[Owasp-board] Need guidance on providing OWASP quote to Veracode
jeff.williams at owasp.org
Thu Jun 24 02:35:49 UTC 2010
Here's the background. Veracode is going to start supporting the OWASP T10
output format. They are making a big deal about how OWASP has grown to
achieve widespread industry acceptance, blah blah blah. They are also
pushing a clear message that gaining assurance involves a combination of
both automated and manual testing.
On the call, I asked them whether they would be willing to be very clear
about exactly which of the OWASP T10 recommendations their product/service
verifies. This was my minimum bar for participating. At the high end, I
asked if they would go through the ASVS and indicate which of those they can
Essentially, all they're doing is what everyone does: say that their service
solves the OWASP T10. I think we should ONLY support these statements if
the vendor is willing to FULLY disclose exactly what their coverage is and
how it is achieved. That goes right to the core of the issue we've been
discussing. I think we can support these commercial vendors as long as they
do their part in making security *visible*.
So they've asked me for a quote. Assuming they disclose, I'm thinking
"The OWASP Foundation is pleased that Veracode will support the Top 10.
Managing application security requires an understanding of what has been
checked and what has not. Veracode's message of transparency and combining
both manual and automated verification techniques stands in stark contrast to
those product vendors that wrongly and dangerously assert complete Top 10
coverage and compliance."
VOTE: Do you think OWASP should issue quotes like this when vendors do
something that 1) involves OWASP and 2) is basically in line with our
principles? Or should we just stay clear?
Jeff Williams, Chair
The OWASP Foundation