[Owasp-board] Need guidance on providing OWASP quote to Veracode

Jeff Williams jeff.williams at owasp.org
Sat Jun 26 17:39:13 UTC 2010


That's a damn good point

--Jeff

Jeff Williams
Aspect Security
work: 410-707-1487
main: 301-604-4882



On Jun 25, 2010, at 6:24 PM, Brennan - OWASP <tomb at owasp.org> wrote:

> Quotes to service providers should be provided to welcome new OWASP  
> Supporters -- they seem to be missing from that list
>
> http://www.owasp.org/index.php/Membership#Current_OWASP_Organization_Supporters_.26_Individual_Members
>
> On Jun 25, 2010, at 10:25 PM, Jeff Williams wrote:
>
>> They’re on kind of a short burn for this particular quote. How about
>> we give them the quote and then put that infrastructure in place
>> afterwards.
>>
>> --Jeff
>>
>>
>> From: dinis cruz [mailto:dinis.cruz at owasp.org]
>> Sent: Friday, June 25, 2010 1:28 PM
>> To: Jeff Williams
>> Cc: OWASP Foundation Board List
>> Subject: Re: [Owasp-board] Need guidance on providing OWASP quote to Veracode
>>
>> Hi Jeff,
>>
>> I definitely think that OWASP should have 'on the record' quotes  
>> about what 3rd parties are doing with OWASP's projects.
>>
>> In terms of workflow and rules, I would like to propose that:
>>
>>    • All quotes are placed in specific locations of the OWASP Wiki
>>      (i.e. on dedicated pages which could be global to OWASP or
>>      project specific) where it is obvious that those are OWASP Official
>>      quotes (this page should be protected from non-wiki-admin edits)
>>    • For each 'official OWASP quote' there should be a period of
>>      consultation where all interested parties have the opportunity to
>>      'on the record' comment (namely OWASP Committee members and leaders)
>>    • The first pass at the 'quote' should be made by the board or
>>      a committee that we delegate the responsibility (maybe the Industry
>>      one (when it becomes alive again))
>>    • After the consultation period, the board has final decision on
>>      the final wording of the text
>>    • There are cases where the 'OWASP official quote' will probably
>>      be 'OWASP has no comment on this topic'
>> What do you think? We should use this Veracode request to try this  
>> out (which again should be presented to our community as an  
>> 'experiment')
>>
>> Dinis Cruz
>>
>>
>>
>> On 24 June 2010 03:35, Jeff Williams <jeff.williams at owasp.org> wrote:
>> Here’s the background.  Veracode is going to start supporting the
>> OWASP T10 output format.  They are making a big deal about how OWASP
>> has grown to achieve widespread industry acceptance, blah blah blah…
>> They are also pushing a clear message that gaining assurance involves
>> a combination of both automated and manual testing.
>>
>> On the call, I asked them whether they would be willing to be very  
>> clear about exactly which of the OWASP T10 recommendations their  
>> product/service verifies.  This was my minimum bar for  
>> participating.  At the high end, I asked if they would go through  
>> the ASVS and indicate which of those they can verify.
>>
>> Essentially, all they’re doing is what everyone does: say that their
>> service solves the OWASP T10.   I think we should ONLY support these
>> statements if the vendor is willing to FULLY disclose exactly what
>> their coverage is and how it is achieved.  That goes right to the core
>> of the issue we’ve been discussing.  I think we can support these
>> commercial vendors as long as they do their part in making security
>> *visible*.
>>
>> So they’ve asked me for a quote.  Assuming they disclose, I’m  
>> thinking something like…
>>
>> “The OWASP Foundation is pleased that Veracode will support the Top 10.
>> Managing application security requires an understanding of what has
>> been checked and what has not. Veracode’s message of transparency and
>> combining both manual and automated verification techniques stand in
>> stark contrast to those product vendors that wrongly and dangerously
>> assert complete Top 10 coverage and compliance.”
>>
>> VOTE: Do you think OWASP should issue quotes like this when vendors  
>> do something that 1) involves OWASP and 2) is basically in line  
>> with our principles.  Or should we just stay clear.
>>
>> --Jeff
>>
>> Jeff Williams, Chair
>> The OWASP Foundation
>> work: 410-707-1487
>> main: 301-604-4882
>>
>>
>> _______________________________________________
>> Owasp-board mailing list
>> Owasp-board at lists.owasp.org
>> https://lists.owasp.org/mailman/listinfo/owasp-board
>