[Owasp-board] Additional Brand Abuse

Tom Brennan tomb at proactiverisk.com
Wed Dec 17 20:50:19 UTC 2014


OWASP Graphics contractor HUGO creates graphics.

Ops team MEMBERSHIP communicates them to corporate members to use as official OWASP corporate member logos approved for use.

Community embraces the use of positive brand use.

Old logos are old, and anyone using them is out of touch... with the 201x announcement.

Those are the action steps.

There is also a strategic goal, to move to a global program regarding brand. So you can now hand it down to the operations ED to get'r'done, and it touches all staff roles. Should be easy to accomplish in 3 months if not sooner.

Extra points for a Trustmark lookup to a valid corporate membership page that verifies it's legit.




On Wednesday, December 17, 2014, Tobias <tobias.gondrom at owasp.org> wrote:

> Tom,
>
> I agree regarding the "take action".
>
> My question: which action and who takes it?
>
> Community volunteers, ops team?
>
> Best, Tobias
>
>
>
> On 08/12/14 00:48, Tom Brennan wrote:
>
>> Its been discussed at Board Meeting before... action needs to be taken.
>>
>> Thanks for your concern Bev.
>>
>>
>> On Sun, Dec 7, 2014 at 10:29 AM, Bev Corwin <bev.corwin at owasp.org> wrote:
>>
>>> +1 - I agree that brand strategy, policies, and relationship models would be useful for OWASP, and if they included OWASP Trustmarks, that would be interesting, too. Nice to know that OWASP has staff resources available.
>>> Thank you and best wishes, Bev
>>>
>>> On Sun, Dec 7, 2014 at 8:39 AM, Tom Brennan - OWASP <tomb at owasp.org>
>>> wrote:
>>>
>>>> We can solve the branding issue by creating approved logos to be used by project leaders, project participants, and members. Include the status and year in the logo.
>>>>
>>>> Using approved logos can be leveraged like a community Trustmark.
>>>>
>>>> We have a graphics person on staff --- use them.
>>>>
>>>>
>>>>
>>>>
>>>> On Sun, Dec 7, 2014 at 12:23 AM, Bev Corwin <bev.corwin at owasp.org>
>>>> wrote:
>>>>
>>>>> Thank you Tobias, All good points and well taken. I agree. Best wishes,
>>>>> Bev
>>>>>
>>>>> On Sat, Dec 6, 2014 at 11:45 PM, Tobias <tobias.gondrom at owasp.org>
>>>>> wrote:
>>>>>
>>>>>> Dear Bev,
>>>>>>
>>>>>> thanks for the clarification. I misunderstood your email initially as that you were referring to a company using our logo on their website, which would indeed need approval by OWASP.
>>>>>>
>>>>>> I can sense that we have some careful balancing when it comes to protection of our brand.
>>>>>> On the one hand we want to help the people and industry at large improve security and in that process also refer to us and our many projects; on the other hand we want to avoid that a text is misunderstood in a way that we would endorse a specific product, proprietary technology or business.
>>>>>> A fine line to walk, and possibly we will face a couple of cases where we are not totally sure about it.
>>>>>>
>>>>>> Thinking about this, I am not sure it's the right path to add "brand usage" onto the plate of the compliance officer. The main need for our independent compliance officer is to avoid conflict of interest when it comes to investigating internal problems among staff, leaders or board members. For this an independent compliance officer is important. However, he is a community volunteer and his time is limited. And the protection of our brand and guiding other companies on how to refer to OWASP correctly does not have that risk of conflict of interest. Am thinking whether, based on general brand usage guidelines (which we already have, but maybe need to be more detailed guidance) set by the community and the board, maybe we could delegate this to one of our staff instead or a community team to communicate carefully and in a positive manner with our partners in the industry. By this we could keep the workload of the compliance officer within reasonable levels, so that he will have enough time when it comes to cases that require his independent investigation.
