[Owasp-board] VOTE: OWASP Quotes

dinis cruz dinis.cruz at owasp.org
Tue Jul 20 22:52:27 UTC 2010


Eoin, read the thread again: this is NOT about the commercial registry, it
is about "OWASP Quotes".

(there are some overlaps but this is a very different beast)

Dinis Cruz

On 20 July 2010 19:49, Eoin <eoin.keary at owasp.org> wrote:

> (just back from vacation)
> Are we referring to the commercial registry?
> If so I am happy to vote yes assuming some of the governance we discussed
> is taken into consideration.
>
> -ek
>
>
>
>
>
> On 19 July 2010 23:58, Jeff Williams <jeff.williams at owasp.org> wrote:
>
>> All,
>>
>> I'd like to run this to ground. I think we've agreed that if we do this,
>> there should be a centralized (experimental-for-now) quote page on the wiki
>> that will allow for some notice-and-comment by OWASP Leaders before a quote
>> is made official.
>>
>> So let's vote on whether to do this at all. Should OWASP produce quotes
>> about things that help our mission, promote application security, promote
>> OWASP, are consistent with our ethics and principles, are not biased towards
>> a single vendor, and do not endorse a vendor? This might include commercial
>> services like Veracode's service (see voting options below) (appreciate your
>> input on this Dan).
>>
>> YES - sure, OWASP can issue quotes according to the rules above because it's
>> good for the application security market overall, which helps our mission.
>>
>> NO - no way, OWASP should never issue quotes about commercial entities as it
>> leads us down an awful sticky path that will tarnish our reputation forever.
>>
>> YESNC - OWASP should only issue quotes about non-commercial projects and
>> efforts.
>>
>> I'll take the lead if we decide this is a good function for OWASP to do.
>>
>> Thanks,
>>
>> --Jeff
>>
>> Jeff Williams, Chair
>> The OWASP Foundation
>> work: 410-707-1487
>> main: 301-604-4882
>>
>>
>> -----Original Message-----
>> From: Dan Cornell [mailto:dan at denimgroup.com]
>> Sent: Monday, June 28, 2010 1:43 PM
>> To: Brennan - OWASP; Jeff Williams
>> Cc: 'dinis cruz'; 'OWASP Foundation Board List'; 'Cornell Dan'; Dan
>> Cornell
>> Subject: RE: [Owasp-board] Need guidance on providing OWASP quote to
>> Veracode
>>
>>
>> I might not know the full details of this current situation, but it seems
>> like we might want to approach from the other direction via the OWASP
>> Commercial Services Registry.  Organizations can provide as much transparency
>> and guidance on how their products and services relate to OWASP, but OWASP
>> doesn't have to take a stand on how well they do what they say - just
>> provide them a platform with a caveat.
>>
>> To _really_ verify that Veracode (or anyone) truly tests for OWASP Top 10 or
>> OWASP ASVS Level XYZ would be a huge burden on OWASP and still open to
>> interpretation.  It is hard to see how this won't be quickly misused and
>> then OWASP leadership will have to start making determinations of which
>> organizations are in-line with OWASP's values.  We (Denim Group) include
>> some reporting about OWASP Top 10 in our assessment reports.  I'd love to
>> have a quote from Jeff Williams saying what a great job we do  :)  But
>> that's not the right way to approach.  I'd rather provide guidance on how we
>> do testing and why we think this is great via the Commercial Services
>> Registry and let folks evaluate as they see fit.
>>
>> It would be hard enough to find the "OWASP voice" for general industry
>> issues like certification.  When we mix vendor and independence issues into
>> the discussion we're treading on dangerous ground.
>>
>> Thanks,
>>
>> Dan
>>
>>
>>
>> > I would support that at this stage of the OWASP Foundation.
>> >
>> > Take a look at the most current list:
>> >
>> > http://www.owasp.org/index.php/Membership#Current_OWASP_Organization_Supporters_.26_Individual_Members
>> >
>> > What can you say about EVERYONE?
>> >
>> > Since we do not endorse anyone, we can say these firms have
>> > demonstrated an alliance to the goals and mission of OWASP.  Maybe we
>> > send them a signed letter thanking them for the support.
>> >
>> >
>> >
>> > On Jun 28, 2010, at 1:01 PM, Jeff Williams wrote:
>> >
>> > > I'll follow up with them today about this and ask if they've made any
>> > progress on their claimed transparency.  As I mentioned at the outset,
>> > if they're not transparent about what they cover and what they do, then
>> > I don't think the quote is justified.
>> > >
>> > > Tom, were you suggesting that we shouldn't do *any* quote about
>> > companies that are non-members?
>> > >
>> > > --Jeff
>> > >
>> > >
