[Owasp-board] Additional Brand Abuse

Tobias tobias.gondrom at owasp.org
Sun Dec 7 04:45:05 UTC 2014

Dear Bev,

thanks for the clarification. I misunderstood your email initially as 
that you were referring to a company using our logo on their website, 
which would indeed need approval by OWASP.

I can sense that we have some careful balancing when it comes to 
protection of our brand.
On the one hand we want to help the people and industry at large 
improving security and in that process also to refer to us and our many 
projects, on the other hand we want to avoid that a text is 
misunderstood in a way that we would endorse a specific product, 
proprietary technology or business.
A fine line to walk and possibly we will face a couple of cases were we 
are not totally sure about it.

Thinking about at this, I am not sure it's the right path to add "brand 
usage" onto the plate of the compliance officer. The main need for our 
independent compliance officer is to avoid conflict of interest when it 
comes to investigating internal problems among staff, leaders or board 
members. For this an independent compliance officer is important. 
However, he is a community volunteer and his time is limited. And the 
protection of our brand and guiding other companies on how to refer to 
OWASP correctly does not have that risk of conflict of interest. Am 
thinking whether based on general brand usage guidelines (which we 
already have, but maybe need to be more detailed guidance) set by the 
community and the board, maybe we could delegate this to one of our 
staff instead or a community team to communicate carefully and in a 
positive manner with our partners in the industry. By this we could keep 
the work load of the compliance within reasonable levels, so that he 
will have enough time when it comes to cases that require his 
independent investigation.

E.g. to enhance the guidelines, we could even add a few examples about 
how good usage or our OWASP brand looks like. I appreciate that we may 
have a large variety of views among our community about what level of 
mentioning OWASP by others is ok or we even wish for. And I hope we 
could in the process of a discussion achieve to find a wider consensus 
on this with which everybody is feeling ok....

Just a thought.


