[Owasp-board] Additional Brand Abuse

Jim Manico jim.manico at owasp.org
Fri Dec 5 17:19:03 UTC 2014


There is a history (ISSA, ISC2, Apache, etc.) where non-profit security 
or developer organizations do not allow companies to use their 
non-profit brand for product marketing.

I feel that *strongly* protecting the OWASP brand from being used in 
commercial marketing is both a part of our non-profit mission (vendor 
neutral, non commercial) as well as being one of the main roles of our 
fiduciary duty as board members.

Again, this is not just my opinion. There is a great deal of precedent 
in this area from similar organizations.
- Jim

PS: As a side note, the OWASP Top Ten is not addressable by a product; I 
can explain that in detail if you wish. (Just look at A5).

On 11/18/14 5:53 AM, Josh Sokol wrote:
> My personal opinion is that this is fine.  The OWASP Top 10 is a 
> published standard and Acunetix is claiming that they are capable of 
> scanning for the issues identified in the OWASP Top 10 standard.  I 
> don't think that we should be responsible for policing whether or not 
> they actually do what they say they do.  With that line being pretty 
> blurry to begin with, I doubt Acunetix is the only company advertising 
> in this manner.  And as long as they're not claiming to be "OWASP 
> Certified", or the like, I think this is not worth pursuing.
> ~josh
> On Fri, Nov 14, 2014 at 8:13 PM, Jim Manico <jim.manico at owasp.org> wrote:
>     Folks,
>     When we do a Google search for "OWASP" I see that Acunetix is
>     advertising that they are scanning for the OWASP Top Ten. The ad
>     links to
>     http://www.acunetix.com/vulnerability-scanner/scan-website-owasp-top-10-risks/
>     I think this ad violates the following brand usage guidelines:
>     https://www.owasp.org/index.php/Marketing/Resources#The_Brand_Usage_Rules
>     5) The OWASP Brand must not be used in a manner that suggests that
>     The OWASP Foundation supports, advocates, or recommends any
>     particular product or technology.
>     7) The OWASP Brand must not be used in a manner that suggests that
>     a product or technology can enable compliance with any OWASP
>     Materials other than an OWASP Published Standard.
>     and
>     8) The OWASP Brand must not be used in any materials that could
>     mislead readers by narrowly interpreting a broad application
>     security category. For example, a vendor product that can find or
>     protect against forced browsing must not claim that they address
>     all of the access control category.
>     I would like to file this with our compliance officer, but I think
>     he is over-burdened right now. Do you think this is a clear
>     violation and if so, should we approach them in a gentle way with
>     suggestions to correct this?
>     Aloha,
>     Jim