>> > > From: dinis cruz [mailto:dinis.cruz at owasp.org]
>> > > Sent: Monday, June 28, 2010 9:53 AM
>> > > To: Brennan - OWASP
>> > > Cc: Jeff Williams; OWASP Foundation Board List; Cornell Dan
>> > > Subject: Re: [Owasp-board] Need guidance on providing OWASP quote to
>> > Veracode
>> > >
>> > > Sorry, last email was sent too soon; the last comment I was making was
>> > (new bit in bold):
>> > >
>> > > ... And yes, your list of firms around OWASP is just a small subset
>> > of the companies that would want to play this game (note how Jeff's
>> > quote (which eventually will become OWASP's quote) is sending a
>> > 'parallel' message that 'some' product companies are dangerously
>> > asserting Top 10 coverage and compliance
>> > >
>> > > Dinis Cruz
>> > >
>> > >
>> > > On 28 June 2010 14:50, dinis cruz <dinis.cruz at owasp.org> wrote:
>> > > We need to have both quotes
>> > >
>> > > one that is generic for each type of user or type of usage of OWASP
>> > materials
>> > > one that is specific to a particular scenario (like the Veracode one)
>> > > For reference here is the original quote that Jeff proposed that we
>> > gave Veracode:
>> > >
>> > > "The OWASP Foundation is pleased that Veracode will support the Top
>> > 10. Managing application security requires an understanding of what has
>> > been checked and what has not. Veracode's message of transparency and
>> > combining both manual and automated verification techniques stand in
>> > stark contrast to those product vendors that wrongly and dangerously
>> > assert complete Top 10 coverage and compliance."
>> > >
>> > > I think this is a very important quote for OWASP to be providing and
>> > we need to do it.
>> > >
>> > > BUT (as I said in previous emails) we need to do this under a clear
>> > process and (in the beginning) under a 'this is an experiment' banner
>> > >
>> > > And yes, your list of firms around OWASP is just a small subset of
>> > the companies that would want to play this game (note how Jeff's quote
>> > (which eventually will become OWASP's q
>> > >
>> > >
>> > > Dinis Cruz
>> > >
>> > > Blog: http://diniscruz.blogspot.com
>> > > Twitter: http://twitter.com/DinisCruz
>> > > Web: http://www.owasp.org/index.php/O2
>> > >
>> > >
>> > >
>> > > On 28 June 2010 14:44, Brennan - OWASP <tomb at owasp.org> wrote:
>> > > Sounds like you are suggesting a (3) generic or blanket quote to be
>> > used by corporate, university and industry sponsors in unification of
>> > the Owasp mission
>> > >
>> > > Look at core firms look around the room
>> > >
>> > > Aspect
>> > > WhiteHat
>> > > Trustwave
>> > > Denim
>> > > Fortify
>> > > Veracode
>> > > Columbia
>> > > NYC poly
>> > > Salesforce
>> > > <insert>....
>> > >
>> > > Keep it simple.  As a value of membership you get to use one of these
>> > in releases as you are a recognized supporter.  If you want to hire or
>> > retain PR company they would tell you the same ( I just called a buddy
>> > in the PR industry for her thoughts )
>> > >
>> > > Tom Brennan
>> > > 973-506-9303
>> > >
>> > >
>> > > On Jun 28, 2010, at 9:14 AM, dinis cruz <dinis.cruz at owasp.org> wrote:
>> > >
>> > > I don't think that fairness is the issue here, but the process of
>> > how we do this (and we need to look at this from OWASP's point of view,
>> > not from Veracode's)
>> > >
>> > > I don't see how we can deliver these 'official OWASP quotes' outside
>> > of our website!
>> > >
>> > > What would be the delivery mechanism? An email from a board member?
>> > An email from an OWASP employee? Is that email that will make it an
>> > official OWASP quote?
>> > >
>> > > Some of these opinions have the potential to generate some
>> > controversy (which in some cases is going to be a good thing), but we
>> > have to make sure we have a solid and clear process.
>> > >
>> > > Given the urgency of the request and the fact that it is the first
>> > one, we can explicitly shortcut some of the steps (like the public
>> > consultation period)
>> > >
>> > > BUT we have to:
>> > >
>> > > a) make it come from a special page on the OWASP website
>> > > b) present it as an experiment (where we are still trying to figure
>> > out the rules of engagement)
>> > >
>> > > Dinis Cruz
>> > >
>> > > On 26 Jun 2010, at 18:38, Jeff Williams <jeff.williams at owasp.org>
>> > wrote:
>> > >
>> > > It's not fair to preempt their press release.
>> > >
>> > > --Jeff
>> > >
>> > > Jeff Williams
>> > > Aspect Security
>> > > work: 410-707-1487
>> > > main: 301-604-4882
>> > >
>> > >
>> > >
>> > > On Jun 25, 2010, at 4:52 PM, dinis cruz <dinis.cruz at owasp.org> wrote:
>> > >
>> > > Have they seen your quote?
>> > >
