<div dir="ltr">Dear Tobias,<div><br></div><div>Sorry for any confusion. I probably should have made it clear that I was speaking in general and not referring to any particular case. There were a number of discussions on this topic, several examples, some regarding use of brand, others not. In this particular case, the name "OWASP" is part of the brand, whether or not it uses the logo. The trade name should be treated similarly to the logo, especially if used in marketing. Best wishes.</div><div><br></div><div>Bev</div><div><br></div><div>Sincerely,</div><div>Bev</div><div><br></div></div><div class="gmail_extra"><br><div class="gmail_quote">On Sat, Dec 6, 2014 at 5:24 AM, Tobias <span dir="ltr"><<a href="mailto:tobias.gondrom@owasp.org" target="_blank">tobias.gondrom@owasp.org</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
  
    
  
  <div text="#000000" bgcolor="#FFFFFF">
    <div>Bev, <br>
      it seems I am not seeing the page you are seeing, because I didn't
      see the OWASP logo on that page, that you are referring to. <br>
      Could you please send a link to the page that is holding the OWASP
      logo? <br>
      Thanks, Tobias<div><div class="h5"><br>
      <br>
      <br>
      On 06/12/14 01:40, Bev Corwin wrote:<br>
    </div></div></div><div><div class="h5">
    <blockquote type="cite">
      <div dir="ltr">Howdy all! My 2 cents:
        <div><br>
        </div>
        <div>Ask them to remove the OWASP logo brand, etc., that OWASP
          does not "endorse", has brand use policies, etc.</div>
        <div><br>
        </div>
        <div>Ask them to link to the OWASP pages that apply to their
          discussion.</div>
        <div><br>
        </div>
        <div>Ask them to move it from the "marketing" area of the
          website to their blog.</div>
        <div><br>
        </div>
        <div>Best wishes,</div>
        <div>Bev</div>
        <div><br>
        </div>
      </div>
      <div class="gmail_extra"><br>
        <div class="gmail_quote">On Fri, Dec 5, 2014 at 1:18 PM, Jim
          Manico <span dir="ltr"><<a href="mailto:jim.manico@owasp.org" target="_blank">jim.manico@owasp.org</a>></span>
          wrote:<br>
          <blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
            <div bgcolor="#FFFFFF" text="#000000"> Josh,<br>
              <br>
              What I suggest is that corporate/product-centric OWASP
              brand usage needs to be approved of beforehand by the
              board, staff or brand committee (one official structure,
              not all three). That would give us a chance to have a
              "nice conversation" with folks before they use the brand
              as opposed to having to police the brand.<br>
              <br>
              Regardless of our resources, I feel the OWASP brand is
              abused to a great degree and it dilutes what we are trying
              to accomplish. It's also a violation of our
              non-commercial, vendor-neutral rules of play.<span><font color="#888888"><br>
                  <br>
                  - Jim</font></span>
              <div>
                <div><br>
                  <br>
                  <br>
                  <div>On 12/5/14 10:10 AM, Josh Sokol wrote:<br>
                  </div>
                  <blockquote type="cite">
                    <div dir="ltr">
                      <div>Jim,<br>
                        <br>
                        I totally understand where you are coming from. 
                        However, the minute the PCI DSS 1.0 asserted
                        that companies needed to "Develop all web
                        applications based on secure coding guidelines
                        such as the Open Web Application Security
                        Project guidelines", those materials became more
                        than just an informational document.  They are
                        now part of the PCI DSS standard which is
                        supported by the for-profit corporations AMEX,
                        Discover, JCB, Mastercard, and VISA.  And
                        because of the mandatory compliance requirements
                        behind PCI DSS, companies are willing to pay for
                        solutions to meet those requirements.  Acunetix
                        is just one of many companies making claims on
                        their ability to fulfill PCI DSS requirement
                        6.5, regardless of whether it is even possible
                        for anyone to do so (I agree with you here). 
                        So, if you truly have a problem with vendors
                        using OWASP as a way to increase profits, then
                        the root of this "problem" is the fact that it
                        is included on the PCI DSS to begin with.  That
                        said, my personal take on it is that having it
                        as a requirement on the PCI DSS has probably
                        been better visibility for OWASP than just about
                        anything else out there.  So, even if it were
                        possible to have it removed (something I don't
                        think is possible given the open source license
                        on it), I'm not sure we would want to.  So, in
                        the end, I think that OWASP is responsible for
                        putting out good, free, documents, that the
                        public can consume, and as long as abuse isn't
                        blatant, we should first look at intent before
                        rousing the troops against them.  In this case,
                        the vendor is simply saying that they scan for
                        the issues in the standard.  We are not equipped
                        to run around testing every vendor to see if
                        their claims about that are true.  <br>
                        <br>
                      </div>
                      ~josh<br>
                    </div>
                    <div class="gmail_extra"><br>
                      <div class="gmail_quote">On Fri, Dec 5, 2014 at
                        11:19 AM, Jim Manico <span dir="ltr"><<a href="mailto:jim.manico@owasp.org" target="_blank">jim.manico@owasp.org</a>></span>
                        wrote:<br>
                        <blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
                          <div bgcolor="#FFFFFF" text="#000000"> Josh,<br>
                            <br>
                            There is a history (ISSA, ISC2, Apache, etc)
                            where non profit security or developer
                            organizations do not allow companies to
                            use their non-profit brand for product
                            marketing.<br>
                            <br>
                            I feel that *strongly* protecting the OWASP
                            brand from being used in commercial
                            marketing is both a part of our non-profit
                            mission (vendor neutral, non commercial) as
                            well as being one of the main roles of our
                            fiduciary duty as board members.<br>
                            <br>
                            Again, this is not just my opinion. There is
                            a great deal of precedent in this area from
                            similar organizations.<span><font color="#888888"><br>
                                - Jim<br>
                              </font></span><br>
