[Owasp-board] Need guidance on providing OWASP quote to Veracode
Jeff Williams
jeff.williams at owasp.org
Sat Jun 26 17:38:41 UTC 2010
It's not fair to preempt their press release.
--Jeff
Jeff Williams
Aspect Security
work: 410-707-1487
main: 301-604-4882
On Jun 25, 2010, at 4:52 PM, dinis cruz <dinis.cruz at owasp.org> wrote:
> Have they seen your quote?
>
> Due to the time restraints, then let's publish the first ideas on how
> this could work in the Wiki at the same time that we give them the
> quote.
>
> In fact they should get the quote from the Wiki
>
> Dinis Cruz
>
> On 25 Jun 2010, at 21:25, Jeff Williams <jeff.williams at owasp.org>
> wrote:
>
>> They’re on kind of a short burn for this particular quote. How about
>> we give them the quote and then put that infrastructure in place
>> afterwards.
>>
>> --Jeff
>>
>> From: dinis cruz [mailto:dinis.cruz at owasp.org]
>> Sent: Friday, June 25, 2010 1:28 PM
>> To: Jeff Williams
>> Cc: OWASP Foundation Board List
>> Subject: Re: [Owasp-board] Need guidance on providing OWASP quote to Veracode
>>
>> Hi Jeff,
>>
>> I definitely think that OWASP should have 'on the record' quotes
>> about what 3rd parties are doing with OWASP's projects.
>>
>> In terms of workflow and rules, I would like to propose that:
>>
>> - All quotes are placed in specific locations of the OWASP Wiki (i.e.
>>   on dedicated pages which could be global to OWASP or project
>>   specific) where it is obvious that those are OWASP Official quotes
>>   (this page should be protected from non-wiki-admin edits)
>> - For each 'official OWASP quote' there should be a period of
>>   consultation where all interested parties have the opportunity to
>>   comment 'on the record' (namely OWASP Committee members and leaders)
>> - The first pass at the 'quote' should be made by the board or a
>>   committee that we delegate the responsibility to (maybe the Industry
>>   one (when it becomes alive again))
>> - After the consultation period, the board has final decision on the
>>   final wording of the text
>> - There are cases where the 'OWASP official quote' will probably be
>>   'OWASP has no comment on this topic'
>>
>> What do you think? We should use this Veracode request to try this
>> out (which again should be presented to our community as an
>> 'experiment')
>>
>> Dinis Cruz
>>
>> On 24 June 2010 03:35, Jeff Williams <jeff.williams at owasp.org> wrote:
>>
>> Here’s the background. Veracode is going to start supporting the
>> OWASP T10 output format. They are making a big deal about how OWASP
>> has grown to achieve widespread industry acceptance, blah blah
>> blah… They are also pushing a clear message that gaining assurance
>> involves a combination of both automated and manual testing.
>>
>> On the call, I asked them whether they would be willing to be very
>> clear about exactly which of the OWASP T10 recommendations their
>> product/service verifies. This was my minimum bar for
>> participating. At the high end, I asked if they would go through
>> the ASVS and indicate which of those they can verify.
>>
>> Essentially, all they’re doing is what everyone does: say that their
>> service solves the OWASP T10. I think we should ONLY support
>> these statements if the vendor is willing to FULLY disclose exactly
>> what their coverage is and how it is achieved. That goes right
>> to the core of the issue we’ve been discussing. I think we can
>> support these commercial vendors as long as they do their part in
>> making security *visible*.
>>
>> So they’ve asked me for a quote. Assuming they disclose, I’m
>> thinking something like…
>>
>> “The OWASP Foundation is pleased that Veracode will support the Top
>> 10. Managing application security requires an understanding of what
>> has been checked and what has not. Veracode’s message of
>> transparency and combining both manual and automated verification
>> techniques stands in stark contrast to those product vendors that
>> wrongly and dangerously assert complete Top 10 coverage and
>> compliance.”
>>
>> VOTE: Do you think OWASP should issue quotes like this when vendors
>> do something that 1) involves OWASP and 2) is basically in line
>> with our principles? Or should we just stay clear?
>>
>> --Jeff
>>
>> Jeff Williams, Chair
>> The OWASP Foundation
>> work: 410-707-1487
>> main: 301-604-4882
>>
>