[Owasp-board] VOTE: OWASP Quotes

Matt Tesauro matt.tesauro at owasp.org
Tue Jul 20 17:29:00 UTC 2010


I am a somewhat hedged yes on this.

I agree with the general point but I too have concerns about the 
slippery slope aspect of this proposal.  We need to stay well shy of 
anything that looks like an endorsement.

The devil will be in the details - particularly the vetting process for 
any of these quotes.

Still, I can see several places where this would be useful to the OWASP 
mission:
(1) As Dinis said, recognizing contributions like Boeing's recent one 
(might even inspire a membership renewal for that organization)

(2) The Veracode example from Jeff

(3) I see this being a great way to recognize institutions which support 
OWASP but cannot, for various reasons, become corporate members.  For 
example, government agencies typically cannot join groups like OWASP 
(especially those outside the US), but may actively support OWASP 
internally and to their constituents.  I brought this up to the 
membership committee a while back and this may be a great way for OWASP 
to publicly recognize the supporters in this position.

I would also like to see some details about how this is going to be 
fleshed out operationally.  Considering what I've seen Jeff do in the 
past, I suspect this will be done well within the OWASP values.

Do you think we could get something mocked up by the next board meeting? 
Will Blackhat/DefCon interrupt your progress?

--
-- Matt Tesauro
OWASP Board Member
OWASP Live CD Project Lead
http://www.owasp.org/index.php/Category:OWASP_Live_CD_Project
http://AppSecLive.org - Community and Download site

On 7/20/10 8:57 AM, dinis cruz wrote:
> At the moment the decision/question is IF we should be doing this or NOT.
>
> The operational impact (and the operational rules) are something that
> will need to be sorted out in the next couple of months (as we try this out).
>
> We should have a review of this process in 3/6 months' time and by then
> it should be obvious how this works, what type of effort is required and
> if that effort makes sense.
>
> Dinis Cruz
>
> On 20 July 2010 14:40, Seba <seba at owasp.org <mailto:seba at owasp.org>> wrote:
>
>> OK, you have a point. With the highlighting this can be interpreted
>> differently, and then I would move towards YESNC or YES.
>>
>> I have to think about this: can we have an idea on operational impact
>> and put this up for vote during the next board meeting (Mon Aug-2 ?)
>>
>> --Seba
>>
>> On Tue, Jul 20, 2010 at 3:26 PM, dinis cruz <dinis.cruz at owasp.org
>> <mailto:dinis.cruz at owasp.org>> wrote:
>>> See I actually see this the other way around. This is not about OWASP
>>> giving quotes to other companies, but about OWASP controlling the
>>> message (which is something that we don't do at the moment). It is also
>>> a way to gradually increase the pressure on commercial vendors around
>>> the OWASP and WebAppSec community to do the right thing (remember that
>>> we control the message here and can use it strategically to change the
>>> market).
>>>
>>> This is the opportunity that OWASP has to set 'on the record' comments
>>> about what is going on. Yes, sometimes this will mean that we should say
>>> "that company or group of companies over there is doing a good job
>>> around OWASP Project XYZ", BUT it also allows us to say "OWASP does not
>>> agree with what is going on over there" or "That is for the market to
>>> decide" or "project XYZ is currently NOT correctly represented/understood
>>> by the industry (for example Top 10 used as a standard)".
>>>
>>> In fact, if we don't at least have this facility (to create these
>>> quotes) then what we are left with is even worse. The only people
>>> 'talking' will be the vendors and their marketing departments.
>>>
>>> Also note that this also applies to other types of companies,
>>> organizations and communities that are part of the OWASP community. If
>>> we vote NO on this one, then does that mean that we can't produce a
>>> quote on Boeing's recent copyright assignment to OWASP, or SalesForce
>>> OWASP Security Ecosystem participation or Facebook's ESAPI reference
>>> implementation?
>>>
>>> And if you vote NO, you will not be able to complain in the future about
>>> an abuse of the OWASP brand and projects, since there is nothing we can
>>> do about it.
