[Owasp-board] Need guidance on providing OWASP quote to Veracode

dinis cruz dinis.cruz at owasp.org
Mon Jun 28 13:53:22 UTC 2010


Sorry, last email was sent too soon; the last comment I was making was (new
bit in bold):

... And yes, your list of firms around OWASP is just a small subset of the
companies that would want to play this game (note how Jeff's quote (which
eventually will become OWASP's *quote) is sending a 'parallel' message that
'some' product companies are dangerously asserting Top 10 coverage and
compliance*

Dinis Cruz


On 28 June 2010 14:50, dinis cruz <dinis.cruz at owasp.org> wrote:

> We need to have both quotes
>
> one that is generic for each type of user or type of usage of OWASP
> materials
> one that is specific to a particular scenario (like the Veracode one)
>
> For reference here is the original quote that Jeff proposed that we gave
> Veracode:
>
> *“The OWASP Foundation is pleased that Veracode will support the Top 10.
> Managing application security requires an understanding of what has been
> checked and what has not. Veracode’s message of transparency and combining
> both manual and automated verification techniques stand in stark contrast to
> those product vendors that wrongly and dangerously assert complete Top 10
> coverage and compliance.”*
>
> I think this is a very important quote for OWASP to be providing and we
> need to do it.
>
> BUT (as I said in previous emails) we need to do this under a clear process
> and (in the beginning) under a 'this is an experiment' banner
>
> And yes, your list of firms around OWASP is just a small subset of the
> companies that would want to play this game (note how Jeff's quote (which
> eventually will become OWASP's q
>
>
> Dinis Cruz
>
> Blog: http://diniscruz.blogspot.com
> Twitter: http://twitter.com/DinisCruz
> Web: http://www.owasp.org/index.php/O2
>
>
>
> On 28 June 2010 14:44, Brennan - OWASP <tomb at owasp.org> wrote:
>
>> Sounds like you are suggesting a (3) generic or blanket quote to be used
>> by corporate, university and industry sponsors in unification of the Owasp
>> mission
>>
>> Look at core firms look around the room
>>
>> Aspect
>> WhiteHat
>> Trustwave
>> Denim
>> Fortify
>> Veracode
>> Columbia
>> NYC poly
>> Salesforce
>> <insert>....
>>
>> Keep it simple.  As a value of membership you get to use one of these in
>> releases as you are a recognized supporter.  If you want to hire or retain
>> PR company they would tell you the same ( I just called a buddy in the PR
>> industry for her thoughts )
>>
>> Tom Brennan
>> 973-506-9303
>>
>>
>> On Jun 28, 2010, at 9:14 AM, dinis cruz <dinis.cruz at owasp.org> wrote:
>>
>> I don't think that fairness is the issue here, but the process of how we
>> do this (and we need to look at this from OWASP's point of view, not from
>> Veracode's)
>>
>> I don't see how we can deliver these 'official OWASP quotes' outside of
>> our website!
>>
>> What would be the delivery mechanism? An email from a board member? An
>> email from an OWASP employee? Is that email that will make it an official
>> OWASP quote?
>>
>> Some of these opinions have the potential to generate some controversy
>> (which in some cases is going to be a good thing), but we have to make sure
>> we have a solid and clear process.
>>
>> Given the urgency of the request and the fact that it is the first one, we
>> can explicitly shortcut some of the steps (like the public consultation
>> period)
>>
>> BUT we have to:
>>
>> a) make it come from a special page on the OWASP website
>> b) present it as an experiment (where we are still trying to figure out
>> the rules of engagement)
>>
>> Dinis Cruz
>>
>> On 26 Jun 2010, at 18:38, Jeff Williams <jeff.williams at owasp.org> wrote:
>>
>> It's not fair to preempt their press release.
>>
>> --Jeff
>>
>> Jeff Williams
>> Aspect Security
>> work: 410-707-1487
>> main: 301-604-4882
>>
>>
>>
>> On Jun 25, 2010, at 4:52 PM, dinis cruz <dinis.cruz at owasp.org> wrote:
>>
>> Have they seen your quote?
>>
>> Due to the time restraints, then let's publish the first ideas on how this
>> could work in the Wiki at the same time that we give them the quote.
