[Owasp-board] Additional Brand Abuse

Jim Manico jim.manico at owasp.org
Fri Dec 5 18:18:09 UTC 2014


What I suggest is that corporate/product-centric OWASP brand usage needs 
to be approved beforehand by the board, staff or brand committee (one 
official structure, not all three). That would give us a chance to have 
a "nice conversation" with folks before they use the brand, as opposed to 
having to police the brand after the fact.

Regardless of our resources, I feel the OWASP brand is abused to a great 
degree and it dilutes what we are trying to accomplish. It's also a 
violation of our non-commercial, vendor-neutral rules of play.

- Jim

On 12/5/14 10:10 AM, Josh Sokol wrote:
> Jim,
> I totally understand where you are coming from.  However, the minute 
> the PCI DSS 1.0 asserted that companies needed to "Develop all web 
> applications based on secure coding guidelines such as the Open Web 
> Application Security Project guidelines", those materials became more 
> than just an informational document.  They are now part of the PCI DSS 
> standard which is supported by the for-profit corporations AMEX, 
> Discover, JCB, Mastercard, and VISA.  And because of the mandatory 
> compliance requirements behind PCI DSS, companies are willing to pay 
> for solutions to meet those requirements. Acunetix is just one of many 
> companies making claims on their ability to fulfill PCI DSS 
> requirement 6.5, regardless of whether it is even possible for anyone 
> to do so (I agree with you here).  So, if you truly have a problem 
> with vendors using OWASP as a way to increase profits, then the root 
> of this "problem" is the fact that it is included on the PCI DSS to 
> begin with.  That said, my personal take on it is that having it as a 
> requirement on the PCI DSS has probably been better visibility for 
> OWASP than just about anything else out there. So, even if it were 
> possible to have it removed (something I don't think is possible given 
> the open source license on it), I'm not sure we would want to.  So, in 
> the end, I think that OWASP is responsible for putting out good, free, 
> documents, that the public can consume, and as long as abuse isn't 
> blatant, we should first look at intent before rousing the troops 
> against them.  In this case, the vendor is simply saying that they 
> scan for the issues in the standard.  We are not equipped to run 
> around testing every vendor to see if their claims about that are true.
> ~josh
> On Fri, Dec 5, 2014 at 11:19 AM, Jim Manico <jim.manico at owasp.org 
> <mailto:jim.manico at owasp.org>> wrote:
>     Josh,
>     There is a history (ISSA, ISC2, Apache, etc.) where non-profit
>     security or developer organizations do not allow companies to
>     use their non-profit brand for product marketing.
>     I feel that *strongly* protecting the OWASP brand from being used
>     in commercial marketing is both a part of our non-profit mission
>     (vendor neutral, non commercial) as well as being one of the main
>     roles of our fiduciary duty as board members.
>     Again, this is not just my opinion. There is a great deal of
>     precedent in this area from similar organizations.
>     - Jim
>     PS: As a side note, The OWASP Top Ten is not addressable by a
>     product, I can explain that in detail if you wish. (Just look at A5).
>     On 11/18/14 5:53 AM, Josh Sokol wrote:
>>     My personal opinion is that this is fine. The OWASP Top 10 is a
>>     published standard and Acunetix is claiming that they are capable
>>     of scanning for the issues identified in the OWASP Top 10
>>     standard.  I don't think that we should be responsible for
>>     policing whether or not they actually do what they say they do. 
>>     With that line being pretty blurry to begin with, I doubt
>>     Acunetix is the only company advertising in this manner.  And as
>>     long as they're not claiming to be "OWASP Certified", or the
>>     like, I think this is not worth pursuing.
>>     ~josh
>>     On Fri, Nov 14, 2014 at 8:13 PM, Jim Manico <jim.manico at owasp.org
>>     <mailto:jim.manico at owasp.org>> wrote:
>>         Folks,
>>         When we do a google search for "OWASP" I see that Acunetix is
>>         advertising that they are scanning for the OWASP Top Ten. The
>>         ad links to
>>         http://www.acunetix.com/vulnerability-scanner/scan-website-owasp-top-10-risks/
>>         I think this ad violates the following brand usage
>>         guidelines:
>>         https://www.owasp.org/index.php/Marketing/Resources#The_Brand_Usage_Rules
>>         5) The OWASP Brand must not be used in a manner that suggests
>>         that The OWASP Foundation supports, advocates, or recommends
>>         any particular product or technology.
>>         7) The OWASP Brand must not be used in a manner that suggests
>>         that a product or technology can enable compliance with any
>>         OWASP Materials other than an OWASP Published Standard.
>>         and
>>         8) The OWASP Brand must not be used in any materials that
>>         could mislead readers by narrowly interpreting a broad
>>         application security category. For example, a vendor product
>>         that can find or protect against forced browsing must not
>>         claim that they address all of the access control category.
>>         I would like to file this with our compliance officer, but I
>>         think he is over-burdened right now. Do you think this is a
>>         clear violation and if so, should we approach them in a
>>         gentle way with suggestions to correct this?
>>         Aloha,
>>         Jim
>>         _______________________________________________
>>         Owasp-board mailing list
>>         Owasp-board at lists.owasp.org <mailto:Owasp-board at lists.owasp.org>
>>         https://lists.owasp.org/mailman/listinfo/owasp-board