>>>
>>> Look at Jeff's quote again (my highlights in bold):
>>>
>>> "So let's vote on whether to do this at all. Should OWASP produce quotes
>>> about things that help our mission, promote application security,
>>> promote OWASP, are consistent with our ethics and principles, are not
>>> biased towards a single vendor, and do not endorse a vendor. This might
>>> include commercial services like Veracode's service"
>>>
>>> My only issues are operational and those will be sorted in time (and via
>>> the reaction of the community). And again, this is an experiment that
>>> can be voted out in the future (if it has been proved that it doesn't
>>> work).
>>>
>>> In some ways this is actually providing these external companies and
>>> organizations a WAY to work with OWASP. At the moment we have no clear
>>> guidance for how to behave around OWASP and my fear of not doing this
>>> is that we will be sending a message to the rest of our community that
>>> "you cannot work with OWASP and you are free to come up with whatever
>>> your marketing department thinks they can get away with".
>>>
>>> Veracode's case was actually a good example of this starting to work
>>> well, since for the first time we had a vendor 'talking' to OWASP and
>>> trying to figure out the best way forward. And if you look at Jeff's
>>> original proposal comment it was 'loaded' in a very powerful way, since
>>> it was sending an indirect message to the other players in that
>>> industry that they should be doing the same thing.
>>>
>>> The final point I would like to make is that these quotes could become
>>> a great 'asset' for OWASP (and if you look around we don't have THAT
>>> many assets), since the moment companies play the game is the moment
>>> those companies have a vested interest in continuing their positive
>>> behaviour (or risk the backlash of having a 'negative quote' or 'quote
>>> removal' problem).
>>>
>>> Dinis Cruz
>>>
>>> On 20 July 2010 06:03, Seba <seba at owasp.org
>>> <mailto:seba at owasp.org>> wrote:
>>>>
>>>> I've understood it this way. It's just too slippery a road to have
>>>> OWASP put out quotes on external organisations' commercial offerings.
>>>>
>>>> To the extreme: should OWASP 'quote' that they like the ESAPI services
>>>> company x, y or z is offering? Or O2?
>>>> I think these companies can do that themselves, and if they are smart
>>>> link themselves through membership / direct project or chapter
>>>> sponsoring.
>>>>
>>>> I think it is more 'loaded' to put out an OWASP quote than to have a
>>>> list (moderated or not) of organisations performing services linked to
>>>> OWASP projects.
>>>>
>>>> --Seba
>>>>
>>>> On Tue, Jul 20, 2010 at 5:56 AM, Jeff Williams
>>>> <jeff.williams at owasp.org <mailto:jeff.williams at owasp.org>>
>>>> wrote:
>>>>> Just to be totally clear here...
>>>>>
>>>>> 1. As I've explained before, I believe we need to unite our ecosystem
>>>>> (open and commercial) if we are to make progress against insecure
>>>>> software. Not by compromising our principles, but by figuring out how
>>>>> open and commercial can live together peacefully. This proposal is a
>>>>> much less dangerous way to start than the others we've discussed.
>>>>>
>>>>> 2. We wouldn't be endorsing or recommending anything. At most it would
>>>>> be an indirect promotion of an organization, by complimenting (or
>>>>> criticizing) something that they are doing that is directly beneficial
>>>>> (or harmful) to our mission.
>>>>>
>>>>> Ordinarily, I wouldn't interfere with a vote in progress, but Seba's
>>>>> note made me think that perhaps I hadn't explained well enough. Thanks
>>>>> for your patience.
>>>>>
>>>>> --Jeff
>>>>>
>>>>> -----Original Message-----
>>>>> From: sebastien.deleersnyder at gmail.com
>>>>> <mailto:sebastien.deleersnyder at gmail.com>
>>>>> [mailto:sebastien.deleersnyder at gmail.com
>>>>> <mailto:sebastien.deleersnyder at gmail.com>] On Behalf Of Seba
>>>>> Sent: Monday, July 19, 2010 11:30 PM
>>>>> To: dinis cruz
>>>>> Cc: Jeff Williams; OWASP Foundation Board List; Dan Cornell; Cornell Dan
>>>>> Subject: Re: [Owasp-board] VOTE: OWASP Quotes
>>>>>
>>>>> NO, which is in line with our mission "... OWASP Foundation does not
>>>>> endorse or recommend commercial products or services allowing our
>>>>> community to remain vendor agnostic with the collective wisdom of the
>>>>> best minds in application security worldwide."
