[Owasp-board] Additional Brand Abuse

Tobias tobias.gondrom at owasp.org
Tue Nov 18 22:20:01 UTC 2014


I agree with Josh and Paul,

educate and be positive.
After all, we want people and organisations to refer to OWASP (and OWASP 
projects like the Top-10).
We are happy if others say OWASP is great. What we don't want is for 
people to get the impression that OWASP would endorse a product or vendor. 
(Note: I say impression, as putting an OWASP logo on a company page 
could already create such an impression, even without saying anything...)

It might be worth reviewing our brand usage guidelines and making them 
better, e.g. giving guidelines for various scenarios.

Maybe a good first task (among many) for Noreen starting as community 
manager.

Best, Tobias


On 18/11/14 06:05, Paul Ritchie wrote:
> Jim, Josh, all:
>
> I tend to agree with the "Let's be vigilant & educate the community, 
> rather than 'police' the community" approach.
>
> Noreen Whysel, our new Community Manager, has training, education & 
> Community outreach in her area of responsibility.  One training topic 
> could easily be "Cool OWASP Marketing tools, and How to Use the OWASP 
> Brand/Logo".
>
> Unless we see a truly blatant case of misuse, I'll be asking Noreen to 
> go down the education path first.
> Paul
>
>
>
>
> Best Regards, Paul Ritchie
> OWASP Interim Executive Director
> paul.ritchie at owasp.org
>
>
> On Tue, Nov 18, 2014 at 7:53 AM, Josh Sokol <josh.sokol at owasp.org> wrote:
>
>     My personal opinion is that this is fine.  The OWASP Top 10 is a
>     published standard and Acunetix is claiming that they are capable
>     of scanning for the issues identified in the OWASP Top 10
>     standard.  I don't think that we should be responsible for
>     policing whether or not they actually do what they say they do. 
>     With that line being pretty blurry to begin with, I doubt Acunetix
>     is the only company advertising in this manner.  And as long as
>     they're not claiming to be "OWASP Certified", or the like, I think
>     this is not worth pursuing.
>
>     ~josh
>
>     On Fri, Nov 14, 2014 at 8:13 PM, Jim Manico <jim.manico at owasp.org> wrote:
>
>         Folks,
>
>         When we do a Google search for "OWASP" I see that Acunetix is
>         advertising that they are scanning for the OWASP Top Ten. The
>         ad links to
>         http://www.acunetix.com/vulnerability-scanner/scan-website-owasp-top-10-risks/
>
>         I think this ad violates the following brand usage guidelines:
>         https://www.owasp.org/index.php/Marketing/Resources#The_Brand_Usage_Rules
>
>         5) The OWASP Brand must not be used in a manner that suggests
>         that The OWASP Foundation supports, advocates, or recommends
>         any particular product or technology.
>
>         7) The OWASP Brand must not be used in a manner that suggests
>         that a product or technology can enable compliance with any
>         OWASP Materials other than an OWASP Published Standard.
>
>         and
>
>         8) The OWASP Brand must not be used in any materials that
>         could mislead readers by narrowly interpreting a broad
>         application security category. For example, a vendor product
>         that can find or protect against forced browsing must not
>         claim that they address all of the access control category.
>
>
>         I would like to file this with our compliance officer, but I
>         think he is over-burdened right now. Do you think this is a
>         clear violation and if so, should we approach them in a gentle
>         way with suggestions to correct this?
>
>         Aloha,
>         Jim
>
>
>
>
>         _______________________________________________
>         Owasp-board mailing list
>         Owasp-board at lists.owasp.org <mailto:Owasp-board at lists.owasp.org>
>         https://lists.owasp.org/mailman/listinfo/owasp-board
>
>
>
