[Owasp-board] Contrast Marketing / OWASP Benchmark Project
Andrew van der Stock
vanderaj at owasp.org
Tue Oct 20 22:31:20 UTC 2015
Agreed. As I noted in one of my earlier e-mails, we need to:
Ensure that all projects that aim to provide benchmarks or a certification:
1) are free of conflicts of interest, both perceived and in actuality in
2) are substantially contributed by more than one vendor or tool to
demonstrate independence and impartiality
3) vendors using these benchmarks and tools do not make claims that are
contrary to existing OWASP logo and brand usage guidelines
We should address 3) immediately as we don't need to make any changes to
any project governance nor any logo or brand usage guidelines. I feel that
this could be an e-mail from Paul on behalf of the Foundation.
On Wed, Oct 21, 2015 at 7:20 AM, johanna curiel curiel <
johanna.curiel at owasp.org> wrote:
> Additionally, the vendor is making false claims based on the actual stage of
> development of the project.
> Benchmark is not ready to make such claims.
> On Tuesday, October 20, 2015, Michael Coates <michael.coates at owasp.org>
>> I think we definitely have an issue here.
>> 1) It is quite clear, at its current state, the project has a conflict of
>> The concept of the project could be great. But a conflict is present in
>> its current state. As a result, everything achieved by the project is
>> under a shadow. I also don't think there's any disagreement about conflict
>> of interest either (see chapter leader response
>> This isn't to say that anyone is purposively influencing results, but a
>> "conflict of interest' is about relationships and impartiality, not about
>> specific actions. As a result I feel the conflict of interest is here and
>> should be acted on.
>> Suggested action:
>> 1a - we should label the project as such (idea: a banner across the wiki
>> page with "outstanding issues: conflict of interest") just like Wikipedia
>> 1b - we should ask the project committee to consider updating the project
>> maturity process such that a project cannot advance out of the most initial
>> phase if a conflict of interest is present.
>> 2) Branding
>> The quotes you mention are not in line with our branding requirements. I
>> also don't believe the logo is to be used on vendor literature.
>> The OWASP Brand must not be used in a manner that suggests that The OWASP
>> Foundation supports, advocates, or recommends any particular product or
>> Suggested action:
>> 2a - Paul to reach out to Contrast to discuss how to work with OWASP
>> Thoughts from others?
>> Michael Coates | @_mwc <https://twitter.com/intent/user?screen_name=_mwc>
>> OWASP Global Board
>> On Tue, Oct 20, 2015 at 11:39 AM, Josh Sokol <josh.sokol at owasp.org>
>>> Did anyone see this?
>>> It is a vendor "Whitepaper" using the OWASP Benchmark Project along with
>>> the Foundation brand and logo. A couple of choice quotes from the
>>> "Any product that doesn’t score highly on the OWASP Benchmark puts
>>> organizations at serious risk of missing major vulnerabilities in their
>>> real-world applications and generating lots of false alarms."
>>> "Contrast Enterprise, which the OWASP Benchmark demonstrated is both
>>> fast and accurate, is a natural choice to augment or replace existing SAST
>>> and DAST solutions."
>>> Owasp-board mailing list
>>> Owasp-board at lists.owasp.org