[Owasp-board] Need guidance on providing OWASP quote to Veracode

Eoin eoin.keary at owasp.org
Thu Jun 24 09:34:00 UTC 2010


They are also sponsoring OWASP Ireland... as we Europeans are saying, "The
Americans are coming" [into the European market].

On 24 June 2010 03:35, Jeff Williams <jeff.williams at owasp.org> wrote:

> Here's the background. Veracode is going to start supporting the OWASP
> T10 output format. They are making a big deal about how OWASP has grown to
> achieve widespread industry acceptance, blah blah blah... They are also
> pushing a clear message that gaining assurance involves a combination of
> both automated and manual testing.
>
> On the call, I asked them whether they would be willing to be very clear
> about exactly which of the OWASP T10 recommendations their product/service
> verifies. This was my minimum bar for participating. At the high end, I
> asked if they would go through the ASVS and indicate which of those they can
> verify.
>
> Essentially, all they're doing is what everyone does: say that their
> service solves the OWASP T10. I think we should ONLY support these
> statements if the vendor is willing to FULLY disclose exactly what their
> coverage is and how it is achieved. That goes right to the core of the
> issue we've been discussing. I think we can support these commercial
> vendors as long as they do their part in making security **visible**.
>
> So they've asked me for a quote. Assuming they disclose, I'm thinking
> something like...
>
> "The OWASP Foundation is pleased that Veracode will support the Top 10.
> Managing application security requires an understanding of what has been
> checked and what has not. Veracode's message of transparency and combining
> both manual and automated verification techniques stands in stark contrast to
> those product vendors that wrongly and dangerously assert complete Top 10
> coverage and compliance."
>
> VOTE: Do you think OWASP should issue quotes like this when vendors do
> something that 1) involves OWASP and 2) is basically in line with our
> principles? Or should we just stay clear?
>
> --Jeff
>
> Jeff Williams, Chair
> The OWASP Foundation
> work: 410-707-1487
> main: 301-604-4882


-- 
Eoin Keary
OWASP Global Board Member
OWASP Code Review Guide Lead Author

Sent from my i-Transmogrifier
http://asg.ie/
https://twitter.com/EoinKeary