[Owasp-board] Additional Brand Abuse

Tobias tobias.gondrom at owasp.org
Wed Dec 17 08:46:01 UTC 2014


I agree regarding the "take action".

My question: which action and who takes it?

Community volunteers, ops team?

Best, Tobias

On 08/12/14 00:48, Tom Brennan wrote:
> It's been discussed at Board Meeting before... action needs to be taken.
> Thanks for your concern, Bev.
> On Sun, Dec 7, 2014 at 10:29 AM, Bev Corwin <bev.corwin at owasp.org> wrote:
>> +1 - I agree that brand strategy, policies, and relationship models would be
>> useful for OWASP, and if they included OWASP Trustmarks, that would be
>> interesting, too. Nice to know that OWASP has staff resources available.
>> Thank you and best wishes, Bev
>> On Sun, Dec 7, 2014 at 8:39 AM, Tom Brennan - OWASP <tomb at owasp.org> wrote:
>>> We can solve the branding issue by creating approved logos to be used by project leaders, project participants, and members. Include the status and year in the logo.
>>> Using approved logos can be leveraged like a community Trustmark.
>>> We have a graphics person on staff --- use them.
>>> On Sun, Dec 7, 2014 at 12:23 AM, Bev Corwin <bev.corwin at owasp.org> wrote:
>>>> Thank you Tobias, all good points and well taken. I agree. Best wishes,
>>>> Bev
>>>> On Sat, Dec 6, 2014 at 11:45 PM, Tobias <tobias.gondrom at owasp.org> wrote:
>>>>> Dear Bev,
>>>>> thanks for the clarification. I misunderstood your email initially as that you were referring to a company using our logo on their website, which would indeed need approval by OWASP.
>>>>> I can sense that we have some careful balancing when it comes to protection of our brand.
>>>>> On the one hand we want to help the people and industry at large improving security and in that process also to refer to us and our many projects; on the other hand we want to avoid that a text is misunderstood in a way that we would endorse a specific product, proprietary technology or business.
>>>>> A fine line to walk, and possibly we will face a couple of cases where we are not totally sure about it.
>>>>> Thinking about this, I am not sure it's the right path to add "brand usage" onto the plate of the compliance officer. The main need for our independent compliance officer is to avoid conflict of interest when it comes to investigating internal problems among staff, leaders or board members. For this an independent compliance officer is important. However, he is a community volunteer and his time is limited. And the protection of our brand and guiding other companies on how to refer to OWASP correctly does not have that risk of conflict of interest. Am thinking whether, based on general brand usage guidelines (which we already have, but maybe need to be more detailed guidance) set by the community and the board, maybe we could delegate this to one of our staff instead or a community team to communicate carefully and in a positive manner with our partners in the industry. By this we could keep the work load of the compliance officer within reasonable levels, so that he will have enough time when it comes to cases that require his independent investigation.
>>>>> E.g. to enhance the guidelines, we could even add a few examples about how good usage of our OWASP brand looks like. I appreciate that we may have a large variety of views among our community about what level of mentioning OWASP by others is ok or we even wish for. And I hope we could in the process of a discussion achieve to find a wider consensus on this with which everybody is feeling ok....
>>>>> Just a thought.
>>>>> Tobias
>>>>> On 06/12/14 22:48, Bev Corwin wrote:
>>>>>> Dear Tobias,
>>>>>> Sorry for any confusion. I probably should have made it clear that I was speaking in general and not referring to any particular case. There were a number of discussions on this topic, several examples, some regarding use of brand, others not. In this particular case, the name "OWASP" is part of the brand, whether or not it uses the logo. The trade name should be treated similarly as the logo, especially if used in marketing. Best wishes.
>>>>>> Bev
>>>>>> Sincerely,
>>>>>> Bev
>>>>>> On Sat, Dec 6, 2014 at 5:24 AM, Tobias <tobias.gondrom at owasp.org> wrote:
>>>>>> Bev,
>>>>>> it seems I am not seeing the page you are seeing, because I didn't see the OWASP logo on the page that you are referring to.
>>>>>> Could you please send a link to the page that is holding the OWASP logo?
>>>>>> Thanks, Tobias
>>>>>> On 06/12/14 01:40, Bev Corwin wrote:
>>>>>>> Howdy all! My 2 cents:
>>>>>>> Ask them to remove the OWASP logo brand, etc., that OWASP does not "endorse", has brand use policies, etc.
>>>>>>> Ask them to link to the OWASP pages that apply to their discussion.
>>>>>>> Ask them to move it from the "marketing" area of the website to their blog.
>>>>>>> Best wishes,
>>>>>>> Bev
>>>>>>> On Fri, Dec 5, 2014 at 1:18 PM, Jim Manico <jim.manico at owasp.org> wrote:
>>>>>>> Josh,
>>>>>>> What I suggest is that corporate/product-centric OWASP brand usage needs to be approved of beforehand by the board, staff or brand committee (one official structure, not all three). That would give us a chance to have a "nice conversation" with folks before they use the brand as opposed to having to police the brand.