>>>>>
>>>>> I don't see the value for OWASP to promote commercial services from
>>>>> vendors, which they are perfectly able to do themselves.
>>>>>
>>>>> --Seba
>>>>>
>>>>> On Tue, Jul 20, 2010 at 2:29 AM, dinis cruz
>>>>> <dinis.cruz at owasp.org <mailto:dinis.cruz at owasp.org>>
>>>>> wrote:
>>>>>> YES, we need to give this a go since it is critical for OWASP's future
>>>>>> that we (eventually) get a model that works and is accepted fully by
>>>>>> the community (in fact we are already late on this, but it's better
>>>>>> late than never).
>>>>>>
>>>>>> There are a number of Governance issues that we need to fine tune (and
>>>>>> create guidelines for), but for the key decision regarding OWASP's 'on
>>>>>> the record' quotes, it is an absolute YES from me.
>>>>>>
>>>>>> Thanks Jeff for keeping this alive (I actually thought yesterday about
>>>>>> pinging you about this :)  )
>>>>>>
>>>>>> Dinis Cruz
>>>>>>
>>>>>> On 19 July 2010 23:58, Jeff Williams <jeff.williams at owasp.org
>>>>>> <mailto:jeff.williams at owasp.org>> wrote:
>>>>>>>
>>>>>>> All,
>>>>>>>
>>>>>>> I'd like to run this to ground. I think we've agreed that if we do
>>>>>>> this, there should be a centralized (experimental-for-now) quote page
>>>>>>> on the wiki that will allow for some notice-and-comment by OWASP
>>>>>>> Leaders before a quote is made official.
>>>>>>>
>>>>>>> So let's vote on whether to do this at all. Should OWASP produce
>>>>>>> quotes about things that help our mission, promote application
>>>>>>> security, promote OWASP, are consistent with our ethics and
>>>>>>> principles, are not biased towards a single vendor, and do not
>>>>>>> endorse a vendor. This might include commercial services like
>>>>>>> Veracode's service (see voting options below) (appreciate your input
>>>>>>> on this Dan)
>>>>>>>
>>>>>>> YES - sure, OWASP can issue quotes according to the rules above
>>>>>>> because it's good for the application security market overall, which
>>>>>>> helps our mission.
>>>>>>>
>>>>>>> NO - no way, OWASP should never issue quotes about commercial entities
>>>>>>> as it leads us down an awful sticky path that will tarnish our
>>>>>>> reputation forever.
>>>>>>>
>>>>>>> YESNC - OWASP should only issue quotes about non-commercial projects
>>>>>>> and efforts.
>>>>>>>
>>>>>>> I'll take the lead if we decide this is a good function for OWASP to
>>>>>>> do.
>>>>>>>
>>>>>>> Thanks,
>>>>>>>
>>>>>>> --Jeff
>>>>>>>
>>>>>>> Jeff Williams, Chair
>>>>>>> The OWASP Foundation
>>>>>>> work: 410-707-1487
>>>>>>> main: 301-604-4882
>>>>>>>
>>>>>>> -----Original Message-----
>>>>>>> From: Dan Cornell [mailto:dan at denimgroup.com
>>>>>>> <mailto:dan at denimgroup.com>]
>>>>>>> Sent: Monday, June 28, 2010 1:43 PM
>>>>>>> To: Brennan - OWASP; Jeff Williams
>>>>>>> Cc: 'dinis cruz'; 'OWASP Foundation Board List'; 'Cornell Dan'; Dan
>>>>>>> Cornell
>>>>>>> Subject: RE: [Owasp-board] Need guidance on providing OWASP quote to
>>>>>>> Veracode
>>>>>>>
>>>>>>> I might not know the full details of this current situation, but it
>>>>>>> seems like we might want to approach from the other direction via the
>>>>>>> OWASP Commercial Services Registry. Organizations can provide as much
>>>>>>> transparency and guidance on how their products and services relate to
>>>>>>> OWASP, but OWASP doesn't have to take a stand on how well they do what
>>>>>>> they say - just provide them a platform with a caveat.
