[Owasp-board] VOTE: OWASP Quotes

Eoin eoin.keary at owasp.org
Tue Jul 20 18:49:07 UTC 2010


(just back from vacation)
Are we referring to the commercial registry?
If so, I am happy to vote yes assuming some of the governance we discussed is
taken into consideration.

-ek
On 19 July 2010 23:58, Jeff Williams <jeff.williams at owasp.org> wrote:

> All,
>
> I'd like to run this to ground. I think we've agreed that if we do this,
> there should be a centralized (experimental-for-now) quote page on the wiki
> that will allow for some notice-and-comment by OWASP Leaders before a quote
> is made official.
>
> So let's vote on whether to do this at all. Should OWASP produce quotes
> about things that help our mission, promote application security, promote
> OWASP, are consistent with our ethics and principles, are not biased towards
> a single vendor, and do not endorse a vendor? This might include commercial
> services like Veracode's service (see voting options below) (appreciate your
> input on this, Dan).
>
> YES - sure, OWASP can issue quotes according to the rules above because it's
> good for the application security market overall, which helps our mission.
>
> NO - no way, OWASP should never issue quotes about commercial entities as it
> leads us down an awful sticky path that will tarnish our reputation forever.
>
> YESNC - OWASP should only issue quotes about non-commercial projects and
> efforts.
>
> I'll take the lead if we decide this is a good function for OWASP to do.
>
> Thanks,
>
> --Jeff
>
> Jeff Williams, Chair
> The OWASP Foundation
> work: 410-707-1487
> main: 301-604-4882
>
>
> -----Original Message-----
> From: Dan Cornell [mailto:dan at denimgroup.com]
> Sent: Monday, June 28, 2010 1:43 PM
> To: Brennan - OWASP; Jeff Williams
> Cc: 'dinis cruz'; 'OWASP Foundation Board List'; 'Cornell Dan'; Dan Cornell
> Subject: RE: [Owasp-board] Need guidance on providing OWASP quote to
> Veracode
>
>
> I might not know the full details of this current situation, but it seems
> like we might want to approach from the other direction via the OWASP
> Commercial Services Registry.  Organizations can provide as much transparency
> and guidance on how their products and services relate to OWASP, but OWASP
> doesn't have to take a stand on how well they do what they say - just
> provide them a platform with a caveat.
>
> To _really_ verify that Veracode (or anyone) truly tests for OWASP Top 10 or
> OWASP ASVS Level XYZ would be a huge burden on OWASP and still open to
> interpretation.  It is hard to see how this won't be quickly misused and
> then OWASP leadership will have to start making determinations of which
> organizations are in-line with OWASP's values.  We (Denim Group) include
> some reporting about OWASP Top 10 in our assessment reports.  I'd love to
> have a quote from Jeff Williams saying what a great job we do  :)  But
> that's not the right way to approach.  I'd rather provide guidance on how we
> do testing and why we think this is great via the Commercial Services
> Registry and let folks evaluate as they see fit.
>
> It would be hard enough to find the "OWASP voice" for general industry
> issues like certification.  When we mix vendor and independence issues into
> the discussion we're treading on dangerous ground.
>
> Thanks,
>
> Dan
>
>
>
> > I would support that at this stage of the OWASP Foundation.
> >
> > Take a look at the most current list:
> >
> > http://www.owasp.org/index.php/Membership#Current_OWASP_Organization_Supporters_.26_Individual_Members
> >
> > What can you say about EVERYONE?
> >
> > Since we do not endorse anyone, we can say these firms have
> > demonstrated an alliance to the goals and mission of OWASP.  Maybe we
> > send them a signed letter thanking them for the support.
> >
> >
> >
> > On Jun 28, 2010, at 1:01 PM, Jeff Williams wrote:
> >
> > > I'll follow up with them today about this and ask if they've made any
> > progress on their claimed transparency.  As I mentioned at the outset,
> > if they're not transparent about what they cover and what they do, then
> > I don't think the quote is justified.
> > >
> > > Tom, were you suggesting that we shouldn't do *any* quote about
> > companies that are non-members?
> > >
> > > --Jeff
> > >
> > >
> > > From: dinis cruz [mailto:dinis.cruz at owasp.org]
> > > Sent: Monday, June 28, 2010 9:53 AM
> > > To: Brennan - OWASP
> > > Cc: Jeff Williams; OWASP Foundation Board List; Cornell Dan
