>> >>> about things that help our mission, promote application security, promote
>> >>> OWASP, are consistent with our ethics and principles, are not biased towards
>> >>> a single vendor, and do not endorse a vendor. This might include commercial
>> >>> services like Veracode's service (see voting options below) (appreciate your
>> >>> input on this Dan)
>> >>>
>> >>> YES - sure, OWASP can issue quotes according to the rules above because it's
>> >>> good for the application security market overall, which helps our mission.
>> >>>
>> >>> NO - no way, OWASP should never issue quotes about commercial entities as it
>> >>> leads us down an awful sticky path that will tarnish our reputation forever.
>> >>>
>> >>> YESNC - OWASP should only issue quotes about non-commercial projects and
>> >>> efforts.
>> >>>
>> >>> I'll take the lead if we decide this is a good function for OWASP to do.
>> >>>
>> >>> Thanks,
>> >>>
>> >>> --Jeff
>> >>>
>> >>> Jeff Williams, Chair
>> >>> The OWASP Foundation
>> >>> work: 410-707-1487
>> >>> main: 301-604-4882
>> >>>
>> >>>
>> >>> -----Original Message-----
>> >>> From: Dan Cornell [mailto:dan at denimgroup.com]
>> >>> Sent: Monday, June 28, 2010 1:43 PM
>> >>> To: Brennan - OWASP; Jeff Williams
>> >>> Cc: 'dinis cruz'; 'OWASP Foundation Board List'; 'Cornell Dan'; Dan
>> >>> Cornell
>> >>> Subject: RE: [Owasp-board] Need guidance on providing OWASP quote to
>> >>> Veracode
>> >>>
>> >>>
>> >>> I might not know the full details of this current situation, but it seems
>> >>> like we might want to approach from the other direction via the OWASP
>> >>> Commercial Services Registry.  Organizations can provide as much transparency
>> >>> and guidance on how their products and services relate to OWASP, but OWASP
>> >>> doesn't have to take a stand on how well they do what they say - just
>> >>> provide them a platform with a caveat.
>> >>>
>> >>> To _really_ verify that Veracode (or anyone) truly tests for OWASP Top 10 or
>> >>> OWASP ASVS Level XYZ would be a huge burden on OWASP and still open to
>> >>> interpretation.  It is hard to see how this won't be quickly misused and
>> >>> then OWASP leadership will have to start making determinations of which
>> >>> organizations are in-line with OWASP's values.  We (Denim Group) include
>> >>> some reporting about OWASP Top 10 in our assessment reports.  I'd love to
>> >>> have a quote from Jeff Williams saying what a great job we do  :)  But
>> >>> that's not the right way to approach.  I'd rather provide guidance on how we
>> >>> do testing and why we think this is great via the Commercial Services
>> >>> Registry and let folks evaluate as they see fit.
>> >>>
>> >>> It would be hard enough to find the "OWASP voice" for general industry
>> >>> issues like certification.  When we mix vendor and independence issues into
>> >>> the discussion we're treading on dangerous ground.
>> >>>
>> >>> Thanks,
>> >>>
>> >>> Dan
>> >>>
>> >>>
>> >>>
>> >>> > I would support that at this point stage of OWASP Foundation.
>> >>> >
>> >>> > Take a look at the most current list:
>> >>> >
>> >>> >
>> >>> > http://www.owasp.org/index.php/Membership#Current_OWASP_Organization_Supporters_.26_Individual_Members
>> >>> >
>> >>> > What can you say about EVERYONE?
>> >>> >
>> >>> > Since we do not endorse anyone, we can say these firms have
>> >>> > demonstrated an alliance to the goals and mission of OWASP.  Maybe we
>> >>> > send them a signed letter thanking them for the support
>> >>> >
>> >>> >
>> >>> >
>> >>> > On Jun 28, 2010, at 1:01 PM, Jeff Williams wrote:
>> >>> >
>> >>> > > I'll follow up with them today about this and ask if they've made any
>> >>> > > progress on their claimed transparency.  As I mentioned at the outset,
>> >>> > > if they're not transparent about what they cover and what they do, then
>> >>> > > I don't think the quote is justified.
