[Owasp-board] [Owasp-leaders] OWASP Benchmark project - potential conflict of interest

psiinon psiinon at gmail.com
Fri Oct 2 08:31:36 UTC 2015

OK, based on the concerns raised so far I think the board should initiate a
review of the OWASP Benchmark project.
I'm not raising a formal complaint against it, I'm just requesting a review.
And I dont think it needs a 'standard' project review - Johanna has already
done a very good job of this.
Not sure what sort of review you'd call it, I'll leave the naming to others

I'm concerned that we have an OWASP project lead by a company who has a
clear commercial stake in the results.
Bringing more companies on board will help, but I'm still not sure that
alone will make it independent enough.
Commercial companies can afford to dedicate staff to improving Benchmark so
that their products look better.
Open source projects just cant do that, so we are at a distinct
Should we allow a commercially driven OWASP project who's aim could be seen
be to promote commercial software?
If so, what sort of checks and balances does it need?
Those are the sort of questions I'd like an independent review to look at.

I do think there are some immediate steps that could be taken:

   - I'd like to see the Benchmark project page clearly state thats its at
   a very early stage and that the results are _not_ yet suitable for use in
   commercial literature.
   - I'd also like the main companies developing Benchmark to be clearly
   stated on the main page. If and when other companies get involved then this
   would actually help the project's claim of vendor independence.
   - And I'd love to see a respected co-leader added to the project who is
   not associated with any commercial or open source security tools:)

And we should carry on discussing the project on this list - I think such
discussions are very healthy, and I'd love to see this project mature to a
state where it can be a trusted, independent and valued resource.



On Thu, Oct 1, 2015 at 7:59 PM, Tobias <tobias.gondrom at owasp.org> wrote:

> @Simon:
> yes, the leaders list is the place for your discussions for project and
> chapter leaders
> @Timo: I like your framing of "Don't ask what OWASP can do for me, ask
> what I can do for OWASP."
> That should and is indeed the spirit of OWASP:-)
> Best regards, Tobias
> On 30/09/15 09:42, Timo Goosen wrote:
> I don't know enough about the matter to comment on this case, but I feel
> that any situation where an OWASP project or any OWASP initiative for that
> matter, is using OWASP to promote its own business interests should be
> stopped.  We need to get rid of bad apples in OWASP.
> OWASP is becoming a brand if you would like to think of it that way and we
> are going to see many more cases of people trying to use OWASP to spread
> their business interests. At the end of the day everyone should be acting
> with an attitude of:"Don't ask what OWASP can do for me, ask what I can do
> for OWASP?"
> Regards.
> Timo
> On Wed, Sep 30, 2015 at 11:48 AM, psiinon <psiinon at gmail.com> wrote:
>> So, a load of controversy about OWASP Benchmark on twitter, but no
>> discussion on the leaders list :(
>> Is this now the wrong place to discuss OWASP projects??
>> Simon
>> On Thu, Sep 24, 2015 at 10:36 AM, psiinon <psiinon at gmail.com> wrote:
>>> Hi folks,
>>> I've got some concerns about the OWASP Benchmark project.
>>> I _like_ benchmarks, and I'm very pleased to see an active OWASP project
>>> focused on delivering one.
>>> I think the project has some technical limitations, but thats fine given
>>> the stage the project is at, ie _very_ early.
>>> I dont think that any firm conclusions should be drawn from it until its
>>> been significantly enhanced.
>>> My concerns are around the marketing that one of the companies
>>> sponsoring the Benchmark project has started using.
>>> Here we have a company that leads an OWASP project that just happens to
>>> show that their offering in this area appears to be _significantly_ better
>>> than any of the competition.
>>> Their recent press release stresses that its an OWASP project, make the
>>> most of the fact that the US DHS helped fund it but make no mention of
>>> their role in developing it.
>>> Regardless of the accuracy of the results, it seems like a huge conflict
>>> of interest :(
>>> It appears that I'm not the only one with concerns related to the
>>> project:
>>> https://www.veracode.com/blog/2015/09/no-one-technology-silver-bullet
>>> What do other people think?
>>> Cheers,
>>> Simon
>>> --
>>> OWASP ZAP <https://www.owasp.org/index.php/ZAP> Project leader
>> --
>> OWASP ZAP <https://www.owasp.org/index.php/ZAP> Project leader
>> _______________________________________________
>> OWASP-Leaders mailing list
>> OWASP-Leaders at lists.owasp.org
>> https://lists.owasp.org/mailman/listinfo/owasp-leaders
> _______________________________________________
> OWASP-Leaders mailing listOWASP-Leaders at lists.owasp.orghttps://lists.owasp.org/mailman/listinfo/owasp-leaders

OWASP ZAP <https://www.owasp.org/index.php/ZAP> Project leader
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.owasp.org/pipermail/owasp-board/attachments/20151002/8869525c/attachment-0001.html>

More information about the Owasp-board mailing list