[Owasp-board] Need guidance on providing OWASP quote to Veracode

dinis cruz dinis.cruz at owasp.org
Mon Jun 28 17:24:12 UTC 2010


I think we should do these specific quotes 'on demand' (i.e. when explicitly
requested) and only when they make sense (i.e. when there is something to say)

I quite like the concept that in some cases OWASP's position is going to be
'OWASP has no comment or position on this issue'

Dinis Cruz

On 28 June 2010 18:13, Brennan - OWASP <tomb at owasp.org> wrote:

> I would support that at this stage of the OWASP Foundation.
>
> Take a look at the most current list:
>
>
> http://www.owasp.org/index.php/Membership#Current_OWASP_Organization_Supporters_.26_Individual_Members
>
> What can you say about EVERYONE?
>
> Since we do not endorse anyone, we can say these firms have demonstrated an
> alliance to the goals and mission of OWASP.  Maybe we send them a signed
> letter thanking them for the support
>
>
>
> On Jun 28, 2010, at 1:01 PM, Jeff Williams wrote:
>
> > I’ll follow up with them today about this and ask if they’ve made any
> progress on their claimed transparency.  As I mentioned at the outset, if
> they’re not transparent about what they cover and what they do, then I don’t
> think the quote is justified.
> >
> > Tom, were you suggesting that we shouldn’t do *any* quote about companies
> that are non-members?
> >
> > --Jeff
> >
> >
> > From: dinis cruz [mailto:dinis.cruz at owasp.org]
> > Sent: Monday, June 28, 2010 9:53 AM
> > To: Brennan - OWASP
> > Cc: Jeff Williams; OWASP Foundation Board List; Cornell Dan
> > Subject: Re: [Owasp-board] Need guidance on providing OWASP quote to
> Veracode
> >
> > Sorry, last email was sent too soon, the last comment I was making was (new
> bit in bold):
> >
> > ... And yes, your list of firms around OWASP is just a small subset of
> the companies that would want to play this game (note how Jeff's quote
> (which eventually will become OWASP's quote) is sending a 'parallel' message
> that 'some' product companies are dangerously asserting Top 10 coverage and
> compliance)
> >
> > Dinis Cruz
> >
> >
> > On 28 June 2010 14:50, dinis cruz <dinis.cruz at owasp.org> wrote:
> > We need to have both quotes:
> >
> >       • one that is generic for each type of user or type of usage of OWASP
> materials
> >       • one that is specific to a particular scenario (like the Veracode one)
> > For reference here is the original quote that Jeff proposed that we gave
> Veracode:
> >
> > “The OWASP Foundation is pleased that Veracode will support the Top 10.
> Managing application security requires an understanding of what has been
> checked and what has not. Veracode’s message of transparency and combining
> both manual and automated verification techniques stand in stark contrast to
> those product vendors that wrongly and dangerously assert complete Top 10
> coverage and compliance.”
> >
> > I think this is a very important quote for OWASP to be providing and we
> need to do it.
> >
> > BUT (as I said in previous emails) we need to do this under a clear
> process and (in the beginning) under a 'this is an experiment' banner'
> >
> > And yes, your list of firms around OWASP is just a small subset of the
> companies that would want to play this game (note how Jeff's quote (which
> eventually will become OWASP's q
> >
> >
> > Dinis Cruz
> >
> > Blog: http://diniscruz.blogspot.com
> > Twitter: http://twitter.com/DinisCruz
> > Web: http://www.owasp.org/index.php/O2
> >
> >
> >
> > On 28 June 2010 14:44, Brennan - OWASP <tomb at owasp.org> wrote:
> > Sounds like you are suggesting a (3) generic or blanket quote to be used
> by corporate, university and industry sponsors in unification of the OWASP
> mission
> >
> > Look at core firms look around the room
> >
> > Aspect
> > WhiteHat
> > Trustwave
> > Denim
> > Fortify
> > Veracode
> > Columbia
> > NYC poly
> > Salesforce
> > <insert>....
> >
> > Keep it simple.  As a value of membership you get to use one of these in
> releases as you are a recognized supporter.  If you want to hire or retain
> PR company they would tell you the same ( I just called a buddy in the PR
> industry for her thoughts )
> >
> > Tom Brennan
> > 973-506-9303
> >
> >
> > On Jun 28, 2010, at 9:14 AM, dinis cruz <dinis.cruz at owasp.org> wrote:
> >
> > I don't think that fairness is the issue here, but the process of how
> we do this (and we need to look at this from OWASP's point of view, not from
> Veracode's)
> >
> > I don't see how we can deliver these 'official OWASP quotes' outside of
> our website!
> >
> > What would be the delivery mechanism? An email from a board member? An
> email from an OWASP employee? Is that email that will make it an official
> OWASP quote?
> >
> > Some of these opinions have the potential to generate some controversy
> (which in some cases is going to be a good thing), but we have to make sure
> we have a solid and clear process.
> >