On 06/12/14 22:48, Bev Corwin wrote:
> Dear Tobias,
> Sorry for any confusion. I probably should have made it clear that I 
> was speaking in general and not referring to any particular case. 
> There were a number of discussions on this topic, several examples, 
> some regarding use of brand, others not. In this particular case, the 
> name "OWASP" is part of the brand, whether or not it uses the logo. 
> The trade name should be treated similarly as the logo, especially if 
> used in marketing . Best wishes.
> Bev
> Sincerely,
> Bev
> On Sat, Dec 6, 2014 at 5:24 AM, Tobias <tobias.gondrom at owasp.org 
> <mailto:tobias.gondrom at owasp.org>> wrote:
>     Bev,
>     it seems I am not seeing the page you are seeing, because I didn't
>     see the OWASP logo on that page, that you are referring to.
>     Could you please send a link to the page that is holding the OWASP
>     logo?
>     Thanks, Tobias
>     On 06/12/14 01:40, Bev Corwin wrote:
>>     Howdy all! My 2 cents:
>>     Ask them to remove the OWASP logo brand, etc., that OWASP does
>>     not "endorse", has brand use policies, etc.
>>     Ask them to link to the OWASP pages that apply to their discussion.
>>     Ask them to move it from the "marketing" area of the website to
>>     their blog.
>>     Best wishes,
>>     Bev
>>     On Fri, Dec 5, 2014 at 1:18 PM, Jim Manico <jim.manico at owasp.org
>>     <mailto:jim.manico at owasp.org>> wrote:
>>         Josh,
>>         What I suggest is that corporate/product-centric OWASP brand
>>         usage needs to be approved of beforehand by the board, staff
>>         or brand committee (one official structure, not all three).
>>         That would give us a chance to have a "nice conversation"
>>         with folks before they use the brand as opposed to having to
>>         have to police the brand.
>>         Regardless of our resources, I feel the OWASP brand is abused
>>         to a great degree and it dilutes what we are trying to
>>         accomplish. It's also a violation of our non-commercial,
>>         vendor-neutral rules of play.
>>         - Jim
>>         On 12/5/14 10:10 AM, Josh Sokol wrote:
>>>         Jim,
>>>         I totally understand where you are coming from.  However,
>>>         the minute the PCI DSS 1.0 asserted that companies needed to
>>>         "Develop all web applications based on secure coding
>>>         guidelines such as the Open Web Application Security Project
>>>         guidelines", those materials became more than just an
>>>         informational document.  They are now part of the PCI DSS
>>>         standard which is supported by the for-profit corporations
>>>         AMEX, Discover, JCB, Mastercard, and VISA.  And because of
>>>         the mandatory compliance requirements behind PCI DSS,
>>>         companies are willing to pay for solutions to meet those
>>>         requirements.  Acunetix is just one of many companies making
>>>         claims on their ability to fulfill PCI DSS requirement 6.5,
>>>         regardless of whether it is even possible for anyone to do
>>>         so (I agree with you here).  So, if you truly have a problem
>>>         with vendors using OWASP as a way to increase profits, then
>>>         the root of this "problem" is the fact that it is included
>>>         on the PCI DSS to begin with.  That said, my personal take
>>>         on it is that having it as a requirement on the PCI DSS has
>>>         probably been better visbility for OWASP than just about
>>>         anything else out there.  So, even if it were possible to
>>>         have it removed (something I don't think is possible given
>>>         the open source license on it), I'm not sure we would want
>>>         to.  So, in the end, I think that OWASP is responsible for
>>>         putting out good, free, documents, that the public can
>>>         consume, and as long as abuse isn't blatant, we should first
>>>         look at intent before rousing the troops against them.  In
>>>         this case, the vendor is simply saying that they scan for
>>>         the issues in the standard.  We are not equipped to run
>>>         around testing every vendor to see if their claims about
>>>         that are true.
>>>         ~josh
>>>         On Fri, Dec 5, 2014 at 11:19 AM, Jim Manico
>>>         <jim.manico at owasp.org <mailto:jim.manico at owasp.org>> wrote:
>>>             Josh,
>>>             There is a history (ISSA, ISC2, Apache, etc) where non
>>>             profit security or developer organizations do not to
>>>             allow companies to use their non-profit brand for
>>>             product marketing.
>>>             I feel that *strongly* protecting the OWASP brand from
>>>             being used in commercial marketing is both a part of our
>>>             non-profit mission (vendor neutral, non commercial) as
>>>             well as being one of the main roles of our fiduciary
>>>             duty as board members.
>>>             Again, this is not just my opinion. There is a great
>>>             deal of precedent in this area from similar organizations.
>>>             - Jim
>>>             PS: As a side note, The OWASP Top Ten is not addressable
>>>             by a product, I can explain that in detail if you wish.
>>>             (Just look at A5).
>>>             On 11/18/14 5:53 AM, Josh Sokol wrote:
>>>>             My personal opinion is that this is fine.  The OWASP
>>>>             Top 10 is a published standard and Acunetix is claiming
>>>>             that they are capable of scanning for the issues
>>>>             identified in the OWASP Top 10 standard.  I don't think
>>>>             that we should be responsible for policing whether or
>>>>             not they actually do what they say they do.  With that
>>>>             line being pretty blurry to begin with, I doubt
>>>>             Acunetix is the only company advertising in this
>>>>             manner.  And as long as they're not claiming to be
>>>>             "OWASP Certified", or the like, I think this is not
>>>>             worth pursuing.
>>>>             ~josh
>>>>             On Fri, Nov 14, 2014 at 8:13 PM, Jim Manico
>>>>             <jim.manico at owasp.org <mailto:jim.manico at owasp.org>> wrote:
>>>>                 Folks,
>>>>                 When we do a google search for "OWASP" I see that
>>>>                 Acunetix is advertising that they are scanning for
>>>>                 the OWASP Top Ten. The ad links to
>>>>                 http://www.acunetix.com/vulnerability-scanner/scan-website-owasp-top-10-risks/
>>>>                 I think this ad violates the following brand usage
>>>>                 guidelines:
>>>>                 https://www.owasp.org/index.php/Marketing/Resources#The_Brand_Usage_Rules
>>>>                 5) The OWASP Brand must not be used in a manner
>>>>                 that suggests that The OWASP Foundation supports,
>>>>                 advocates, or recommends any particular product or
>>>>                 technology.
>>>>                 7) The OWASP Brand must not be used in a manner
>>>>                 that suggests that a product or technology can
>>>>                 enable compliance with any OWASP Materials other
>>>>                 than an OWASP Published Standard.
>>>>                 and
>>>>                 8) The OWASP Brand must not be used in any
>>>>                 materials that could mislead readers by narrowly
>>>>                 interpreting a broad application security category.
>>>>                 For example, a vendor product that can find or
>>>>                 protect against forced browsing must not claim that
>>>>                 they address all of the access control category.
>>>>                 I would like to file this with our compliance
>>>>                 officer, but I think he is over-burdened right now.
>>>>                 Do you think this is a clear violation and if so,
>>>>                 should we approach them in a gentle way with
>>>>                 suggestions to correct this?
>>>>                 Aloha,
>>>>                 Jim
>>>>                 _______________________________________________
>>>>                 Owasp-board mailing list
>>>>                 Owasp-board at lists.owasp.org
>>>>                 <mailto:Owasp-board at lists.owasp.org>
>>>>                 https://lists.owasp.org/mailman/listinfo/owasp-board
>>         _______________________________________________
>>         Owasp-board mailing list
>>         Owasp-board at lists.owasp.org <mailto:Owasp-board at lists.owasp.org>
>>         https://lists.owasp.org/mailman/listinfo/owasp-board
>>     _______________________________________________
>>     Owasp-board mailing list
>>     Owasp-board at lists.owasp.org  <mailto:Owasp-board at lists.owasp.org>
>>     https://lists.owasp.org/mailman/listinfo/owasp-board

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.owasp.org/pipermail/owasp-board/attachments/20141207/b1d88a82/attachment-0001.html>

More information about the Owasp-board mailing list