>>>>>>>
>>>>>>> To _really_ verify that Veracode (or anyone) truly tests for OWASP Top
>>>>>>> 10 or OWASP ASVS Level XYZ would be a huge burden on OWASP and still
>>>>>>> open to interpretation. It is hard to see how this won't be quickly
>>>>>>> misused and then OWASP leadership will have to start making
>>>>>>> determinations of which organizations are in line with OWASP's values.
>>>>>>> We (Denim Group) include some reporting about OWASP Top 10 in our
>>>>>>> assessment reports. I'd love to have a quote from Jeff Williams saying
>>>>>>> what a great job we do :) But that's not the right way to approach.
>>>>>>> I'd rather provide guidance on how we do testing and why we think this
>>>>>>> is great via the Commercial Services Registry and let folks evaluate
>>>>>>> as they see fit.
>>>>>>>
>>>>>>> It would be hard enough to find the "OWASP voice" for general industry
>>>>>>> issues like certification. When we mix vendor and independence issues
>>>>>>> into the discussion we're treading on dangerous ground.
>>>>>>>
>>>>>>> Thanks,
>>>>>>>
>>>>>>> Dan
>>>>>>>
>>>>>>>> I would support that at this stage of OWASP Foundation.
>>>>>>>>
>>>>>>>> Take a look at the most current list:
>>>>>>>>
>>>>>>>> http://www.owasp.org/index.php/Membership#Current_OWASP_Organization_Supporters_.26_Individual_Members
>>>>>>>>
>>>>>>>> What can you say about EVERYONE?
>>>>>>>>
>>>>>>>> Since we do not endorse anyone, we can say these firms have
>>>>>>>> demonstrated an alliance to the goals and mission of OWASP. Maybe we
>>>>>>>> send them a signed letter thanking them for the support.
>>>>>>>>
>>>>>>>> On Jun 28, 2010, at 1:01 PM, Jeff Williams wrote:
>>>>>>>>
>>>>>>>>> I'll follow up with them today about this and ask if they've made
>>>>>>>>> any progress on their claimed transparency. As I mentioned at the
>>>>>>>>> outset, if they're not transparent about what they cover and what
>>>>>>>>> they do, then I don't think the quote is justified.
>>>>>>>>>
>>>>>>>>> Tom, were you suggesting that we shouldn't do *any* quote about
>>>>>>>>> companies that are non-members?
>>>>>>>>>
>>>>>>>>> --Jeff
>>>>>>>>>
>>>>>>>>> From: dinis cruz [mailto:dinis.cruz at owasp.org
>>>>>>>>> <mailto:dinis.cruz at owasp.org>]
>>>>>>>>> Sent: Monday, June 28, 2010 9:53 AM
>>>>>>>>> To: Brennan - OWASP
>>>>>>>>> Cc: Jeff Williams; OWASP Foundation Board List; Cornell Dan
>>>>>>>>> Subject: Re: [Owasp-board] Need guidance on providing OWASP quote
>>>>>>>>> to Veracode
>>>>>>>>>
>>>>>>>>> Sorry, last email was sent too soon, the last comment I was making
>>>>>>>>> was (new bit in bold):
>>>>>>>>>
>>>>>>>>> ... And yes, your list of firms around OWASP is just a small subset
>>>>>>>>> of the companies that would want to play this game (note how Jeff's
>>>>>>>>> quote (which eventually will become OWASP's quote) is sending a
>>>>>>>>> 'parallel' message that 'some' product companies are dangerously
>>>>>>>>> asserting Top 10 coverage and compliance
>>>>>>>>>
>>>>>>>>> Dinis Cruz
>>>>>>>>>
>>>>>>>>> On 28 June 2010 14:50, dinis cruz <dinis.cruz at owasp.org
>>>>>>>>> <mailto:dinis.cruz at owasp.org>> wrote:
>>>>>>>>> We need to have both quotes
>>>>>>>>>
>>>>>>>>> one that is generic for each type of user or type of usage of OWASP
>>>>>>>>> materials
>>>>>>>>> one that is specific to a particular scenario (like the Veracode one)
>>>>>>>>>
>>>>>>>>> For reference here is the original quote that Jeff proposed that we
>>>>>>>>> gave Veracode:
>>>>>>>>>
>>>>>>>>> "The OWASP Foundation is pleased that Veracode will support the Top
>>>>>>>>> 10. Managing application security requires an understanding of what
>>>>>>>>> has been checked and what has not. Veracode's message of
>>>>>>>>> transparency and combining both manual and automated verification
>>>>>>>>> techniques stand in stark contrast to those product vendors that
>>>>>>>>> wrongly and dangerously assert complete Top 10 coverage and
>>>>>>>>> compliance."
