[Owasp-board] Need guidance on providing OWASP quote to Veracode
dinis.cruz at owasp.org
Mon Jun 28 13:14:33 UTC 2010
I don't think that fairness is the issue here, but the process of how we
do this (and we need to look at this from OWASP's point of view, not from
I don't see how we can deliver these 'official OWASP quotes' outside of our
What would be the delivery mechanism? An email from a board member? An email
from an OWASP employee? Is that email that will make it an official OWASP
Some of these opinions have the potential to generate some controversy
(which in some cases is going to be a good thing), but we have to make sure
we have a solid and clear process.
Given the urgency of the request and the fact that it is the first one, we
can explicitly shortcut some of the steps (like the public consultation
BUT we have to:
a) make it come from a special page on the OWASP website
b) present it as an experiment (where we are still trying to figure out the
rules of engagement)
On 26 Jun 2010, at 18:38, Jeff Williams <jeff.williams at owasp.org> wrote:
It's not fair to preempt their press release.
On Jun 25, 2010, at 4:52 PM, dinis cruz <dinis.cruz at owasp.org> wrote:
Have they seen your quote?
Due to the time restraints, then let's publish the first ideas on how this
could work in the Wiki at the same time that we give them the quote.
In fact they should get the quote from the Wiki
On 25 Jun 2010, at 21:25, Jeff Williams <jeff.williams at owasp.org> wrote:
They’re on kind of a short burn for this particular quote. How about we
give them the quote and then put that infrastructure in place afterwards.
*From:* dinis cruz [mailto:dinis.cruz at owasp.org]
*Sent:* Friday, June 25, 2010 1:28 PM
*To:* Jeff Williams
*Cc:* OWASP Foundation Board List
*Subject:* Re: [Owasp-board] Need guidance on providing OWASP quote to
I definitely think that OWASP should have 'on the record' quotes about what
3rd parties are doing with OWASP's projects.
In terms of workflow and rules, I would like to propose that:
- All quotes are placed in specific locations of the OWASP Wiki (i.e. on
dedicated pages which could be global to OWASP or project specific) where
it is obvious that those are OWASP Official quotes (this page should be
protected from non-wiki-admin edits)
- For each 'official OWASP quote' there should be a period of
consultation where all interested parties have the opportunity to 'on the
record' comment (namely OWASP Committee members and leaders)
- The first pass at the 'quote' should be made by the board or a
committee that we delegate the responsibility (maybe the Industry one (when
it becomes alive again))
- After the consultation period, the board has final decision on the
final wording of the text
- There are cases where the 'OWASP official quote' will probably be
'OWASP has no comment on this topic'
What do you think? We should use this Veracode request to try this out
(which again should be presented to our community as an 'experiment')
On 24 June 2010 03:35, Jeff Williams <jeff.williams at owasp.org> wrote:
Here’s the background. Veracode is going to start supporting the OWASP T10
output format. They are making a big deal about how OWASP has grown to
achieve widespread industry acceptance, blah blah blah… They are also
pushing a clear message that gaining assurance involves a combination of
both automated and manual testing.
On the call, I asked them whether they would be willing to be very clear
about exactly which of the OWASP T10 recommendations their product/service
verifies. This was my minimum bar for participating. At the high end, I
asked if they would go through the ASVS and indicate which of those they can
Essentially, all they’re doing is what everyone does: say that their service
solves the OWASP T10. I think we should ONLY support these statements if
the vendor is willing to FULLY disclose exactly what their coverage is and
how it is achieved. That goes right to the core of the issue we’ve been
discussing. I think we can support these commercial vendors as long as they
do their part in making security **visible**.
So they’ve asked me for a quote. Assuming they disclose, I’m thinking
“The OWASP Foundation is pleased that Veracode will support the Top 10.
Managing application security requires an understanding of what has been
checked and what has not. Veracode’s message of transparency and combining
both manual and automated verification techniques stands in stark contrast to
those product vendors that wrongly and dangerously assert complete Top 10
coverage and compliance.”
VOTE: Do you think OWASP should issue quotes like this when vendors do
something that 1) involves OWASP and 2) is basically in line with our
principles? Or should we just stay clear?
Jeff Williams, Chair
The OWASP Foundation