>> >>> > >
>> >>> > > Tom, were you suggesting that we shouldn't do *any* quote about
>> >>> > companies that are non-members?
>> >>> > >
>> >>> > > --Jeff
>> >>> > >
>> >>> > >
>> >>> > > From: dinis cruz [mailto:dinis.cruz at owasp.org]
>> >>> > > Sent: Monday, June 28, 2010 9:53 AM
>> >>> > > To: Brennan - OWASP
>> >>> > > Cc: Jeff Williams; OWASP Foundation Board List; Cornell Dan
>> >>> > > Subject: Re: [Owasp-board] Need guidance on providing OWASP quote
>> >>> > > to
>> >>> > Veracode
>> >>> > >
>> >>> > > Sorry last email was sent too soon, the last comment I was making was
>> >>> > > (new bit in bold):
>> >>> > >
>> >>> > > ... And yes, your list of firms around OWASP is just a small subset
>> >>> > > of the companies that would want to play this game (note how Jeff's
>> >>> > > quote (which eventually will become OWASP's quote) is sending a
>> >>> > > 'parallel' message that 'some' product companies are dangerously
>> >>> > > asserting Top 10 coverage and compliance
>> >>> > >
>> >>> > > Dinis Cruz
>> >>> > >
>> >>> > >
>> >>> > > On 28 June 2010 14:50, dinis cruz <dinis.cruz at owasp.org> wrote:
>> >>> > > We need to have both quotes
>> >>> > >
>> >>> > > one that is generic for each type of user or type of usage of OWASP
>> >>> > > materials
>> >>> > > one that is specific to a particular scenario (like the Veracode one)
>> >>> > > For reference here is the original quote that Jeff proposed that we
>> >>> > > gave Veracode:
>> >>> > >
>> >>> > > "The OWASP Foundation is pleased that Veracode will support the Top
>> >>> > > 10. Managing application security requires an understanding of what has
>> >>> > > been checked and what has not. Veracode's message of transparency and
>> >>> > > combining both manual and automated verification techniques stand in
>> >>> > > stark contrast to those product vendors that wrongly and dangerously
>> >>> > > assert complete Top 10 coverage and compliance."
>> >>> > >
>> >>> > > I think this is a very important quote for OWASP to be providing and
>> >>> > > we need to do it.
>> >>> > >
>> >>> > > BUT (as I said in previous emails) we need to do this under a clear
>> >>> > > process and (in the beginning) under a 'this is an experiment'
>> >>> > > banner
>> >>> > >
>> >>> > > And yes, your list of firms around OWASP is just a small subset of
>> >>> > the companies that would want to play this game (note how Jeff's
>> >>> > quote
>> >>> > (which eventually will become OWASP's q
>> >>> > >
>> >>> > >
>> >>> > > Dinis Cruz
>> >>> > >
>> >>> > > Blog: http://diniscruz.blogspot.com
>> >>> > > Twitter: http://twitter.com/DinisCruz
>> >>> > > Web: http://www.owasp.org/index.php/O2
>> >>> > >
>> >>> > >
>> >>> > >
>> >>> > > On 28 June 2010 14:44, Brennan - OWASP <tomb at owasp.org> wrote:
>> >>> > > Sounds like you are suggesting a (3) generic or blanket quote to be
>> >>> > > used by corporate, university and industry sponsors in unification of
>> >>> > > the Owasp mission
>> >>> > >
>> >>> > > Look at core firms look around the room
>> >>> > >
>> >>> > > Aspect
>> >>> > > WhiteHat
>> >>> > > Trustwave
>> >>> > > Denim
>> >>> > > Fortify
>> >>> > > Veracode
>> >>> > > Columbia
>> >>> > > NYC poly
>> >>> > > Salesforce
>> >>> > > <insert>....