>>>>>>>>>
>>>>>>>>> I think this is a very important quote for OWASP to be providing and
>>>>>>>>> we need to do it.
>>>>>>>>>
>>>>>>>>> BUT (as I said in previous emails) we need to do this under a clear
>>>>>>>>> process and (in the beginning) under a 'this is an experiment'
>>>>>>>>> banner
>>>>>>>>>
>>>>>>>>> And yes, your list of firms around OWASP is just a small subset of
>>>>>>>>> the companies that would want to play this game (note how Jeff's
>>>>>>>>> quote (which eventually will become OWASP's q
>>>>>>>>>
>>>>>>>>> Dinis Cruz
>>>>>>>>>
>>>>>>>>> Blog: http://diniscruz.blogspot.com
>>>>>>>>> Twitter: http://twitter.com/DinisCruz
>>>>>>>>> Web: http://www.owasp.org/index.php/O2
>>>>>>>>>
>>>>>>>>> On 28 June 2010 14:44, Brennan - OWASP <tomb at owasp.org
>>>>>>>>> <mailto:tomb at owasp.org>> wrote:
>>>>>>>>> Sounds like you are suggesting a (3) generic or blanket quote to be
>>>>>>>>> used by corporate, university and industry sponsors in unification
>>>>>>>>> of the OWASP mission
>>>>>>>>>
>>>>>>>>> Look at core firms, look around the room
>>>>>>>>>
>>>>>>>>> Aspect
>>>>>>>>> WhiteHat
>>>>>>>>> Trustwave
>>>>>>>>> Denim
>>>>>>>>> Fortify
>>>>>>>>> Veracode
>>>>>>>>> Columbia
>>>>>>>>> NYC poly
>>>>>>>>> Salesforce
>>>>>>>>> <insert>....
>>>>>>>>>
>>>>>>>>> Keep it simple. As a value of membership you get to use one of these
>>>>>>>>> in releases as you are a recognized supporter. If you want to hire
>>>>>>>>> or retain a PR company they would tell you the same (I just called a
>>>>>>>>> buddy in the PR industry for her thoughts)
>>>>>>>>>
>>>>>>>>> Tom Brennan
>>>>>>>>> 973-506-9303
>>>>>>>>>
>>>>>>>>> On Jun 28, 2010, at 9:14 AM, dinis cruz
>>>>>>>>> <dinis.cruz at owasp.org <mailto:dinis.cruz at owasp.org>>
>>>>>>>>> wrote:
>>>>>>>>>
>>>>>>>>> I don't think that fairness is the issue here, but the process of
>>>>>>>>> how we do this (and we need to look at this from OWASP's point of
>>>>>>>>> view, not from Veracode's)
>>>>>>>>>
>>>>>>>>> I don't see how we can deliver these 'official OWASP quotes' outside
>>>>>>>>> of our website!