> > > Subject: Re: [Owasp-board] Need guidance on providing OWASP quote to
> > Veracode
> > >
> > > Sorry, last email was sent too soon, the last comment I was making was
> > (new bit in bold):
> > >
> > > ... And yes, your list of firms around OWASP is just a small subset
> > of the companies that would want to play this game (note how Jeff's
> > quote (which eventually will become OWASP's quote) is sending a
> > 'parallel' message that 'some' product companies are dangerously
> > asserting Top 10 coverage and compliance).
> > >
> > > Dinis Cruz
> > >
> > >
> > > On 28 June 2010 14:50, dinis cruz <dinis.cruz at owasp.org> wrote:
> > > We need to have both quotes
> > >
> > > one that is generic for each type of user or type of usage of OWASP
> > materials
> > > one that is specific to a particular scenario (like the Veracode one)
> > > For reference here is the original quote that Jeff proposed that we
> > gave Veracode:
> > >
> > > "The OWASP Foundation is pleased that Veracode will support the Top
> > 10. Managing application security requires an understanding of what has
> > been checked and what has not. Veracode's message of transparency and
> > combining both manual and automated verification techniques stand in
> > stark contrast to those product vendors that wrongly and dangerously
> > assert complete Top 10 coverage and compliance."
> > >
> > > I think this is a very important quote for OWASP to be providing and
> > we need to do it.
> > >
> > > BUT (as I said in previous emails) we need to do this under a clear
> > process and (in the beginning) under a 'this is an experiment' banner.
> > >
> > > And yes, your list of firms around OWASP is just a small subset of
> > the companies that would want to play this game (note how Jeff's quote
> > (which eventually will become OWASP's q
> > >
> > >
> > > Dinis Cruz
> > >
> > > Blog: http://diniscruz.blogspot.com
> > > Twitter: http://twitter.com/DinisCruz
> > > Web: http://www.owasp.org/index.php/O2
> > >
> > >
> > >
> > > On 28 June 2010 14:44, Brennan - OWASP <tomb at owasp.org> wrote:
> > > Sounds like you are suggesting a (3) generic or blanket quote to be
> > used by corporate, university and industry sponsors in unification of
> > the Owasp mission
> > >
> > > Look at core firms, look around the room
> > >
> > > Aspect
> > > WhiteHat
> > > Trustwave
> > > Denim
> > > Fortify
> > > Veracode
> > > Columbia
> > > NYC poly
> > > Salesforce
> > > <insert>....
> > >
> > > Keep it simple.  As a value of membership you get to use one of these
> > in releases as you are a recognized supporter.  If you want to hire or
> > retain a PR company they would tell you the same (I just called a buddy
> > in the PR industry for her thoughts)
> > >
> > > Tom Brennan
> > > 973-506-9303
> > >
> > >
> > > On Jun 28, 2010, at 9:14 AM, dinis cruz <dinis.cruz at owasp.org> wrote:
> > >
> > > I don't think that fairness is the issue here, but the process of
> > how we do this (and we need to look at this from OWASP's point of view,
> > not from Veracode's)
> > >
> > > I don't see how we can deliver these 'official OWASP quotes' outside
> > of our website!
> > >
> > > What would be the delivery mechanism? An email from a board member?
> > An email from an OWASP employee? Is that email what will make it an
> > official OWASP quote?
> > >
> > > Some of these opinions have the potential to generate some
> > controversy (which in some cases is going to be a good thing), but we
> > have to make sure we have a solid and clear process.
> > >
> > > Given the urgency of the request and the fact that it is the first
> > one, we can explicitly shortcut some of the steps (like the public
> > consultation period)
> > >
> > > BUT we have to:
> > >
> > > a) make it come from a special page on the OWASP website
> > > b) present it as an experiment (where we are still trying to figure
> > out the rules of engagement)
> > >
> > > Dinis Cruz
> > >
> > > On 26 Jun 2010, at 18:38, Jeff Williams <jeff.williams at owasp.org>
> > wrote:
> > >
> > > It's not fair to preempt their press release.
> > >
> > > --Jeff
> > >
> > > Jeff Williams
> > > Aspect Security
> > > work: 410-707-1487
> > > main: 301-604-4882
> > >
> > >
> > >
> > > On Jun 25, 2010, at 4:52 PM, dinis cruz <dinis.cruz at owasp.org> wrote:
> > >
> > > Have they seen your quote?
> > >
> > > Due to the time constraints, let's publish the first ideas on how
> > this could work in the Wiki at the same time that we give them the