>> >>> > >
>> >>> > > Keep it simple.  As a value of membership you get to use one of these
>> >>> > > in releases as you are a recognized supporter.  If you want to hire or
>> >>> > > retain a PR company they would tell you the same ( I just called a buddy
>> >>> > > in the PR industry for her thoughts )
>> >>> > >
>> >>> > > Tom Brennan
>> >>> > > 973-506-9303
>> >>> > >
>> >>> > >
>> >>> > > On Jun 28, 2010, at 9:14 AM, dinis cruz <dinis.cruz at owasp.org>
>> >>> > > wrote:
>> >>> > >
>> >>> > > I don't think that fairness is the issue here, but the process of
>> >>> > > how we do this (and we need to look at this from OWASP's point of view,
>> >>> > > not from veracode's)
>> >>> > >
>> >>> > > I don't see how we can deliver these 'official OWASP quotes' outside
>> >>> > > of our website!
>> >>> > >
>> >>> > > What would be the delivery mechanism? An email from a board member?
>> >>> > > An email from an OWASP employee? Is that email that will make it an
>> >>> > > official OWASP quote?
>> >>> > >
>> >>> > > Some of these opinions have the potential to generate some
>> >>> > > controversy (which in some cases is going to be a good thing), but we
>> >>> > > have to make sure we have a solid and clear process.
>> >>> > >
>> >>> > > Given the urgency of the request and the fact that it is the first
>> >>> > one, we can explicitly shortcut some of the steps (like the public
>> >>> > consultation period)
>> >>> > >
>> >>> > > BUT we have to:
>> >>> > >
>> >>> > > a) make it come from a special page on the OWASP website
>> >>> > > b) present it as an experiment (where we are still trying to figure
>> >>> > > out the rules of engagement)
>> >>> > >
>> >>> > > Dinis Cruz
>> >>> > >
>> >>> > > On 26 Jun 2010, at 18:38, Jeff Williams <jeff.williams at owasp.org>
>> >>> > wrote:
>> >>> > >
>> >>> > > It's not fair to preempt their press release.
>> >>> > >
>> >>> > > --Jeff
>> >>> > >
>> >>> > > Jeff Williams
>> >>> > > Aspect Security
>> >>> > > work: 410-707-1487
>> >>> > > main: 301-604-4882
>> >>> > >
>> >>> > >
>> >>> > >
>> >>> > > On Jun 25, 2010, at 4:52 PM, dinis cruz <dinis.cruz at owasp.org>
>> >>> > > wrote:
>> >>> > >
>> >>> > > Have they seen your quote?
>> >>> > >
>> >>> > > Due to the time restraints, then let's publish the first ideas on how
>> >>> > > this could work in the Wiki at the same time that we give them the
>> >>> > > quote.
>> >>> > >
>> >>> > > In fact they should get the quote from the Wiki
>> >>> > >
>> >>> > > Dinis Cruz
>> >>> > >
>> >>> > > On 25 Jun 2010, at 21:25, Jeff Williams <jeff.williams at owasp.org>
>> >>> > wrote:
>> >>> > >
>> >>> > > They're on kind of a short burn for this particular quote.  How about
>> >>> > > we give them the quote and then put that infrastructure in place
>> >>> > > afterwards.
>> >>> > >
>> >>> > > --Jeff
>> >>> > >
>> >>> > >
>> >>> > > From: dinis cruz [mailto:dinis.cruz at owasp.org]
>> >>> > > Sent: Friday, June 25, 2010 1:28 PM
>> >>> > > To: Jeff Williams
>> >>> > > Cc: OWASP Foundation Board List
>> >>> > > Subject: Re: [Owasp-board] Need guidance on providing OWASP quote
>> >>> > > to
>> >>> > Veracode
>> >>> > >
>> >>> > > Hi Jeff,
>> >>> > >
>> >>> > > I definitely think that OWASP should have 'on the record' quotes
>> >>> > about what 3rd parties are doing with OWASP's projects.