>>>>>>
>>>>>> E.g. to enhance the guidelines, we could even add a few examples about how good usage of our OWASP brand looks like. I appreciate that we may have a large variety of views among our community about what level of mentioning OWASP by others is ok or we even wish for. And I hope we could in the process of a discussion achieve to find a wider consensus on this with which everybody is feeling ok....
>>>>>>
>>>>>> Just a thought.
>>>>>>
>>>>>> Tobias
>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>> On 06/12/14 22:48, Bev Corwin wrote:
>>>>>>
>>>>>> Dear Tobias,
>>>>>>
>>>>>> Sorry for any confusion. I probably should have made it clear that I was speaking in general and not referring to any particular case. There were a number of discussions on this topic, several examples, some regarding use of brand, others not. In this particular case, the name "OWASP" is part of the brand, whether or not it uses the logo. The trade name should be treated similarly to the logo, especially if used in marketing. Best wishes.
>>>>>>
>>>>>> Bev
>>>>>>
>>>>>> Sincerely,
>>>>>> Bev
>>>>>>
>>>>>>
>>>>>> On Sat, Dec 6, 2014 at 5:24 AM, Tobias <tobias.gondrom at owasp.org>
>>>>>> wrote:
>>>>>>
>>>>>>> Bev,
>>>>>>> it seems I am not seeing the page you are seeing, because I didn't see the OWASP logo on that page that you are referring to.
>>>>>>> Could you please send a link to the page that is holding the OWASP logo?
>>>>>>> Thanks, Tobias
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>> On 06/12/14 01:40, Bev Corwin wrote:
>>>>>>>
>>>>>>> Howdy all! My 2 cents:
>>>>>>>
>>>>>>> Ask them to remove the OWASP logo brand, etc., that OWASP does not
>>>>>>> "endorse", has brand use policies, etc.
>>>>>>>
>>>>>>> Ask them to link to the OWASP pages that apply to their discussion.
>>>>>>>
>>>>>>> Ask them to move it from the "marketing" area of the website to their
>>>>>>> blog.
>>>>>>>
>>>>>>> Best wishes,
>>>>>>> Bev
>>>>>>>
>>>>>>>
>>>>>>> On Fri, Dec 5, 2014 at 1:18 PM, Jim Manico <jim.manico at owasp.org>
>>>>>>> wrote:
>>>>>>>
>>>>>>>> Josh,
>>>>>>>>
>>>>>>>> What I suggest is that corporate/product-centric OWASP brand usage needs to be approved beforehand by the board, staff or brand committee (one official structure, not all three). That would give us a chance to have a "nice conversation" with folks before they use the brand as opposed to having to police the brand.
>>>>>>>>
>>>>>>>> Regardless of our resources, I feel the OWASP brand is abused to a great degree and it dilutes what we are trying to accomplish. It's also a violation of our non-commercial, vendor-neutral rules of play.
>>>>>>>>
>>>>>>>> - Jim
>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>> On 12/5/14 10:10 AM, Josh Sokol wrote:
>>>>>>>>
>>>>>>>> Jim,
>>>>>>>>
>>>>>>>> I totally understand where you are coming from. However, the minute the PCI DSS 1.0 asserted that companies needed to "Develop all web applications based on secure coding guidelines such as the Open Web Application Security Project guidelines", those materials became more than just an informational document. They are now part of the PCI DSS standard which is supported by the for-profit corporations AMEX, Discover, JCB, Mastercard, and VISA. And because of the mandatory compliance requirements behind PCI DSS, companies are willing to pay for solutions to meet those requirements. Acunetix is just one of many companies making claims on their ability to fulfill PCI DSS requirement 6.5, regardless of whether it is even possible for anyone to do so (I agree with you here). So, if you truly have a problem with vendors using OWASP as a way to increase profits, then the root of this "problem" is the fact that it is included on the PCI DSS to begin with. That said, my personal take on it is that having it as a requirement on the PCI DSS has probably been better visibility for OWASP than just about anything else out there. So, even if it were possible to have it removed (something I don't think is possible given the open source license on it), I'm not sure we would want to. So, in the end, I think that OWASP is responsible for putting out good, free documents that the public can consume, and as long as abuse isn't blatant, we should first look at intent before rousing the troops against them. In this case, the vendor is simply saying that they scan for the issues in the standard. We are not equipped to run around testing every vendor to see if their claims about that are true.