> > quote.
> > >
> > > In fact they should get the quote from the Wiki
> > >
> > > Dinis Cruz
> > >
> > > On 25 Jun 2010, at 21:25, Jeff Williams <jeff.williams at owasp.org>
> > wrote:
> > >
> > > They're on kind of a short burn for this particular quote.  How about
> > we give them the quote and then put that infrastructure in place
> > afterwards.
> > >
> > > --Jeff
> > >
> > >
> > > From: dinis cruz [mailto:dinis.cruz at owasp.org]
> > > Sent: Friday, June 25, 2010 1:28 PM
> > > To: Jeff Williams
> > > Cc: OWASP Foundation Board List
> > > Subject: Re: [Owasp-board] Need guidance on providing OWASP quote to
> > Veracode
> > >
> > > Hi Jeff,
> > >
> > > I definitely think that OWASP should have 'on the record' quotes
> > about what 3rd parties are doing with OWASP's projects.
> > >
> > > In terms of workflow and rules, I would like to propose that:
> > >
> > >     * All quotes are placed in specific locations of the OWASP Wiki
> > (i.e. on dedicated pages which could be global to OWASP or project
> > specific) where it is obvious that those are OWASP official quotes
> > (this page should be protected from non-wiki-admin edits)
> > >     * For each 'official OWASP quote' there should be a period of
> > consultation where all interested parties have the opportunity to 'on
> > the record' comment (namely OWASP Committee members and leaders)
> > >     * The first pass at the 'quote' should be made by the board or a
> > committee to which we delegate the responsibility (maybe the Industry one
> > (when it becomes alive again))
> > >     * After the consultation period, the board has final decision on
> > the final wording of the text
> > >     * There are cases where the 'OWASP official quote' will probably
> > be 'OWASP has no comment on this topic'
> > > What do you think? We should use this Veracode request to try this
> > out (which again should be presented to our community as an
> > 'experiment')
> > >
> > > Dinis Cruz
> > >
> > >
> > > On 24 June 2010 03:35, Jeff Williams <jeff.williams at owasp.org> wrote:
> > > Here's the background.  Veracode is going to start supporting the
> > OWASP T10 output format.  They are making a big deal about how OWASP
> > has grown to achieve widespread industry acceptance, blah blah blah...
> > They are also pushing a clear message that gaining assurance involves a
> > combination of both automated and manual testing.
> > >
> > > On the call, I asked them whether they would be willing to be very
> > clear about exactly which of the OWASP T10 recommendations their
> > product/service verifies.  This was my minimum bar for participating.
> > At the high end, I asked if they would go through the ASVS and indicate
> > which of those they can verify.
> > >
> > > Essentially, all they're doing is what everyone does: say that their
> > service solves the OWASP T10.   I think we should ONLY support these
> > statements if the vendor is willing to FULLY disclose exactly what
> > their coverage is and how it is achieved.  That goes right to the core
> > of the issue we've been discussing.  I think we can support these
> > commercial vendors as long as they do their part in making security
> > *visible*.
> > >
> > > So they've asked me for a quote.  Assuming they disclose, I'm
> > thinking something like...
> > >
> > > "The OWASP Foundation is pleased that Veracode will support the Top
> > 10. Managing application security requires an understanding of what has
> > been checked and what has not. Veracode's message of transparency and
> > combining both manual and automated verification techniques stand in
> > stark contrast to those product vendors that wrongly and dangerously
> > assert complete Top 10 coverage and compliance."
> > >
> > > VOTE: Do you think OWASP should issue quotes like this when vendors
> > do something that 1) involves OWASP and 2) is basically in line with
> > our principles?  Or should we just stay clear?
> > >
> > > --Jeff
> > >
> > > Jeff Williams, Chair
> > > The OWASP Foundation
> > > work: 410-707-1487
> > > main: 301-604-4882
> > >
> > >
> > > _______________________________________________
> > > Owasp-board mailing list
> > > Owasp-board at lists.owasp.org
> > > https://lists.owasp.org/mailman/listinfo/owasp-board
> > >
> > >
> >
>
>



-- 
Eoin Keary
OWASP Global Board Member
OWASP Code Review Guide Lead Author

Sent from my i-Transmogrifier
http://asg.ie/
https://twitter.com/EoinKeary