[Owasp-board] Need guidance on providing OWASP quote to Veracode

Brennan - OWASP tomb at owasp.org
Fri Jun 25 22:24:14 UTC 2010


Quotes to service providers should be provided to welcome new OWASP Supporters -- they seem to be missing from that list

http://www.owasp.org/index.php/Membership#Current_OWASP_Organization_Supporters_.26_Individual_Members

On Jun 25, 2010, at 10:25 PM, Jeff Williams wrote:

> They’re on kind of a short burn for this particular quote.  How about we give them the quote and then put that infrastructure in place afterwards.
>  
> --Jeff
>  
>  
> From: dinis cruz [mailto:dinis.cruz at owasp.org] 
> Sent: Friday, June 25, 2010 1:28 PM
> To: Jeff Williams
> Cc: OWASP Foundation Board List
> Subject: Re: [Owasp-board] Need guidance on providing OWASP quote to Veracode
>  
> Hi Jeff, 
>  
> I definitely think that OWASP should have 'on the record' quotes about what 3rd parties are doing with OWASP's projects.
>  
> In terms of workflow and rules, I would like to propose that:
>  
> 	• All quotes are placed in specific locations of the OWASP Wiki (i.e. on dedicated pages which could be global to OWASP or project specific) where it is obvious that those are OWASP Official quotes (this page should be protected from non-wiki-admin edits)
> 	• For each 'official OWASP quote' there should be a period of consultation where all interested parties have the opportunity to 'on the record' comment (namely OWASP Committee members and leaders)
> 	• The first pass at the 'quote' should be made by the board or a committee that we delegate the responsibility (maybe the Industry one (when it becomes alive again))
> 	• After the consultation period, the board has final decision on the final wording of the text
> 	• There are cases where the 'OWASP official quote' will probably be 'OWASP has no comment on this topic'
> What do you think? We should use this Veracode request to try this out (which again should be presented to our community as an 'experiment')
> 
> Dinis Cruz
> 
> 
> 
> On 24 June 2010 03:35, Jeff Williams <jeff.williams at owasp.org> wrote:
> Here’s the background.  Veracode is going to start supporting the OWASP T10 output format.  They are making a big deal about how OWASP has grown to achieve widespread industry acceptance, blah blah blah…  They are also pushing a clear message that gaining assurance involves a combination of both automated and manual testing.
>  
> On the call, I asked them whether they would be willing to be very clear about exactly which of the OWASP T10 recommendations their product/service verifies.  This was my minimum bar for participating.  At the high end, I asked if they would go through the ASVS and indicate which of those they can verify.
>  
> Essentially, all they’re doing is what everyone does: say that their service solves the OWASP T10.   I think we should ONLY support these statements if the vendor is willing to FULLY disclose exactly what their coverage is and how it is achieved.  That goes right to the core of the issue we’ve been discussing.  I think we can support these commercial vendors as long as they do their part in making security *visible*.
>  
> So they’ve asked me for a quote.  Assuming they disclose, I’m thinking something like…
>  
> “The OWASP Foundation is pleased that Veracode will support the Top 10. Managing application security requires an understanding of what has been checked and what has not. Veracode’s message of transparency and combining both manual and automated verification techniques stands in stark contrast to those product vendors that wrongly and dangerously assert complete Top 10 coverage and compliance.”
>  
> VOTE: Do you think OWASP should issue quotes like this when vendors do something that 1) involves OWASP and 2) is basically in line with our principles? Or should we just stay clear?
>  
> --Jeff
>  
> Jeff Williams, Chair
> The OWASP Foundation
> work: 410-707-1487
> main: 301-604-4882
>  
> 
> _______________________________________________
> Owasp-board mailing list
> Owasp-board at lists.owasp.org
> https://lists.owasp.org/mailman/listinfo/owasp-board
> 