                            PS: As a side note, The OWASP Top Ten is not
                            addressable by a product, I can explain that
                            in detail if you wish. (Just look at A5).
                            <div>
                              <div><br>
                                <br>
                                <br>
                                <br>
                                <br>
                                <div>On 11/18/14 5:53 AM, Josh Sokol
                                  wrote:<br>
                                </div>
                                <blockquote type="cite">
                                  <div dir="ltr">
                                    <div>My personal opinion is that
                                      this is fine.  The OWASP Top 10 is
                                      a published standard and Acunetix
                                      is claiming that they are capable
                                      of scanning for the issues
                                      identified in the OWASP Top 10
                                      standard.  I don't think that we
                                      should be responsible for policing
                                      whether or not they actually do
                                      what they say they do.  With that
                                      line being pretty blurry to begin
                                      with, I doubt Acunetix is the only
                                      company advertising in this
                                      manner.  And as long as they're
                                      not claiming to be "OWASP
                                      Certified", or the like, I think
                                      this is not worth pursuing.<br>
                                      <br>
                                    </div>
                                    ~josh<br>
                                  </div>
                                  <div class="gmail_extra"><br>
                                    <div class="gmail_quote">On Fri, Nov
                                      14, 2014 at 8:13 PM, Jim Manico <span dir="ltr"><<a href="mailto:jim.manico@owasp.org" target="_blank">jim.manico@owasp.org</a>></span>
                                      wrote:<br>
                                      <blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
                                        <div bgcolor="#FFFFFF" text="#000000"> Folks,<br>
                                          <br>
                                          When we do a Google search for
                                          "OWASP" I see that Acunetix is
                                          advertising that they are
                                          scanning for the OWASP Top
                                          Ten. The ad links to <a href="http://www.acunetix.com/vulnerability-scanner/scan-website-owasp-top-10-risks/" target="_blank">http://www.acunetix.com/vulnerability-scanner/scan-website-owasp-top-10-risks/</a><br>
                                          <br>
                                          I think this ad violates the
                                          following brand usage
                                          guidelines: <a href="https://www.owasp.org/index.php/Marketing/Resources#The_Brand_Usage_Rules" target="_blank">https://www.owasp.org/index.php/Marketing/Resources#The_Brand_Usage_Rules</a><br>
                                          <br>
                                          5) The OWASP Brand must not be
                                          used in a manner that suggests
                                          that The OWASP Foundation
                                          supports, advocates, or
                                          recommends any particular
                                          product or technology. <br>
                                          <br>
                                          7) The OWASP Brand must not be
                                          used in a manner that suggests
                                          that a product or technology
                                          can enable compliance with any
                                          OWASP Materials other than an
                                          OWASP Published Standard. <br>
                                          <br>
                                          and<br>
                                          <br>
                                          8) The OWASP Brand must not be
                                          used in any materials that
                                          could mislead readers by
                                          narrowly interpreting a broad
                                          application security category.
                                          For example, a vendor product
                                          that can find or protect
                                          against forced browsing must
                                          not claim that they address
                                          all of the access control
                                          category. <br>
                                          <br>
                                          <br>
                                          I would like to file this with
                                          our compliance officer, but I
                                          think he is over-burdened
                                          right now. Do you think this
                                          is a clear violation and if
                                          so, should we approach them in
                                          a gentle way with suggestions
                                          to correct this?<br>
                                          <br>
                                          Aloha,<br>
                                          Jim<br>
                                          <br>
                                          <br>
                                          <br>
                                        </div>
                                        <br>
_______________________________________________<br>
                                        Owasp-board mailing list<br>
                                        <a href="mailto:Owasp-board@lists.owasp.org" target="_blank">Owasp-board@lists.owasp.org</a><br>
                                        <a href="https://lists.owasp.org/mailman/listinfo/owasp-board" target="_blank">https://lists.owasp.org/mailman/listinfo/owasp-board</a><br>
                                        <br>
                                      </blockquote>
                                    </div>
                                    <br>
                                  </div>
                                </blockquote>
                                <br>
                              </div>
                            </div>
                          </div>
                        </blockquote>
                      </div>
                      <br>
                    </div>
                  </blockquote>
                  <br>
                </div>
              </div>
            </div>
            <br>
            <br>
          </blockquote>
        </div>
        <br>
      </div>
      <br>
    </blockquote>
    <br>
  </div></div></div>

</blockquote></div><br></div>