>>>>>>>>>
>>>>>>>>> What would be the delivery mechanism? An email from a board member?
>>>>>>>>> An email from an OWASP employee? Is that email what will make it an
>>>>>>>>> official OWASP quote?
>>>>>>>>>
>>>>>>>>> Some of these opinions have the potential to generate some
>>>>>>>>> controversy (which in some cases is going to be a good thing), but
>>>>>>>>> we have to make sure we have a solid and clear process.
>>>>>>>>>
>>>>>>>>> Given the urgency of the request and the fact that it is the first
>>>>>>>>> one, we can explicitly shortcut some of the steps (like the public
>>>>>>>>> consultation period)
>>>>>>>>>
>>>>>>>>> BUT we have to:
>>>>>>>>>
>>>>>>>>> a) make it come from a special page on the OWASP website
>>>>>>>>> b) present it as an experiment (where we are still trying to figure
>>>>>>>>> out the rules of engagement)
>>>>>>>>>
>>>>>>>>> Dinis Cruz
>>>>>>>>>
>>>>>>>>> On 26 Jun 2010, at 18:38, Jeff Williams
>>>>>>>>> <jeff.williams at owasp.org <mailto:jeff.williams at owasp.org>>
>>>>>>>>> wrote:
>>>>>>>>>
>>>>>>>>> It's not fair to preempt their press release.
>>>>>>>>>
>>>>>>>>> --Jeff
>>>>>>>>>
>>>>>>>>> Jeff Williams
>>>>>>>>> Aspect Security
>>>>>>>>> work: 410-707-1487
>>>>>>>>> main: 301-604-4882
>>>>>>>>>
>>>>>>>>> On Jun 25, 2010, at 4:52 PM, dinis cruz
>>>>>>>>> <dinis.cruz at owasp.org <mailto:dinis.cruz at owasp.org>>
>>>>>>>>> wrote:
>>>>>>>>>
>>>>>>>>> Have they seen your quote?
>>>>>>>>>
>>>>>>>>> Due to the time restraints, then let's publish the first ideas on
>>>>>>>>> how this could work in the Wiki at the same time that we give them
>>>>>>>>> the quote.
>>>>>>>>>
>>>>>>>>> In fact they should get the quote from the Wiki
>>>>>>>>>
>>>>>>>>> Dinis Cruz
>>>>>>>>>
>>>>>>>>> On 25 Jun 2010, at 21:25, Jeff Williams
>>>>>>>>> <jeff.williams at owasp.org <mailto:jeff.williams at owasp.org>>
>>>>>>>>> wrote:
>>>>>>>>>
>>>>>>>>> They're on kind of a short burn for this particular quote. How about
>>>>>>>>> we give them the quote and then put that infrastructure in place
>>>>>>>>> afterwards.
>>>>>>>>>
>>>>>>>>> --Jeff
>>>>>>>>>
>>>>>>>>> From: dinis cruz [mailto:dinis.cruz at owasp.org
>>>>>>>>> <mailto:dinis.cruz at owasp.org>]
>>>>>>>>> Sent: Friday, June 25, 2010 1:28 PM
>>>>>>>>> To: Jeff Williams
>>>>>>>>> Cc: OWASP Foundation Board List
>>>>>>>>> Subject: Re: [Owasp-board] Need guidance on providing OWASP quote
>>>>>>>>> to Veracode
>>>>>>>>>
>>>>>>>>> Hi Jeff,
>>>>>>>>>
>>>>>>>>> I definitely think that OWASP should have 'on the record' quotes
>>>>>>>>> about what 3rd parties are doing with OWASP's projects.
