[Owasp-board] Additional Brand Abuse

Tom Brennan tomb at proactiverisk.com
Sun Dec 7 15:48:59 UTC 2014


It's been discussed at Board Meeting before... action needs to be taken.

Thanks for your concern Bev.


On Sun, Dec 7, 2014 at 10:29 AM, Bev Corwin <bev.corwin at owasp.org> wrote:
> +1 - I agree that brand strategy, policies, and relationship models would be
> useful for OWASP, and if they included OWASP Trustmarks, that would be
> interesting, too. Nice to know that OWASP has staff resources available.
> Thank you and best wishes, Bev
>
> On Sun, Dec 7, 2014 at 8:39 AM, Tom Brennan - OWASP <tomb at owasp.org> wrote:
>>
>> We can solve the branding issue by creating approved logos to be used
>> by project leaders, project participants, members.  Include the status
>> and year in the logo.
>>
>> Using approved logos can be leveraged like a community Trustmark.
>>
>> We have a graphics person on staff --- use them.
>>
>>
>>
>>
>> On Sun, Dec 7, 2014 at 12:23 AM, Bev Corwin <bev.corwin at owasp.org> wrote:
>> > Thank you Tobias, All good points and well taken. I agree. Best wishes,
>> > Bev
>> >
>> > On Sat, Dec 6, 2014 at 11:45 PM, Tobias <tobias.gondrom at owasp.org>
>> > wrote:
>> >>
>> >> Dear Bev,
>> >>
>> >> thanks for the clarification. I misunderstood your email initially as
>> >> that you were referring to a company using our logo on their website,
>> >> which would indeed need approval by OWASP.
>> >>
>> >> I can sense that we have some careful balancing when it comes to
>> >> protection of our brand.
>> >> On the one hand we want to help the people and industry at large
>> >> improving security and in that process also to refer to us and our
>> >> many projects, on the other hand we want to avoid that a text is
>> >> misunderstood in a way that we would endorse a specific product,
>> >> proprietary technology or business.
>> >> A fine line to walk and possibly we will face a couple of cases where
>> >> we are not totally sure about it.
>> >>
>> >> Thinking about this, I am not sure it's the right path to add "brand
>> >> usage" onto the plate of the compliance officer. The main need for our
>> >> independent compliance officer is to avoid conflict of interest when it
>> >> comes to investigating internal problems among staff, leaders or board
>> >> members. For this an independent compliance officer is important.
>> >> However, he is a community volunteer and his time is limited. And the
>> >> protection of our brand and guiding other companies on how to refer to
>> >> OWASP correctly does not have that risk of conflict of interest. Am
>> >> thinking whether based on general brand usage guidelines (which we
>> >> already have, but maybe need to be more detailed guidance) set by the
>> >> community and the board, maybe we could delegate this to one of our
>> >> staff instead or a community team to communicate carefully and in a
>> >> positive manner with our partners in the industry. By this we could
>> >> keep the work load of the compliance within reasonable levels, so that
>> >> he will have enough time when it comes to cases that require his
>> >> independent investigation.
>> >>
>> >> E.g. to enhance the guidelines, we could even add a few examples about
>> >> how good usage of our OWASP brand looks like. I appreciate that we may
>> >> have a large variety of views among our community about what level of
>> >> mentioning OWASP by others is ok or we even wish for. And I hope we
>> >> could in the process of a discussion achieve to find a wider consensus
>> >> on this with which everybody is feeling ok....
>> >>
>> >> Just a thought.
>> >>
>> >> Tobias
>> >>
>> >>
>> >>
>> >>
>> >> On 06/12/14 22:48, Bev Corwin wrote:
>> >>
>> >> Dear Tobias,
>> >>
>> >> Sorry for any confusion. I probably should have made it clear that I
>> >> was speaking in general and not referring to any particular case. There
>> >> were a number of discussions on this topic, several examples, some
>> >> regarding use of brand, others not. In this particular case, the name
>> >> "OWASP" is part of the brand, whether or not it uses the logo. The trade
>> >> name should be treated similarly as the logo, especially if used in
>> >> marketing. Best wishes.
