[Owasp-board] Additional Brand Abuse

Bev Corwin bev.corwin at owasp.org
Sun Dec 7 05:23:52 UTC 2014


Thank you Tobias, All good points and well taken. I agree. Best wishes, Bev

On Sat, Dec 6, 2014 at 11:45 PM, Tobias <tobias.gondrom at owasp.org> wrote:

>  Dear Bev,
>
> thanks for the clarification. I initially misunderstood your email as
> meaning that you were referring to a company using our logo on their
> website, which would indeed need approval by OWASP.
>
> I can sense that we have some careful balancing to do when it comes to
> protection of our brand.
> On the one hand we want to help the people and industry at large to improve
> security and in that process also to refer to us and our many projects; on
> the other hand we want to avoid a text being misunderstood in a way that
> suggests we would endorse a specific product, proprietary technology or
> business. A fine line to walk, and possibly we will face a couple of cases
> where we are not totally sure about it.
>
> Thinking about this, I am not sure it's the right path to add "brand
> usage" onto the plate of the compliance officer. The main need for our
> independent compliance officer is to avoid conflict of interest when it
> comes to investigating internal problems among staff, leaders or board
> members. For this an independent compliance officer is important. However,
> he is a community volunteer and his time is limited. And the protection of
> our brand and guiding other companies on how to refer to OWASP correctly
> does not carry that risk of conflict of interest. I am thinking whether,
> based on general brand usage guidelines (which we already have, but which
> maybe need to give more detailed guidance) set by the community and the
> board, we could delegate this to one of our staff instead, or to a
> community team, to communicate carefully and in a positive manner with our
> partners in the industry. By this we could keep the workload of the
> compliance officer within reasonable levels, so that he will have enough
> time when it comes to cases that require his independent investigation.
>
> E.g. to enhance the guidelines, we could even add a few examples of what
> good usage of our OWASP brand looks like. I appreciate that we may have a
> large variety of views among our community about what level of mentioning
> OWASP by others is OK or even what we wish for. And I hope that in the
> process of a discussion we could achieve a wider consensus on this with
> which everybody feels OK....
>
> Just a thought.
>
> Tobias
>
>
>
>
> On 06/12/14 22:48, Bev Corwin wrote:
>
> Dear Tobias,
>
>  Sorry for any confusion. I probably should have made it clear that I was
> speaking in general and not referring to any particular case. There were a
> number of discussions on this topic, several examples, some regarding use
> of brand, others not. In this particular case, the name "OWASP" is part of
> the brand, whether or not it uses the logo. The trade name should be
> treated similarly to the logo, especially if used in marketing. Best
> wishes.
>
>  Bev
>
>  Sincerely,
> Bev
>
>
> On Sat, Dec 6, 2014 at 5:24 AM, Tobias <tobias.gondrom at owasp.org> wrote:
>
>>  Bev,
>> it seems I am not seeing the page you are seeing, because I didn't see
>> the OWASP logo on the page that you are referring to.
>> Could you please send a link to the page that is holding the OWASP logo?
>> Thanks, Tobias
>>
>>
>>
>> On 06/12/14 01:40, Bev Corwin wrote:
>>
>> Howdy all! My 2 cents:
>>
>>  Ask them to remove the OWASP logo brand, etc., that OWASP does not
>> "endorse", has brand use policies, etc.
>>
>>  Ask them to link to the OWASP pages that apply to their discussion.
>>
>>  Ask them to move it from the "marketing" area of the website to their
>> blog.
>>
>>  Best wishes,
>> Bev
>>
>>
>> On Fri, Dec 5, 2014 at 1:18 PM, Jim Manico <jim.manico at owasp.org> wrote:
>>
>>>  Josh,
>>>
>>> What I suggest is that corporate/product-centric OWASP brand usage needs
>>> to be approved beforehand by the board, staff or brand committee (one
>>> official structure, not all three). That would give us a chance to have a
>>> "nice conversation" with folks before they use the brand as opposed to
>>> having to police the brand.
>>>
>>> Regardless of our resources, I feel the OWASP brand is abused to a great
>>> degree and it dilutes what we are trying to accomplish. It's also a
>>> violation of our non-commercial, vendor-neutral rules of play.
>>>
>>> - Jim
>>>
>>>
>>>
>>> On 12/5/14 10:10 AM, Josh Sokol wrote:
>>>
>>>  Jim,
>>>
>>> I totally understand where you are coming from.  However, the minute the
>>> PCI DSS 1.0 asserted that companies needed to "Develop all web applications
>>> based on secure coding guidelines such as the Open Web Application Security
>>> Project guidelines", those materials became more than just an informational