>>>>>>>>>
>>>>>>>>> In terms of workflow and rules, I would like to propose that:
>>>>>>>>>
>>>>>>>>>     * All quotes are placed in specific locations of the OWASP Wiki
>>>>>>>>>       (i.e. on dedicated pages which could be global to OWASP or
>>>>>>>>>       project specific) where it is obvious that those are OWASP
>>>>>>>>>       Official quotes (this page should be protected from
>>>>>>>>>       non-wiki-admin edits)
>>>>>>>>>     * For each 'official OWASP quote' there should be a period of
>>>>>>>>>       consultation where all interested parties have the
>>>>>>>>>       opportunity to comment 'on the record' (namely OWASP Committee
>>>>>>>>>       members and leaders)
>>>>>>>>>     * The first pass at the 'quote' should be made by the board or
>>>>>>>>>       a committee that we delegate the responsibility to (maybe the
>>>>>>>>>       Industry one (when it becomes alive again))
>>>>>>>>>     * After the consultation period, the board has the final
>>>>>>>>>       decision on the final wording of the text
>>>>>>>>>     * There are cases where the 'OWASP official quote' will
>>>>>>>>>       probably be 'OWASP has no comment on this topic'
>>>>>>>>>
>>>>>>>>> What do you think? We should use this Veracode request to try this
>>>>>>>>> out (which again should be presented to our community as an
>>>>>>>>> 'experiment')
>>>>>>>>>
>>>>>>>>> Dinis Cruz
>>>>>>>>>
>>>>>>>>> On 24 June 2010 03:35, Jeff Williams
>>>>>>>>> <jeff.williams at owasp.org <mailto:jeff.williams at owasp.org>>
>>>>>>>>> wrote:
>>>>>>>>> Here's the background. Veracode is going to start supporting the
>>>>>>>>> OWASP T10 output format. They are making a big deal about how OWASP
>>>>>>>>> has grown to achieve widespread industry acceptance, blah blah
>>>>>>>>> blah... They are also pushing a clear message that gaining assurance
>>>>>>>>> involves a combination of both automated and manual testing.
>>>>>>>>>
>>>>>>>>> On the call, I asked them whether they would be willing to be very
>>>>>>>>> clear about exactly which of the OWASP T10 recommendations their
>>>>>>>>> product/service verifies. This was my minimum bar for
>>>>>>>>> participating. At the high end, I asked if they would go through the
>>>>>>>>> ASVS and indicate which of those they can verify.
>>>>>>>>>
>>>>>>>>> Essentially, all they're doing is what everyone does: say that their
>>>>>>>>> service solves the OWASP T10. I think we should ONLY support these
>>>>>>>>> statements if the vendor is willing to FULLY disclose exactly what
>>>>>>>>> their coverage is and how it is achieved. That goes right to the
>>>>>>>>> core of the issue we've been discussing. I think we can support
>>>>>>>>> these commercial vendors as long as they do their part in making
>>>>>>>>> security *visible*.
>>>>>>>>>
>>>>>>>>> So they've asked me for a quote. Assuming they disclose, I'm
>>>>>>>>> thinking something like...
>>>>>>>>>
>>>>>>>>> "The OWASP Foundation is pleased that Veracode will support the Top
>>>>>>>>> 10. Managing application security requires an understanding of what
>>>>>>>>> has been checked and what has not. Veracode's message of
>>>>>>>>> transparency and combining both manual and automated verification
>>>>>>>>> techniques stand in stark contrast to those product vendors that
>>>>>>>>> wrongly and dangerously assert complete Top 10 coverage and
>>>>>>>>> compliance."
>>>>>>>>>
>>>>>>>>> VOTE: Do you think OWASP should issue quotes like this when vendors
>>>>>>>>> do something that 1) involves OWASP and 2) is basically in line with
>>>>>>>>> our principles. Or should we just stay clear.
>>>>>>>>>
>>>>>>>>> --Jeff
>>>>>>>>>
>>>>>>>>> Jeff Williams, Chair
>>>>>>>>> The OWASP Foundation
>>>>>>>>> work: 410-707-1487
>>>>>>>>> main: 301-604-4882
>>>>>>>>>
>>>>>>>>> _______________________________________________
>>>>>>>>> Owasp-board mailing list
>>>>>>>>> Owasp-board at lists.owasp.org
>>>>>>>>> <mailto:Owasp-board at lists.owasp.org>
>>>>>>>>> https://lists.owasp.org/mailman/listinfo/owasp-board