>>>>>>> Regardless of our resources, I feel the OWASP brand is abused to a great degree and it dilutes what we are trying to accomplish. It's also a violation of our non-commercial, vendor-neutral rules of play.
>>>>>>> - Jim
>>>>>>> On 12/5/14 10:10 AM, Josh Sokol wrote:
>>>>>>>> Jim,
>>>>>>>> I totally understand where you are coming from. However, the minute the PCI DSS 1.0 asserted that companies needed to "Develop all web applications based on secure coding guidelines such as the Open Web Application Security Project guidelines", those materials became more than just an informational document. They are now part of the PCI DSS standard which is supported by the for-profit corporations AMEX, Discover, JCB, Mastercard, and VISA. And because of the mandatory compliance requirements behind PCI DSS, companies are willing to pay for solutions to meet those requirements. Acunetix is just one of many companies making claims on their ability to fulfill PCI DSS requirement 6.5, regardless of whether it is even possible for anyone to do so (I agree with you here). So, if you truly have a problem with vendors using OWASP as a way to increase profits, then the root of this "problem" is the fact that it is included on the PCI DSS to begin with. That said, my personal take on it is that having it as a requirement on the PCI DSS has probably been better visibility for OWASP than just about anything else out there. So, even if it were possible to have it removed (something I don't think is possible given the open source license on it), I'm not sure we would want to. So, in the end, I think that OWASP is responsible for putting out good, free documents that the public can consume, and as long as abuse isn't blatant, we should first look at intent before rousing the troops against them. In this case, the vendor is simply saying that they scan for the issues in the standard. We are not equipped to run around testing every vendor to see if their claims about that are true.
>>>>>>>> ~josh
>>>>>>>> On Fri, Dec 5, 2014 at 11:19 AM, Jim Manico <jim.manico at owasp.org> wrote:
>>>>>>>> Josh,
>>>>>>>> There is a history (ISSA, ISC2, Apache, etc) where non-profit security or developer organizations do not allow companies to use their non-profit brand for product marketing.
>>>>>>>> I feel that *strongly* protecting the OWASP brand from being used in commercial marketing is both a part of our non-profit mission (vendor neutral, non commercial) as well as being one of the main roles of our fiduciary duty as board members.
>>>>>>>> Again, this is not just my opinion. There is a great deal of precedent in this area from similar organizations.
>>>>>>>> - Jim
>>>>>>>> PS: As a side note, the OWASP Top Ten is not addressable by a product. I can explain that in detail if you wish. (Just look at A5).
>>>>>>>> On 11/18/14 5:53 AM, Josh Sokol wrote:
>>>>>>>>> My personal opinion is that this is fine. The OWASP Top 10 is a published standard and Acunetix is claiming that they are capable of scanning for the issues identified in the OWASP Top 10 standard. I don't think that we should be responsible for policing whether or not they actually do what they say they do. With that line being pretty blurry to begin with, I doubt Acunetix is the only company advertising in this manner. And as long as they're not claiming to be "OWASP Certified", or the like, I think this is not worth pursuing.
>>>>>>>>> ~josh
>>>>>>>>> On Fri, Nov 14, 2014 at 8:13 PM, Jim Manico <jim.manico at owasp.org> wrote:
>>>>>>>>> Folks,
>>>>>>>>> When we do a google search for "OWASP" I see that Acunetix is advertising that they are scanning for the OWASP Top Ten. The ad links to
>>>>>>>>> http://www.acunetix.com/vulnerability-scanner/scan-website-owasp-top-10-risks/
>>>>>>>>> I think this ad violates the following brand usage guidelines:
>>>>>>>>> https://www.owasp.org/index.php/Marketing/Resources#The_Brand_Usage_Rules
>>>>>>>>> 5) The OWASP Brand must not be used in a manner that suggests that The OWASP Foundation supports, advocates, or recommends any particular product or technology.
>>>>>>>>> 7) The OWASP Brand must not be used in a manner that suggests that a product or technology can enable compliance with any OWASP Materials other than an OWASP Published Standard.
>>>>>>>>> and
>>>>>>>>> 8) The OWASP Brand must not be used in any materials that could mislead readers by narrowly interpreting a broad application security category. For example, a vendor product that can find or protect against forced browsing must not claim that they address all of the access control category.
>>>>>>>>> I would like to file this with our compliance officer, but I think he is over-burdened right now. Do you think this is a clear violation and if so, should we approach them in a gentle way with suggestions to correct this?
>>>>>>>>> Aloha,
>>>>>>>>> Jim
>>>>>>>>> _______________________________________________
>>>>>>>>> Owasp-board mailing list
>>>>>>>>> Owasp-board at lists.owasp.org
>>>>>>>>> https://lists.owasp.org/mailman/listinfo/owasp-board