>>>>>>>>
>>>>>>>> ~josh
>>>>>>>>
>>>>>>>> On Fri, Dec 5, 2014 at 11:19 AM, Jim Manico <jim.manico at owasp.org>
>>>>>>>> wrote:
>>>>>>>>
>>>>>>>>> Josh,
>>>>>>>>>
>>>>>>>>> There is a history (ISSA, ISC2, Apache, etc) where non-profit security or developer organizations do not allow companies to use their non-profit brand for product marketing.
>>>>>>>>>
>>>>>>>>> I feel that *strongly* protecting the OWASP brand from being used in commercial marketing is both a part of our non-profit mission (vendor neutral, non commercial) as well as being one of the main roles of our fiduciary duty as board members.
>>>>>>>>>
>>>>>>>>> Again, this is not just my opinion. There is a great deal of precedent in this area from similar organizations.
>>>>>>>>> - Jim
>>>>>>>>>
>>>>>>>>> PS: As a side note, The OWASP Top Ten is not addressable by a product. I can explain that in detail if you wish. (Just look at A5).
>>>>>>>>>
>>>>>>>>>
>>>>>>>>>
>>>>>>>>>
>>>>>>>>>
>>>>>>>>> On 11/18/14 5:53 AM, Josh Sokol wrote:
>>>>>>>>>
>>>>>>>>> My personal opinion is that this is fine. The OWASP Top 10 is a published standard and Acunetix is claiming that they are capable of scanning for the issues identified in the OWASP Top 10 standard. I don't think that we should be responsible for policing whether or not they actually do what they say they do. With that line being pretty blurry to begin with, I doubt Acunetix is the only company advertising in this manner. And as long as they're not claiming to be "OWASP Certified", or the like, I think this is not worth pursuing.
>>>>>>>>>
>>>>>>>>> ~josh
>>>>>>>>>
>>>>>>>>> On Fri, Nov 14, 2014 at 8:13 PM, Jim Manico <jim.manico at owasp.org>
>>>>>>>>> wrote:
>>>>>>>>>
>>>>>>>>>> Folks,
>>>>>>>>>>
>>>>>>>>>> When we do a google search for "OWASP" I see that Acunetix is advertising that they are scanning for the OWASP Top Ten. The ad links to
>>>>>>>>>>
>>>>>>>>>> http://www.acunetix.com/vulnerability-scanner/scan-website-owasp-top-10-risks/
>>>>>>>>>>
>>>>>>>>>> I think this ad violates the following brand usage guidelines:
>>>>>>>>>>
>>>>>>>>>> https://www.owasp.org/index.php/Marketing/Resources#The_Brand_Usage_Rules
>>>>>>>>>>
>>>>>>>>>> 5) The OWASP Brand must not be used in a manner that suggests that The OWASP Foundation supports, advocates, or recommends any particular product or technology.
>>>>>>>>>>
>>>>>>>>>> 7) The OWASP Brand must not be used in a manner that suggests that a product or technology can enable compliance with any OWASP Materials other than an OWASP Published Standard.
>>>>>>>>>>
>>>>>>>>>> and
>>>>>>>>>>
>>>>>>>>>> 8) The OWASP Brand must not be used in any materials that could mislead readers by narrowly interpreting a broad application security category. For example, a vendor product that can find or protect against forced browsing must not claim that they address all of the access control category.
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>> I would like to file this with our compliance officer, but I think he is over-burdened right now. Do you think this is a clear violation and if so, should we approach them in a gentle way with suggestions to correct this?
>>>>>>>>>>
>>>>>>>>>> Aloha,
>>>>>>>>>> Jim
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>> _______________________________________________
>>>>>>>>>> Owasp-board mailing list
>>>>>>>>>> Owasp-board at lists.owasp.org
>>>>>>>>>> https://lists.owasp.org/mailman/listinfo/owasp-board
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>
>>>>>
>>>>>
>>>
>