>> > > Due to the time restraints, let's publish the first ideas on how
>> > this could work in the Wiki at the same time that we give them the
>> > quote.
>> > >
>> > > In fact they should get the quote from the Wiki
>> > >
>> > > Dinis Cruz
>> > >
>> > > On 25 Jun 2010, at 21:25, Jeff Williams <jeff.williams at owasp.org>
>> > wrote:
>> > >
>> > > They're on kind of a short burn for this particular quote.  How about
>> > we give them the quote and then put that infrastructure in place
>> > afterwards.
>> > >
>> > > --Jeff
>> > >
>> > >
>> > > From: dinis cruz [mailto:dinis.cruz at owasp.org]
>> > > Sent: Friday, June 25, 2010 1:28 PM
>> > > To: Jeff Williams
>> > > Cc: OWASP Foundation Board List
>> > > Subject: Re: [Owasp-board] Need guidance on providing OWASP quote to
>> > Veracode
>> > >
>> > > Hi Jeff,
>> > >
>> > > I definitely think that OWASP should have 'on the record' quotes
>> > about what 3rd parties are doing with OWASP's projects.
>> > >
>> > > In terms of workflow and rules, I would like to propose that:
>> > >
>> > >     * All quotes are placed in specific locations of the OWASP Wiki
>> > (i.e. on dedicated pages which could be global to OWASP or project
>> > specific) where it is obvious that those are OWASP Official quotes
>> > (this page should be protected from non-wiki-admin edits)
>> > >     * For each 'official OWASP quote' there should be a period of
>> > consultation where all interested parties have the opportunity to 'on
>> > the record' comment (namely OWASP Committee members and leaders)
>> > >     * The first pass at the 'quote' should be made by the board or a
>> > committee to which we delegate the responsibility (maybe the Industry one
>> > (when it becomes alive again))
>> > >     * After the consultation period, the board has final decision on
>> > the final wording of the text
>> > >     * There are cases where the 'OWASP official quote' will probably
>> > be 'OWASP has no comment on this topic'
>> > > What do you think? We should use this Veracode request to try this
>> > out (which again should be presented to our community as an
>> > 'experiment')
>> > >
>> > > Dinis Cruz
>> > >
>> > >
>> > > On 24 June 2010 03:35, Jeff Williams <jeff.williams at owasp.org> wrote:
>> > > Here's the background.  Veracode is going to start supporting the
>> > OWASP T10 output format.  They are making a big deal about how OWASP
>> > has grown to achieve widespread industry acceptance, blah blah blah...
>> > They are also pushing a clear message that gaining assurance involves a
>> > combination of both automated and manual testing.
>> > >
>> > > On the call, I asked them whether they would be willing to be very
>> > clear about exactly which of the OWASP T10 recommendations their
>> > product/service verifies.  This was my minimum bar for participating.
>> > At the high end, I asked if they would go through the ASVS and indicate
>> > which of those they can verify.
>> > >
>> > > Essentially, all they're doing is what everyone does: say that their
>> > service solves the OWASP T10.   I think we should ONLY support these
>> > statements if the vendor is willing to FULLY disclose exactly what
>> > their coverage is and how it is achieved.  That goes right to the core
>> > of the issue we've been discussing.  I think we can support these
>> > commercial vendors as long as they do their part in making security
>> > *visible*.
>> > >
>> > > So they've asked me for a quote.  Assuming they disclose, I'm
>> > thinking something like...
>> > >
>> > > "The OWASP Foundation is pleased that Veracode will support the Top
>> > 10. Managing application security requires an understanding of what has
>> > been checked and what has not. Veracode's message of transparency and
>> > combining both manual and automated verification techniques stand in
>> > stark contrast to those product vendors that wrongly and dangerously
>> > assert complete Top 10 coverage and compliance."
>> > >
>> > > VOTE: Do you think OWASP should issue quotes like this when vendors
>> > do something that 1) involves OWASP and 2) is basically in line with
>> > our principles?  Or should we just stay clear?
>> > >
>> > > --Jeff
>> > >
>> > > Jeff Williams, Chair
>> > > The OWASP Foundation
>> > > work: 410-707-1487
>> > > main: 301-604-4882
>> > >
>> > >
>> > > _______________________________________________
>> > > Owasp-board mailing list
>> > > Owasp-board at lists.owasp.org
>> > > https://lists.owasp.org/mailman/listinfo/owasp-board
>> > >
>> >
>>
>>
>
>
>
> --
> Eoin Keary
> OWASP Global Board Member
> OWASP Code Review Guide Lead Author
>
> Sent from my i-Transmogrifier
> http://asg.ie/
> https://twitter.com/EoinKeary
>
>