> > Given the urgency of the request and the fact that it is the first one,
> we can explicitly shortcut some of the steps (like the public consultation
> period)
> >
> > BUT we have to:
> >
> > a) make it come from a special page on the OWASP website
> > b) present it as an experiment (where we are still trying to figure out
> the rules of engagement)
> >
> > Dinis Cruz
> >
> > On 26 Jun 2010, at 18:38, Jeff Williams <jeff.williams at owasp.org> wrote:
> >
> > It's not fair to preempt their press release.
> >
> > --Jeff
> >
> > Jeff Williams
> > Aspect Security
> > work: 410-707-1487
> > main: 301-604-4882
> >
> >
> >
> > On Jun 25, 2010, at 4:52 PM, dinis cruz <dinis.cruz at owasp.org> wrote:
> >
> > Have they seen your quote?
> >
> > Due to the time constraints, let's publish the first ideas on how this
> could work in the Wiki at the same time that we give them the quote.
> >
> > In fact they should get the quote from the Wiki
> >
> > Dinis Cruz
> >
> > On 25 Jun 2010, at 21:25, Jeff Williams <jeff.williams at owasp.org> wrote:
> >
> > They’re on kind of a short burn for this particular quote.  How about we
> give them the quote and then put that infrastructure in place afterwards.
> >
> > --Jeff
> >
> >
> > From: dinis cruz [mailto:dinis.cruz at owasp.org]
> > Sent: Friday, June 25, 2010 1:28 PM
> > To: Jeff Williams
> > Cc: OWASP Foundation Board List
> > Subject: Re: [Owasp-board] Need guidance on providing OWASP quote to
> Veracode
> >
> > Hi Jeff,
> >
> > I definitely think that OWASP should have 'on the record' quotes about
> what 3rd parties are doing with OWASP's projects.
> >
> > In terms of workflow and rules, I would like to propose that:
> >
> >       • All quotes are placed in specific locations of the OWASP Wiki
> (i.e. on dedicated pages which could be global to OWASP or project
> specific) where it is obvious that those are OWASP official quotes (this
> page should be protected from non-wiki-admin edits)
> >       • For each 'official OWASP quote' there should be a period of
> consultation where all interested parties have the opportunity to comment
> 'on the record' (namely OWASP Committee members and leaders)
> >       • The first pass at the 'quote' should be made by the board or a
> committee that we delegate the responsibility to (maybe the Industry one (when
> it becomes alive again))
> >       • After the consultation period, the board has final decision on
> the final wording of the text
> >       • There are cases where the 'OWASP official quote' will probably be
> 'OWASP has no comment on this topic'
> >
> > What do you think? We should use this Veracode request to try this out
> (which again should be presented to our community as an 'experiment')
> >
> > Dinis Cruz
> >
> >
> > On 24 June 2010 03:35, Jeff Williams <jeff.williams at owasp.org> wrote:
> > Here’s the background.  Veracode is going to start supporting the OWASP
> T10 output format.  They are making a big deal about how OWASP has grown to
> achieve widespread industry acceptance, blah blah blah…  They are also
> pushing a clear message that gaining assurance involves a combination of
> both automated and manual testing.
> >
> > On the call, I asked them whether they would be willing to be very clear
> about exactly which of the OWASP T10 recommendations their product/service
> verifies.  This was my minimum bar for participating.  At the high end, I
> asked if they would go through the ASVS and indicate which of those they can
> verify.
> >
> > Essentially, all they’re doing is what everyone does: say that their
> service solves the OWASP T10.   I think we should ONLY support these
> statements if the vendor is willing to FULLY disclose exactly what their
> coverage is and how it is achieved.  That goes right to the core of the
> issue we’ve been discussing.  I think we can support these commercial
> vendors as long as they do their part in making security *visible*.
> >
> > So they’ve asked me for a quote.  Assuming they disclose, I’m thinking
> something like…
> >
> > “The OWASP Foundation is pleased that Veracode will support the Top 10.
> Managing application security requires an understanding of what has been
> checked and what has not. Veracode’s message of transparency and combining
> both manual and automated verification techniques stand in stark contrast to
> those product vendors that wrongly and dangerously assert complete Top 10
> coverage and compliance.”
> >
> > VOTE: Do you think OWASP should issue quotes like this when vendors do
> something that 1) involves OWASP and 2) is basically in line with our
> principles? Or should we just stay clear?
> >
> > --Jeff
> >
> > Jeff Williams, Chair
> > The OWASP Foundation
> > work: 410-707-1487
> > main: 301-604-4882
> >
> >
> > _______________________________________________
> > Owasp-board mailing list
> > Owasp-board at lists.owasp.org
> > https://lists.owasp.org/mailman/listinfo/owasp-board
> >
>
>