[Owasp-board] Need guidance on providing OWASP quote to Veracode

dinis cruz dinis.cruz at owasp.org
Sun Jun 27 12:37:09 UTC 2010


Note that there are two different types of 'OWASP official quote' we
are talking about here:

1) a quote about how a particular company uses OWASP materials (in
this case Veracode use of the OWASP Top 10)
2) a quote about a new OWASP member (corporate, educational or
individual) and the positive implication of joining OWASP

Both cases are important for OWASP and we should do both. But while
the 2nd case should (in most cases) be a marketing/thank-you exercise
(with little need for guidelines), the first case is very
politically charged (and requires strong guidelines and governance).

I think the 1st type of 'official quote' is very important for OWASP,
since that will allow us to have clear positions (which can change
over time) about 'usage of OWASP projects' and specific topics in our
industry.

Dinis Cruz

On 27 Jun 2010, at 06:31, Matt Tesauro <matt.tesauro at owasp.org> wrote:

> I second this approach.  Not only does it provide a concrete benefit
> to our corporate members, it provides a good incentive to "play nice".
> It is in alignment with my recommendation to give new/renewing corporate
> members a small blurb in the OWASP Newsletter.
>
> The one point of caution is to avoid the appearance of $5K donation =
> positive comment from OWASP.  It seems to me this can be handled by
> carefully documenting how this will work for all corporate members
> then sticking to that.
>
> --
> -- Matt Tesauro
> OWASP Board Member
> OWASP Live CD Project Lead
> http://www.owasp.org/index.php/Category:OWASP_Live_CD_Project
> http://AppSecLive.org - Community and Download site
>
> On 6/25/10 5:24 PM, Brennan - OWASP wrote:
>> Quotes to service providers should be provided to welcome new OWASP
>> Supporters -- they seem to be missing from that list
>>
>> http://www.owasp.org/index.php/Membership#Current_OWASP_Organization_Supporters_.26_Individual_Members
>>
>> On Jun 25, 2010, at 10:25 PM, Jeff Williams wrote:
>>
>>> They’re on kind of a short burn for this particular quote.  How
>>> about we give them the quote and then put that infrastructure in
>>> place afterwards.
>>>
>>> --Jeff
>>>
>>>
>>> From: dinis cruz [mailto:dinis.cruz at owasp.org]
>>> Sent: Friday, June 25, 2010 1:28 PM
>>> To: Jeff Williams
>>> Cc: OWASP Foundation Board List
>>> Subject: Re: [Owasp-board] Need guidance on providing OWASP quote
>>> to Veracode
>>>
>>> Hi Jeff,
>>>
>>> I definitely think that OWASP should have 'on the record' quotes
>>> about what 3rd parties are doing with OWASP's projects.
>>>
>>> In terms of workflow and rules, I would like to propose that:
>>>
>>> • All quotes are placed in specific locations of the OWASP Wiki
>>> (i.e. on dedicated pages which could be global to OWASP or
>>> project specific) where it is obvious that those are OWASP Official
>>> quotes (this page should be protected from non-wiki-admin edits)
>>> • For each 'official OWASP quote' there should be a period of
>>> consultation where all interested parties have the opportunity to
>>> 'on the record' comment (namely OWASP Committee members and
>>> leaders)
>>> • The first pass at the 'quote' should be made by the
>>> board or a committee that we delegate the responsibility (maybe the
>>> Industry one (when it becomes alive again))
>>> • After the consultation period, the board has final decision on the
>>> final wording of the text
>>> • There are cases where the 'OWASP official quote' will probably be
>>> 'OWASP has no comment on this topic'
>>>
>>> What do you think? We should use this Veracode request to try this out
>>> (which again should be presented to our community as an
>>> 'experiment')
>>>
>>> Dinis Cruz
>>>
>>>
>>>
>>> On 24 June 2010 03:35, Jeff Williams <jeff.williams at owasp.org>
>>> wrote:
>>>
>>> Here’s the background.  Veracode is going to start
>>> supporting the OWASP T10 output format.  They are making a big deal
>>> about how OWASP has grown to achieve widespread industry
>>> acceptance, blah blah blah…  They are also pushing a clear message
>>> that gaining assurance involves a combination of both automated and
>>> manual testing.
>>>
>>> On the call, I asked them whether they would be willing to be very
>>> clear about exactly which of the OWASP T10 recommendations their
>>> product/service verifies.  This was my minimum bar for
>>> participating.  At the high end, I asked if they would go through
>>> the ASVS and indicate which of those they can verify.
>>>
>>> Essentially, all they’re doing is what everyone does: say that
>>> their service solves the OWASP T10.   I think we should ONLY
>>> support these statements if the vendor is willing to FULLY disclose
>>> exactly what their coverage is and how it is achieved.  That goes
>>> right to the core of the issue we’ve been discussing.  I think we
>>> can support these commercial vendors as long as they do their part
>>> in making security *visible*.
>>>
>>> So they’ve asked me for a quote.  Assuming they disclose, I’m
>>> thinking something like…
>>>
>>> “The OWASP Foundation is pleased that Veracode will support the Top
>>> 10. Managing application security requires an understanding of what
>>> has been checked and what has not. Veracode’s message of
>>> transparency and combining both manual and automated verification
>>> techniques stands in stark contrast to those product vendors that
>>> wrongly and dangerously assert complete Top 10 coverage and
>>> compliance.”
>>>
>>> VOTE: Do you think OWASP should issue quotes like this when vendors
>>> do something that 1) involves OWASP and 2) is basically in line
>>> with our principles?  Or should we just stay clear?
>>>
>>> --Jeff
>>>
>>> Jeff Williams, Chair
>>> The OWASP Foundation
>>> work: 410-707-1487
>>> main: 301-604-4882
>>>
>>>
>>> _______________________________________________
>>> Owasp-board mailing list
>>> Owasp-board at lists.owasp.org
>>> https://lists.owasp.org/mailman/listinfo/owasp-board
>>>