>> >>
>> >> Bev
>> >>
>> >> Sincerely,
>> >> Bev
>> >>
>> >>
>> >> On Sat, Dec 6, 2014 at 5:24 AM, Tobias <tobias.gondrom at owasp.org>
>> >> wrote:
>> >>>
>> >>> Bev,
>> >>> it seems I am not seeing the page you are seeing, because I didn't see
>> >>> the OWASP logo on that page, that you are referring to.
>> >>> Could you please send a link to the page that is holding the OWASP
>> >>> logo?
>> >>> Thanks, Tobias
>> >>>
>> >>>
>> >>>
>> >>> On 06/12/14 01:40, Bev Corwin wrote:
>> >>>
>> >>> Howdy all! My 2 cents:
>> >>>
>> >>> Ask them to remove the OWASP logo brand, etc., that OWASP does not
>> >>> "endorse", has brand use policies, etc.
>> >>>
>> >>> Ask them to link to the OWASP pages that apply to their discussion.
>> >>>
>> >>> Ask them to move it from the "marketing" area of the website to their
>> >>> blog.
>> >>>
>> >>> Best wishes,
>> >>> Bev
>> >>>
>> >>>
>> >>> On Fri, Dec 5, 2014 at 1:18 PM, Jim Manico <jim.manico at owasp.org>
>> >>> wrote:
>> >>>>
>> >>>> Josh,
>> >>>>
>> >>>> What I suggest is that corporate/product-centric OWASP brand usage
>> >>>> needs to be approved of beforehand by the board, staff or brand
>> >>>> committee (one official structure, not all three). That would give us
>> >>>> a chance to have a "nice conversation" with folks before they use the
>> >>>> brand as opposed to having to police the brand.
>> >>>>
>> >>>> Regardless of our resources, I feel the OWASP brand is abused to a
>> >>>> great degree and it dilutes what we are trying to accomplish. It's
>> >>>> also a violation of our non-commercial, vendor-neutral rules of play.
>> >>>>
>> >>>> - Jim
>> >>>>
>> >>>>
>> >>>>
>> >>>> On 12/5/14 10:10 AM, Josh Sokol wrote:
>> >>>>
>> >>>> Jim,
>> >>>>
>> >>>> I totally understand where you are coming from.  However, the minute
>> >>>> the PCI DSS 1.0 asserted that companies needed to "Develop all web
>> >>>> applications based on secure coding guidelines such as the Open Web
>> >>>> Application Security Project guidelines", those materials became more
>> >>>> than just an informational document.  They are now part of the PCI
>> >>>> DSS standard which is supported by the for-profit corporations AMEX,
>> >>>> Discover, JCB, Mastercard, and VISA.  And because of the mandatory
>> >>>> compliance requirements behind PCI DSS, companies are willing to pay
>> >>>> for solutions to meet those requirements.  Acunetix is just one of
>> >>>> many companies making claims on their ability to fulfill PCI DSS
>> >>>> requirement 6.5, regardless of whether it is even possible for anyone
>> >>>> to do so (I agree with you here).  So, if you truly have a problem
>> >>>> with vendors using OWASP as a way to increase profits, then the root
>> >>>> of this "problem" is the fact that it is included on the PCI DSS to
>> >>>> begin with.  That said, my personal take on it is that having it as a
>> >>>> requirement on the PCI DSS has probably been better visibility for
>> >>>> OWASP than just about anything else out there.  So, even if it were
>> >>>> possible to have it removed (something I don't think is possible given
>> >>>> the open source license on it), I'm not sure we would want to.  So, in
>> >>>> the end, I think that OWASP is responsible for putting out good, free,
>> >>>> documents, that the public can consume, and as long as abuse isn't
>> >>>> blatant, we should first look at intent before rousing the troops
>> >>>> against them.  In this case, the vendor is simply saying that they
>> >>>> scan for the issues in the standard.  We are not equipped to run
>> >>>> around testing every vendor to see if their claims about that are
>> >>>> true.
