[Owasp-board] Additional Brand Abuse

Tobias tobias.gondrom at owasp.org
Sat Dec 6 10:24:52 UTC 2014


Bev,
it seems I am not seeing the page you are seeing, because I didn't see 
the OWASP logo on that page, that you are referring to.
Could you please send a link to the page that is holding the OWASP logo?
Thanks, Tobias


On 06/12/14 01:40, Bev Corwin wrote:
> Howdy all! My 2 cents:
>
> Ask them to remove the OWASP logo brand, etc., that OWASP does not 
> "endorse", has brand use policies, etc.
>
> Ask them to link to the OWASP pages that apply to their discussion.
>
> Ask them to move it from the "marketing" area of the website to their 
> blog.
>
> Best wishes,
> Bev
>
>
> On Fri, Dec 5, 2014 at 1:18 PM, Jim Manico <jim.manico at owasp.org 
> <mailto:jim.manico at owasp.org>> wrote:
>
>     Josh,
>
>     What I suggest is that corporate/product-centric OWASP brand usage
>     needs to be approved of beforehand by the board, staff or brand
>     committee (one official structure, not all three). That would give
>     us a chance to have a "nice conversation" with folks before they
>     use the brand as opposed to having to have to police the brand.
>
>     Regardless of our resources, I feel the OWASP brand is abused to a
>     great degree and it dilutes what we are trying to accomplish. It's
>     also a violation of our non-commercial, vendor-neutral rules of play.
>
>     - Jim
>
>
>
>     On 12/5/14 10:10 AM, Josh Sokol wrote:
>>     Jim,
>>
>>     I totally understand where you are coming from. However, the
>>     minute the PCI DSS 1.0 asserted that companies needed to "Develop
>>     all web applications based on secure coding guidelines such as
>>     the Open Web Application Security Project guidelines", those
>>     materials became more than just an informational document.  They
>>     are now part of the PCI DSS standard which is supported by the
>>     for-profit corporations AMEX, Discover, JCB, Mastercard, and
>>     VISA.  And because of the mandatory compliance requirements
>>     behind PCI DSS, companies are willing to pay for solutions to
>>     meet those requirements.  Acunetix is just one of many companies
>>     making claims on their ability to fulfill PCI DSS requirement
>>     6.5, regardless of whether it is even possible for anyone to do
>>     so (I agree with you here). So, if you truly have a problem with
>>     vendors using OWASP as a way to increase profits, then the root
>>     of this "problem" is the fact that it is included on the PCI DSS
>>     to begin with.  That said, my personal take on it is that having
>>     it as a requirement on the PCI DSS has probably been better
>>     visbility for OWASP than just about anything else out there.  So,
>>     even if it were possible to have it removed (something I don't
>>     think is possible given the open source license on it), I'm not
>>     sure we would want to.  So, in the end, I think that OWASP is
>>     responsible for putting out good, free, documents, that the
>>     public can consume, and as long as abuse isn't blatant, we should
>>     first look at intent before rousing the troops against them.  In
>>     this case, the vendor is simply saying that they scan for the
>>     issues in the standard.  We are not equipped to run around
>>     testing every vendor to see if their claims about that are true.
>>
>>     ~josh
>>
>>     On Fri, Dec 5, 2014 at 11:19 AM, Jim Manico <jim.manico at owasp.org
>>     <mailto:jim.manico at owasp.org>> wrote:
>>
>>         Josh,
>>
>>         There is a history (ISSA, ISC2, Apache, etc) where non profit
>>         security or developer organizations do not to allow companies
>>         to use their non-profit brand for product marketing.
>>
>>         I feel that *strongly* protecting the OWASP brand from being
>>         used in commercial marketing is both a part of our non-profit
>>         mission (vendor neutral, non commercial) as well as being one
>>         of the main roles of our fiduciary duty as board members.
>>
>>         Again, this is not just my opinion. There is a great deal of
>>         precedent in this area from similar organizations.
>>         - Jim
>>
>>         PS: As a side note, The OWASP Top Ten is not addressable by a
>>         product, I can explain that in detail if you wish. (Just look
>>         at A5).
>>
>>
>>
>>
>>
>>         On 11/18/14 5:53 AM, Josh Sokol wrote:
>>>         My personal opinion is that this is fine.  The OWASP Top 10
>>>         is a published standard and Acunetix is claiming that they
>>>         are capable of scanning for the issues identified in the
>>>         OWASP Top 10 standard.  I don't think that we should be
>>>         responsible for policing whether or not they actually do
>>>         what they say they do.  With that line being pretty blurry
>>>         to begin with, I doubt Acunetix is the only company
>>>         advertising in this manner.  And as long as they're not
>>>         claiming to be "OWASP Certified", or the like, I think this
>>>         is not worth pursuing.
>>>
>>>         ~josh
>>>
>>>         On Fri, Nov 14, 2014 at 8:13 PM, Jim Manico
>>>         <jim.manico at owasp.org <mailto:jim.manico at owasp.org>> wrote:
>>>
>>>             Folks,
>>>
>>>             When we do a google search for "OWASP" I see that
>>>             Acunetix is advertising that they are scanning for the
>>>             OWASP Top Ten. The ad links to
>>>             http://www.acunetix.com/vulnerability-scanner/scan-website-owasp-top-10-risks/
>>>
>>>             I think this ad violates the following brand usage
>>>             guidelines:
>>>             https://www.owasp.org/index.php/Marketing/Resources#The_Brand_Usage_Rules
>>>
>>>             5) The OWASP Brand must not be used in a manner that
>>>             suggests that The OWASP Foundation supports, advocates,
>>>             or recommends any particular product or technology.
>>>
>>>             7) The OWASP Brand must not be used in a manner that
>>>             suggests that a product or technology can enable
>>>             compliance with any OWASP Materials other than an OWASP
>>>             Published Standard.
>>>
>>>             and
>>>
>>>             8) The OWASP Brand must not be used in any materials
>>>             that could mislead readers by narrowly interpreting a
>>>             broad application security category. For example, a
>>>             vendor product that can find or protect against forced
>>>             browsing must not claim that they address all of the
>>>             access control category.
>>>
>>>
>>>             I would like to file this with our compliance officer,
>>>             but I think he is over-burdened right now. Do you think
>>>             this is a clear violation and if so, should we approach
>>>             them in a gentle way with suggestions to correct this?
>>>
>>>             Aloha,
>>>             Jim
>>>
>>>
>>>
>>>
>>>             _______________________________________________
>>>             Owasp-board mailing list
>>>             Owasp-board at lists.owasp.org
>>>             <mailto:Owasp-board at lists.owasp.org>
>>>             https://lists.owasp.org/mailman/listinfo/owasp-board
>>>
>>>
>>
>>
>
>
>     _______________________________________________
>     Owasp-board mailing list
>     Owasp-board at lists.owasp.org <mailto:Owasp-board at lists.owasp.org>
>     https://lists.owasp.org/mailman/listinfo/owasp-board
>
>
>
>
> _______________________________________________
> Owasp-board mailing list
> Owasp-board at lists.owasp.org
> https://lists.owasp.org/mailman/listinfo/owasp-board

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.owasp.org/pipermail/owasp-board/attachments/20141206/e51f6e9d/attachment-0001.html>


More information about the Owasp-board mailing list