[Owasp-board] Additional Brand Abuse

Josh Sokol josh.sokol at owasp.org
Fri Dec 5 18:10:34 UTC 2014


I totally understand where you are coming from.  However, the minute the
PCI DSS 1.0 asserted that companies needed to "Develop all web applications
based on secure coding guidelines such as the Open Web Application Security
Project guidelines", those materials became more than just an informational
document.  They are now part of the PCI DSS standard which is supported by
the for-profit corporations AMEX, Discover, JCB, Mastercard, and VISA.  And
because of the mandatory compliance requirements behind PCI DSS, companies
are willing to pay for solutions to meet those requirements.  Acunetix is
just one of many companies making claims on their ability to fulfill PCI
DSS requirement 6.5, regardless of whether it is even possible for anyone
to do so (I agree with you here).  So, if you truly have a problem with
vendors using OWASP as a way to increase profits, then the root of this
"problem" is the fact that it is included on the PCI DSS to begin with.
That said, my personal take on it is that having it as a requirement on the
PCI DSS has probably been better visibility for OWASP than just about
anything else out there.  So, even if it were possible to have it removed
(something I don't think is possible given the open source license on it),
I'm not sure we would want to.  So, in the end, I think that OWASP is
responsible for putting out good, free documents that the public can
consume, and as long as abuse isn't blatant, we should first look at intent
before rousing the troops against them.  In this case, the vendor is simply
saying that they scan for the issues in the standard.  We are not equipped
to run around testing every vendor to see if their claims about that are


On Fri, Dec 5, 2014 at 11:19 AM, Jim Manico <jim.manico at owasp.org> wrote:

> Josh,
> There is a history (ISSA, ISC2, Apache, etc) where non profit security or
> developer organizations do not allow companies to use their non-profit
> brand for product marketing.
> I feel that *strongly* protecting the OWASP brand from being used in
> commercial marketing is both a part of our non-profit mission (vendor
> neutral, non commercial) as well as being one of the main roles of our
> fiduciary duty as board members.
> Again, this is not just my opinion. There is a great deal of precedent in
> this area from similar organizations.
> - Jim
> PS: As a side note, The OWASP Top Ten is not addressable by a product, I
> can explain that in detail if you wish. (Just look at A5).
> On 11/18/14 5:53 AM, Josh Sokol wrote:
> My personal opinion is that this is fine.  The OWASP Top 10 is a
> published standard and Acunetix is claiming that they are capable of
> scanning for the issues identified in the OWASP Top 10 standard.  I don't
> think that we should be responsible for policing whether or not they
> actually do what they say they do.  With that line being pretty blurry to
> begin with, I doubt Acunetix is the only company advertising in this
> manner.  And as long as they're not claiming to be "OWASP Certified", or
> the like, I think this is not worth pursuing.
> ~josh
> On Fri, Nov 14, 2014 at 8:13 PM, Jim Manico <jim.manico at owasp.org> wrote:
>> Folks,
>> When we do a google search for "OWASP" I see that Acunetix is advertising
>> that they are scanning for the OWASP Top Ten. The ad links to
>> http://www.acunetix.com/vulnerability-scanner/scan-website-owasp-top-10-risks/
>> I think this ad violates the following brand usage guidelines:
>> https://www.owasp.org/index.php/Marketing/Resources#The_Brand_Usage_Rules
>> 5) The OWASP Brand must not be used in a manner that suggests that The
>> OWASP Foundation supports, advocates, or recommends any particular product
>> or technology.
>> 7) The OWASP Brand must not be used in a manner that suggests that a
>> product or technology can enable compliance with any OWASP Materials other
>> than an OWASP Published Standard.
>> and
>> 8) The OWASP Brand must not be used in any materials that could mislead
>> readers by narrowly interpreting a broad application security category. For
>> example, a vendor product that can find or protect against forced browsing
>> must not claim that they address all of the access control category.
>> I would like to file this with our compliance officer, but I think he is
>> over-burdened right now. Do you think this is a clear violation and if so,
>> should we approach them in a gentle way with suggestions to correct this?
>> Aloha,
>> Jim