>>> document.  They are now part of the PCI DSS standard which is supported by
>>> the for-profit corporations AMEX, Discover, JCB, Mastercard, and VISA.  And
>>> because of the mandatory compliance requirements behind PCI DSS, companies
>>> are willing to pay for solutions to meet those requirements.  Acunetix is
>>> just one of many companies making claims on their ability to fulfill PCI
>>> DSS requirement 6.5, regardless of whether it is even possible for anyone
>>> to do so (I agree with you here).  So, if you truly have a problem with
>>> vendors using OWASP as a way to increase profits, then the root of this
>>> "problem" is the fact that it is included on the PCI DSS to begin with.
>>> That said, my personal take on it is that having it as a requirement on the
>>> PCI DSS has probably been better visibility for OWASP than just about
>>> anything else out there.  So, even if it were possible to have it removed
>>> (something I don't think is possible given the open source license on it),
>>> I'm not sure we would want to.  So, in the end, I think that OWASP is
>>> responsible for putting out good, free, documents, that the public can
>>> consume, and as long as abuse isn't blatant, we should first look at intent
>>> before rousing the troops against them.  In this case, the vendor is simply
>>> saying that they scan for the issues in the standard.  We are not equipped
>>> to run around testing every vendor to see if their claims about that are
>>> true.
>>>
>>>  ~josh
>>>
>>> On Fri, Dec 5, 2014 at 11:19 AM, Jim Manico <jim.manico at owasp.org>
>>> wrote:
>>>
>>>>  Josh,
>>>>
>>>> There is a history (ISSA, ISC2, Apache, etc.) where non-profit security
>>>> or developer organizations do not allow companies to use their
>>>> non-profit brand for product marketing.
>>>>
>>>> I feel that *strongly* protecting the OWASP brand from being used in
>>>> commercial marketing is both a part of our non-profit mission (vendor
>>>> neutral, non commercial) as well as being one of the main roles of our
>>>> fiduciary duty as board members.
>>>>
>>>> Again, this is not just my opinion. There is a great deal of precedent
>>>> in this area from similar organizations.
>>>> - Jim
>>>>
>>>> PS: As a side note, The OWASP Top Ten is not addressable by a product,
>>>> I can explain that in detail if you wish. (Just look at A5).
>>>>
>>>>
>>>>
>>>>
>>>>
>>>> On 11/18/14 5:53 AM, Josh Sokol wrote:
>>>>
>>>>  My personal opinion is that this is fine.  The OWASP Top 10 is a
>>>> published standard and Acunetix is claiming that they are capable of
>>>> scanning for the issues identified in the OWASP Top 10 standard.  I don't
>>>> think that we should be responsible for policing whether or not they
>>>> actually do what they say they do.  With that line being pretty blurry to
>>>> begin with, I doubt Acunetix is the only company advertising in this
>>>> manner.  And as long as they're not claiming to be "OWASP Certified", or
>>>> the like, I think this is not worth pursuing.
>>>>
>>>>  ~josh
>>>>
>>>> On Fri, Nov 14, 2014 at 8:13 PM, Jim Manico <jim.manico at owasp.org>
>>>> wrote:
>>>>
>>>>>  Folks,
>>>>>
>>>>> When we do a google search for "OWASP" I see that Acunetix is
>>>>> advertising that they are scanning for the OWASP Top Ten. The ad links to
>>>>> http://www.acunetix.com/vulnerability-scanner/scan-website-owasp-top-10-risks/
>>>>>
>>>>> I think this ad violates the following brand usage guidelines:
>>>>> https://www.owasp.org/index.php/Marketing/Resources#The_Brand_Usage_Rules
>>>>>
>>>>> 5) The OWASP Brand must not be used in a manner that suggests that The
>>>>> OWASP Foundation supports, advocates, or recommends any particular product
>>>>> or technology.
>>>>>
>>>>> 7) The OWASP Brand must not be used in a manner that suggests that a
>>>>> product or technology can enable compliance with any OWASP Materials other
>>>>> than an OWASP Published Standard.
>>>>>
>>>>> and
>>>>>
>>>>> 8) The OWASP Brand must not be used in any materials that could
>>>>> mislead readers by narrowly interpreting a broad application security
>>>>> category. For example, a vendor product that can find or protect against
>>>>> forced browsing must not claim that they address all of the access control
>>>>> category.
>>>>>
>>>>>
>>>>> I would like to file this with our compliance officer, but I think he
>>>>> is over-burdened right now. Do you think this is a clear violation and if
>>>>> so, should we approach them in a gentle way with suggestions to correct
>>>>> this?
>>>>>
>>>>> Aloha,
>>>>> Jim
>>>>>
>>>>>
>>>>>
>>>>>
>>>>> _______________________________________________
>>>>> Owasp-board mailing list
>>>>> Owasp-board at lists.owasp.org
>>>>> https://lists.owasp.org/mailman/listinfo/owasp-board
>>>>>
>>>>>
>>>>
>>>>
>>>
>>>
>>>
>>>
>>
>>
>>
>>
>>
>
>