[Owasp-board] Need guidance on providing OWASP quote to Veracode
Matt Tesauro
matt.tesauro at owasp.org
Sun Jun 27 05:31:05 UTC 2010
I second this approach. Not only does it provide a concrete benefit to
our corporate members, it provides a good incentive to "play nice". It
is in alignment with my recommendation to give new/renewing corporate
members a small blurb in the OWASP Newsletter.
The one point of caution is to avoid the appearance of $5K donation =
positive comment from OWASP. It seems to me this can be handled by
carefully documenting how this will work for all corporate members then
sticking to that.
--
-- Matt Tesauro
OWASP Board Member
OWASP Live CD Project Lead
http://www.owasp.org/index.php/Category:OWASP_Live_CD_Project
http://AppSecLive.org - Community and Download site
On 6/25/10 5:24 PM, Brennan - OWASP wrote:
> Quotes to service providers should be provided to welcome new OWASP
> Supporters -- they seem to be missing from that list
>
> http://www.owasp.org/index.php/Membership#Current_OWASP_Organization_Supporters_.26_Individual_Members
>
> On Jun 25, 2010, at 10:25 PM, Jeff Williams wrote:
>
>> They’re on kind of a short burn for this particular quote. How
>> about we give them the quote and then put that infrastructure in
>> place afterwards.
>>
>> --Jeff
>>
>>
>> From: dinis cruz [mailto:dinis.cruz at owasp.org]
>> Sent: Friday, June 25, 2010 1:28 PM
>> To: Jeff Williams
>> Cc: OWASP Foundation Board List
>> Subject: Re: [Owasp-board] Need guidance on providing OWASP quote to Veracode
>>
>> Hi Jeff,
>>
>> I definitely think that OWASP should have 'on the record' quotes
>> about what 3rd parties are doing with OWASP's projects.
>>
>> In terms of workflow and rules, I would like to propose that:
>>
>> • All quotes are placed in specific locations of the OWASP Wiki
>> (i.e. on dedicated pages which could be global to OWASP or
>> project specific) where it is obvious that those are OWASP Official
>> quotes (this page should be protected from non-wiki-admin edits)
>> • For each 'official OWASP quote' there should be a period of
>> consultation where all interested parties have the opportunity to
>> comment 'on the record' (namely OWASP Committee members and
>> leaders)
>> • The first pass at the 'quote' should be made by the
>> board or a committee that we delegate the responsibility to (maybe the
>> Industry one (when it becomes alive again))
>> • After the consultation period, the board has final decision on the final
>> wording of the text
>> • There are cases where the 'OWASP official
>> quote' will probably be 'OWASP has no comment on this topic'
>>
>> What do you think? We should use this Veracode request to try this out
>> (which again should be presented to our community as an
>> 'experiment')
>>
>> Dinis Cruz
>>
>>
>>
>> On 24 June 2010 03:35, Jeff Williams <jeff.williams at owasp.org> wrote:
>>
>> Here's the background. Veracode is going to start
>> supporting the OWASP T10 output format. They are making a big deal
>> about how OWASP has grown to achieve widespread industry
>> acceptance, blah blah blah… They are also pushing a clear message
>> that gaining assurance involves a combination of both automated and
>> manual testing.
>>
>> On the call, I asked them whether they would be willing to be very
>> clear about exactly which of the OWASP T10 recommendations their
>> product/service verifies. This was my minimum bar for
>> participating. At the high end, I asked if they would go through
>> the ASVS and indicate which of those they can verify.
>>
>> Essentially, all they’re doing is what everyone does: say that
>> their service solves the OWASP T10. I think we should ONLY
>> support these statements if the vendor is willing to FULLY disclose
>> exactly what their coverage is and how it is achieved. That goes
>> right to the core of the issue we’ve been discussing. I think we
>> can support these commercial vendors as long as they do their part
>> in making security *visible*.
>>
>> So they’ve asked me for a quote. Assuming they disclose, I’m
>> thinking something like…
>>
>> "The OWASP Foundation is pleased that Veracode will support the Top
>> 10. Managing application security requires an understanding of what
>> has been checked and what has not. Veracode's message of
>> transparency and combining both manual and automated verification
>> techniques stands in stark contrast to those product vendors that
>> wrongly and dangerously assert complete Top 10 coverage and
>> compliance."
>>
>> VOTE: Do you think OWASP should issue quotes like this when vendors
>> do something that 1) involves OWASP and 2) is basically in line
>> with our principles? Or should we just stay clear?
>>
>> --Jeff
>>
>> Jeff Williams, Chair
>> The OWASP Foundation
>> work: 410-707-1487
>> main: 301-604-4882
>>
>>
>> _______________________________________________
>> Owasp-board mailing list
>> Owasp-board at lists.owasp.org
>> https://lists.owasp.org/mailman/listinfo/owasp-board