[Owasp-board] [Owasp-leaders] OWASP Benchmark project - potential conflict of interest

psiinon psiinon at gmail.com
Tue Oct 6 08:19:18 UTC 2015


Hey Eoin,

I think project reviews should probably just concentrate on technical
aspects, but raise a flag if it looks like theres a potential for conflict
of interests or similar concerns. And thats exactly what Johanna did with
her report.
If such concerns are raised then an 'independence' (or 'ethical'?) review
should be initiated, and thats what I'm calling for now.
This is the first project I can think of in the last few years that has
caused this level of controversy, so I dont think a knee jerk like 'all
projects must be reviewed for independence' is appropriate.

So, board - can we have an 'independence' review of the Benchmark project?
Is it following the spirit of 'vendor neutrality'?
Is it bringing OWASP into disrepute?

Cheers,

Simon

On Tue, Oct 6, 2015 at 8:30 AM, Eoin Keary <eoin.keary at owasp.org> wrote:

> Hi Simon,
> Does a project review look at "independence" or just technical aspects?
>
> The issue here is two fold...
>
> 1 the project, out of the blocks was used for promotion of a commercial
> solution. There was also a rush to get it reviewed by appsec USA for that
> reason IMHO.
>
> 2 the project leads run a company which benefits and it appears that OWASP
> is being used as a marketing platform as per many comments on social media
> etc. - looks bad.
>
>
>
>
>
> Eoin Keary
> OWASP Volunteer
> @eoinkeary
>
>
>
> On 2 Oct 2015, at 9:31 a.m., psiinon <psiinon at gmail.com> wrote:
>
> OK, based on the concerns raised so far I think the board should initiate
> a review of the OWASP Benchmark project.
> I'm not raising a formal complaint against it, I'm just requesting a
> review.
> And I dont think it needs a 'standard' project review - Johanna has
> already done a very good job of this.
> Not sure what sort of review you'd call it, I'll leave the naming to
> others :)
>
> I'm concerned that we have an OWASP project lead by a company who has a
> clear commercial stake in the results.
> Bringing more companies on board will help, but I'm still not sure that
> alone will make it independent enough.
> Commercial companies can afford to dedicate staff to improving Benchmark
> so that their products look better.
> Open source projects just cant do that, so we are at a distinct
> disadvantage.
> Should we allow a commercially driven OWASP project who's aim could be
> seen be to promote commercial software?
> If so, what sort of checks and balances does it need?
> Those are the sort of questions I'd like an independent review to look at.
>
> I do think there are some immediate steps that could be taken:
>
>    - I'd like to see the Benchmark project page clearly state thats its
>    at a very early stage and that the results are _not_ yet suitable for use
>    in commercial literature.
>    - I'd also like the main companies developing Benchmark to be clearly
>    stated on the main page. If and when other companies get involved then this
>    would actually help the project's claim of vendor independence.
>    - And I'd love to see a respected co-leader added to the project who
>    is not associated with any commercial or open source security tools:)
>
> And we should carry on discussing the project on this list - I think such
> discussions are very healthy, and I'd love to see this project mature to a
> state where it can be a trusted, independent and valued resource.
>
> Cheers,
>
> Simon
>
> On Thu, Oct 1, 2015 at 7:59 PM, Tobias <tobias.gondrom at owasp.org> wrote:
>
>> @Simon:
>> yes, the leaders list is the place for your discussions for project and
>> chapter leaders
>> @Timo: I like your framing of "Don't ask what OWASP can do for me, ask
>> what I can do for OWASP."
>> That should and is indeed the spirit of OWASP:-)
>> Best regards, Tobias
>>
>>
>>
>>
>> On 30/09/15 09:42, Timo Goosen wrote:
>>
>> I don't know enough about the matter to comment on this case, but I feel
>> that any situation where an OWASP project or any OWASP initiative for that
>> matter, is using OWASP to promote its own business interests should be
>> stopped.  We need to get rid of bad apples in OWASP.
>>
>> OWASP is becoming a brand if you would like to think of it that way and
>> we are going to see many more cases of people trying to use OWASP to spread
>> their business interests. At the end of the day everyone should be acting
>> with an attitude of:"Don't ask what OWASP can do for me, ask what I can do
>> for OWASP?"
>>
>>
>>
>> Regards.
>> Timo
>>
>> On Wed, Sep 30, 2015 at 11:48 AM, psiinon <psiinon at gmail.com> wrote:
>>
>>> So, a load of controversy about OWASP Benchmark on twitter, but no
>>> discussion on the leaders list :(
>>> Is this now the wrong place to discuss OWASP projects??
>>>
>>> Simon
>>>
>>>
>>> On Thu, Sep 24, 2015 at 10:36 AM, psiinon <psiinon at gmail.com> wrote:
>>>
>>>> Hi folks,
>>>>
>>>> I've got some concerns about the OWASP Benchmark project.
>>>>
>>>> I _like_ benchmarks, and I'm very pleased to see an active OWASP
>>>> project focused on delivering one.
>>>> I think the project has some technical limitations, but thats fine
>>>> given the stage the project is at, ie _very_ early.
>>>> I dont think that any firm conclusions should be drawn from it until
>>>> its been significantly enhanced.
>>>>
>>>> My concerns are around the marketing that one of the companies
>>>> sponsoring the Benchmark project has started using.
>>>>
>>>> Here we have a company that leads an OWASP project that just happens to
>>>> show that their offering in this area appears to be _significantly_ better
>>>> than any of the competition.
>>>> Their recent press release stresses that its an OWASP project, make the
>>>> most of the fact that the US DHS helped fund it but make no mention of
>>>> their role in developing it.
>>>>
>>>> Regardless of the accuracy of the results, it seems like a huge
>>>> conflict of interest :(
>>>>
>>>> It appears that I'm not the only one with concerns related to the
>>>> project:
>>>>
>>>> https://www.veracode.com/blog/2015/09/no-one-technology-silver-bullet
>>>>
>>>> What do other people think?
>>>>
>>>> Cheers,
>>>>
>>>> Simon
>>>>
>>>> --
>>>> OWASP ZAP <https://www.owasp.org/index.php/ZAP> Project leader
>>>>
>>>
>>>
>>>
>>> --
>>> OWASP ZAP <https://www.owasp.org/index.php/ZAP> Project leader
>>>
>>> _______________________________________________
>>> OWASP-Leaders mailing list
>>> OWASP-Leaders at lists.owasp.org
>>> https://lists.owasp.org/mailman/listinfo/owasp-leaders
>>>
>>>
>>
>>
>> _______________________________________________
>> OWASP-Leaders mailing listOWASP-Leaders at lists.owasp.orghttps://lists.owasp.org/mailman/listinfo/owasp-leaders
>>
>>
>>
>
>
> --
> OWASP ZAP <https://www.owasp.org/index.php/ZAP> Project leader
>
> _______________________________________________
> OWASP-Leaders mailing list
> OWASP-Leaders at lists.owasp.org
> https://lists.owasp.org/mailman/listinfo/owasp-leaders
>
>


-- 
OWASP ZAP <https://www.owasp.org/index.php/ZAP> Project leader
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.owasp.org/pipermail/owasp-board/attachments/20151006/3c73cf20/attachment-0001.html>


More information about the Owasp-board mailing list