[Owasp-board] [Owasp-leaders] OWASP Benchmark project - potential conflict of interest

johanna curiel curiel johanna.curiel at owasp.org
Thu Nov 26 22:23:18 UTC 2015


I think this project should be demoted back to Incubators

On Thu, Nov 26, 2015 at 6:01 PM, johanna curiel curiel <
johanna.curiel at owasp.org> wrote:

> Very nice for these AppSec folks in making marketing out of volunteer
> efforts to spend time reviewing an immature tool and sell it as if it is
> mature and ready for selling and making money at an *OWASP conference*
>
> Other people make advertising, yes, but they don't push a review to go
> ahead and sell. Of course, if this project was 'an incubator' it had fewer
> claims to make than 'LAB', right?
>
> I'm *very very and very disappointed to be used like this. *
>
> What about that? No one cares that resources are misused? BTW the project
> also got a speaker slot at the OWASP conference.
>
> 3 issues logged so far in their github repo. Wow..I'm appalled how much
> testing this is taking...
>
> How many people in this thread have actually used the tool?
>
> I think I'm the only one.
>
>
> On Thu, Nov 26, 2015 at 5:32 PM, Andre Gironda <andreg+owasp at gmail.com>
> wrote:
>
>>
>> On Thu, Nov 26, 2015 at 12:09 PM, Josh Sokol <josh.sokol at owasp.org>
>> wrote:
>> > I would be happy to provide an update.
>> >
>> > Matt Konda and Dave Wichers, the Benchmark Project Leader, had a
>> > conversation a few weeks back. To summarize their conversation, Dave
>> > acknowledges the current lack of diversity in his project and it is
>> his
>> > sincere desire to drive more people to it to help.
>>
>> From my perspective, this is a core project that has the potential for
>> the best outcomes. Every appsec program -- every infosec program -- leads
>> with tool(s) instead of people. Business owners and app owners want
>> business-as-usual portal(s) for the everyday uninitiated portal user. I
>> emphasize my parenthetical use of the plural (i.e., (s)'s) because many
>> times only one tool is chosen, or [at best?] chosen for a few quarters and
>> then migrated entirely to a new [often worse?] tool.
>>
>> What both Aspect and Contrast have contributed should be encouraged more.
>> These vendors are _contributing_ forward-looking solutions that get to the
>> root cause of obstacles in application security.
>>
>> So what do we give them? A reward? No -- we give them more obstacles? The
>> vendors who have a seat at the table
>>
>> > Josh Sokol and Jeff Williams, the CTO of Contrast, had a conversation a
>> few
>> > weeks back. To summarize their conversation, Jeff believes that the work
>> > that Dave is doing on the Benchmark is a game changer in that it gives
>> OWASP
>> > the power in dictating what these tools need to be finding. He wants the
>> > Benchmark to be successful and understands that it needs to be diverse
>> in
>> > order to be trusted.
>>
>> _______________________________________________
>> OWASP-Leaders mailing list
>> OWASP-Leaders at lists.owasp.org
>> https://lists.owasp.org/mailman/listinfo/owasp-leaders
>>
>>
>