>> >>> > >
>> >>> > > In terms of workflow and rules, I would like to propose that:
>> >>> > >
>> >>> > >     * All quotes are placed in specific locations of the OWASP Wiki
>> >>> > > (i.e. on dedicated pages which could be global to OWASP or project
>> >>> > > specific) where it is obvious that those are OWASP Official quotes
>> >>> > > (this page should be protected from non-wiki-admin edits)
>> >>> > >     * For each 'official OWASP quote' there should be a period of
>> >>> > > consultation where all interested parties have the opportunity to 'on
>> >>> > > the record' comment (namely OWASP Committee members and leaders)
>> >>> > >     * The first pass at the 'quote' should be made by the board or a
>> >>> > > committee that we delegate the responsibility to (maybe the Industry one
>> >>> > > (when it becomes alive again))
>> >>> > >     * After the consultation period, the board has final decision on
>> >>> > > the final wording of the text
>> >>> > >     * There are cases where the 'OWASP official quote' will probably
>> >>> > > be 'OWASP has no comment on this topic'
>> >>> > > What do you think? We should use this Veracode request to try this
>> >>> > > out (which again should be presented to our community as an
>> >>> > > 'experiment')
>> >>> > >
>> >>> > > Dinis Cruz
>> >>> > >
>> >>> > >
>> >>> > > On 24 June 2010 03:35, Jeff Williams <jeff.williams at owasp.org>
>> >>> > > wrote:
>> >>> > > Here's the background.  Veracode is going to start supporting the
>> >>> > > OWASP T10 output format.  They are making a big deal about how OWASP
>> >>> > > has grown to achieve widespread industry acceptance, blah blah blah...
>> >>> > > They are also pushing a clear message that gaining assurance involves a
>> >>> > > combination of both automated and manual testing.
>> >>> > >
>> >>> > > On the call, I asked them whether they would be willing to be very
>> >>> > > clear about exactly which of the OWASP T10 recommendations their
>> >>> > > product/service verifies.  This was my minimum bar for participating.
>> >>> > > At the high end, I asked if they would go through the ASVS and indicate
>> >>> > > which of those they can verify.
>> >>> > >
>> >>> > > Essentially, all they're doing is what everyone does: say that their
>> >>> > > service solves the OWASP T10.   I think we should ONLY support these
>> >>> > > statements if the vendor is willing to FULLY disclose exactly what
>> >>> > > their coverage is and how it is achieved.  That goes right to the core
>> >>> > > of the issue we've been discussing.  I think we can support these
>> >>> > > commercial vendors as long as they do their part in making security
>> >>> > > *visible*.
>> >>> > >
>> >>> > > So they've asked me for a quote.  Assuming they disclose, I'm
>> >>> > thinking something like...
>> >>> > >
>> >>> > > "The OWASP Foundation is pleased that Veracode will support the Top
>> >>> > > 10. Managing application security requires an understanding of what has
>> >>> > > been checked and what has not. Veracode's message of transparency and
>> >>> > > combining both manual and automated verification techniques stand in
>> >>> > > stark contrast to those product vendors that wrongly and dangerously
>> >>> > > assert complete Top 10 coverage and compliance."
>> >>> > >
>> >>> > > VOTE: Do you think OWASP should issue quotes like this when vendors
>> >>> > > do something that 1) involves OWASP and 2) is basically in line with
>> >>> > > our principles.  Or should we just stay clear.
>> >>> > >
>> >>> > > --Jeff
>> >>> > >
>> >>> > > Jeff Williams, Chair
>> >>> > > The OWASP Foundation
>> >>> > > work: 410-707-1487
>> >>> > > main: 301-604-4882
>> >>> > >
>> >>> > >
>> >>> > > _______________________________________________
>> >>> > > Owasp-board mailing list
>> >>> > > Owasp-board at lists.owasp.org
>> >>> > > https://lists.owasp.org/mailman/listinfo/owasp-board
>> >>> > >
>> >>> > >
>> >>> >
>> >>>
>> >>>
>> >>
>> >>
>> >>
>> >
>> >
>
>