>>
>> In fact they should get the quote from the Wiki
>>
>> Dinis Cruz
>>
>> On 25 Jun 2010, at 21:25, Jeff Williams <jeff.williams at owasp.org> wrote:
>>
>> They’re on kind of a short burn for this particular quote.  How about we
>> give them the quote and then put that infrastructure in place afterwards.
>>
>>
>>
>> --Jeff
>>
>>
>>
>>
>>
>> *From:* dinis cruz [mailto:dinis.cruz at owasp.org]
>> *Sent:* Friday, June 25, 2010 1:28 PM
>> *To:* Jeff Williams
>> *Cc:* OWASP Foundation Board List
>> *Subject:* Re: [Owasp-board] Need guidance on providing OWASP quote to
>> Veracode
>>
>>
>>
>> Hi Jeff,
>>
>>
>>
>> I definitely think that OWASP should have 'on the record' quotes about
>> what 3rd parties are doing with OWASP's projects.
>>
>>
>>
>> In terms of workflow and rules, I would like to propose that:
>>
>>
>>
>> - All quotes are placed in specific locations of the OWASP Wiki (i.e.
>>   on dedicated pages which could be global to OWASP or project specific)
>>   where it is obvious that those are OWASP Official quotes (this page should
>>   be protected from non-wiki-admin edits)
>> - For each 'official OWASP quote' there should be a period of
>>   consultation where all interested parties have the opportunity to 'on the
>>   record' comment (namely OWASP Committee members and leaders)
>> - The first pass at the 'quote' should be made by the board or a
>>   committee that we delegate the responsibility to (maybe the Industry one (when
>>   it becomes alive again))
>> - After the consultation period, the board has final decision on the
>>   final wording of the text
>> - There are cases where the 'OWASP official quote' will probably be
>>   'OWASP has no comment on this topic'
>>
>> What do you think? We should use this Veracode request to try this out
>> (which again should be presented to our community as an 'experiment')
>>
>>
>> Dinis Cruz
>>
>>
>> On 24 June 2010 03:35, Jeff Williams <jeff.williams at owasp.org> wrote:
>>
>> Here’s the background.  Veracode is going to start supporting the OWASP
>> T10 output format.  They are making a big deal about how OWASP has grown to
>> achieve widespread industry acceptance, blah blah blah…  They are also
>> pushing a clear message that gaining assurance involves a combination of
>> both automated and manual testing.
>>
>>
>>
>> On the call, I asked them whether they would be willing to be very clear
>> about exactly which of the OWASP T10 recommendations their product/service
>> verifies.  This was my minimum bar for participating.  At the high end, I
>> asked if they would go through the ASVS and indicate which of those they can
>> verify.
>>
>>
>>
>> Essentially, all they’re doing is what everyone does: say that their
>> service solves the OWASP T10.  I think we should ONLY support these
>> statements if the vendor is willing to FULLY disclose exactly what their
>> coverage is and how it is achieved.  That goes right to the core of the
>> issue we’ve been discussing.  I think we can support these commercial
>> vendors as long as they do their part in making security **visible**.
>>
>>
>>
>> So they’ve asked me for a quote.  Assuming they disclose, I’m thinking
>> something like…
>>
>>
>>
>> “The OWASP Foundation is pleased that Veracode will support the Top 10.
>> Managing application security requires an understanding of what has been
>> checked and what has not. Veracode’s message of transparency and combining
>> both manual and automated verification techniques stand in stark contrast to
>> those product vendors that wrongly and dangerously assert complete Top 10
>> coverage and compliance.”
>>
>>
>>
>> VOTE: Do you think OWASP should issue quotes like this when vendors do
>> something that 1) involves OWASP and 2) is basically in line with our
>> principles?  Or should we just stay clear?
>>
>>
>>
>> --Jeff
>>
>>
>>
>> Jeff Williams, Chair
>>
>> The OWASP Foundation
>>
>> work: 410-707-1487
>>
>> main: 301-604-4882
>>
>>
>>
>>
>> _______________________________________________
>> Owasp-board mailing list
>> Owasp-board at lists.owasp.org
>> https://lists.owasp.org/mailman/listinfo/owasp-board
>>
>>
>>
>>
>>
>