>> >>>>
>> >>>> ~josh
>> >>>>
>> >>>> On Fri, Dec 5, 2014 at 11:19 AM, Jim Manico <jim.manico at owasp.org>
>> >>>> wrote:
>> >>>>>
>> >>>>> Josh,
>> >>>>>
>> >>>>> There is a history (ISSA, ISC2, Apache, etc) where non profit
>> >>>>> security or developer organizations do not allow companies to use
>> >>>>> their non-profit brand for product marketing.
>> >>>>>
>> >>>>> I feel that *strongly* protecting the OWASP brand from being used in
>> >>>>> commercial marketing is both a part of our non-profit mission (vendor
>> >>>>> neutral, non commercial) as well as being one of the main roles of
>> >>>>> our fiduciary duty as board members.
>> >>>>>
>> >>>>> Again, this is not just my opinion. There is a great deal of
>> >>>>> precedent in this area from similar organizations.
>> >>>>> - Jim
>> >>>>>
>> >>>>> PS: As a side note, The OWASP Top Ten is not addressable by a
>> >>>>> product, I can explain that in detail if you wish. (Just look at A5).
>> >>>>>
>> >>>>>
>> >>>>>
>> >>>>>
>> >>>>>
>> >>>>> On 11/18/14 5:53 AM, Josh Sokol wrote:
>> >>>>>
>> >>>>> My personal opinion is that this is fine.  The OWASP Top 10 is a
>> >>>>> published standard and Acunetix is claiming that they are capable of
>> >>>>> scanning for the issues identified in the OWASP Top 10 standard.  I
>> >>>>> don't think that we should be responsible for policing whether or not
>> >>>>> they actually do what they say they do.  With that line being pretty
>> >>>>> blurry to begin with, I doubt Acunetix is the only company
>> >>>>> advertising in this manner. And as long as they're not claiming to be
>> >>>>> "OWASP Certified", or the like, I think this is not worth pursuing.
>> >>>>>
>> >>>>> ~josh
>> >>>>>
>> >>>>> On Fri, Nov 14, 2014 at 8:13 PM, Jim Manico <jim.manico at owasp.org>
>> >>>>> wrote:
>> >>>>>>
>> >>>>>> Folks,
>> >>>>>>
>> >>>>>> When we do a google search for "OWASP" I see that Acunetix is
>> >>>>>> advertising that they are scanning for the OWASP Top Ten. The ad
>> >>>>>> links to
>> >>>>>>
>> >>>>>> http://www.acunetix.com/vulnerability-scanner/scan-website-owasp-top-10-risks/
>> >>>>>>
>> >>>>>> I think this ad violates the following brand usage guidelines:
>> >>>>>>
>> >>>>>> https://www.owasp.org/index.php/Marketing/Resources#The_Brand_Usage_Rules
>> >>>>>>
>> >>>>>> 5) The OWASP Brand must not be used in a manner that suggests that
>> >>>>>> The OWASP Foundation supports, advocates, or recommends any
>> >>>>>> particular product or technology.
>> >>>>>>
>> >>>>>> 7) The OWASP Brand must not be used in a manner that suggests that
>> >>>>>> a product or technology can enable compliance with any OWASP
>> >>>>>> Materials other than an OWASP Published Standard.
>> >>>>>>
>> >>>>>> and
>> >>>>>>
>> >>>>>> 8) The OWASP Brand must not be used in any materials that could
>> >>>>>> mislead readers by narrowly interpreting a broad application
>> >>>>>> security category. For example, a vendor product that can find or
>> >>>>>> protect against forced browsing must not claim that they address all
>> >>>>>> of the access control category.
>> >>>>>>
>> >>>>>>
>> >>>>>> I would like to file this with our compliance officer, but I think
>> >>>>>> he is over-burdened right now. Do you think this is a clear
>> >>>>>> violation and if so, should we approach them in a gentle way with
>> >>>>>> suggestions to correct this?
>> >>>>>>
>> >>>>>> Aloha,
>> >>>>>> Jim
>> >>>>>>
>> >>>>>>
>> >>>>>>
>> >>>>>>
>> >>>>>> _______________________________________________
>> >>>>>> Owasp-board mailing list
>> >>>>>> Owasp-board at lists.owasp.org
>> >>>>>> https://lists.owasp.org/mailman/listinfo/owasp-board
>> >>>>>>