<html>
  <head>
    <meta content="text/html; charset=windows-1252"
      http-equiv="Content-Type">
  </head>
  <body bgcolor="#FFFFFF" text="#000000">
    <div class="moz-cite-prefix">There have been several conversations
      on that matter and a dedicated call. Unfortunately for personal
      reasons I could not attend the last call as it was at 04:00am my
      local time, but all other board members did participate. <br>
      <br>
      Could one of my fellow board members please give an update. <br>
      <br>
      Best, Tobias<br>
      <br>
      <br>
      <br>
      On 26/11/15 18:04, Timo Goosen wrote:<br>
    </div>
    <blockquote
cite="mid:CAMOWqYCy9SxxckcYTJ3nwvjXm7vwm6hSmrVqvrQQ=2fZrkS0yA@mail.gmail.com"
      type="cite">
      <div dir="ltr">I would also like to know the answer to Simon's
        question. We need to get rid of bad apples in OWASP in my
        opinion, there are too many people just using the OWASP "name"
        or "brand" to improve their own financial situation or career.
        <div><br>
        </div>
        <div>Regards.</div>
        <div>Timo</div>
      </div>
      <div class="gmail_extra"><br>
        <div class="gmail_quote">On Thu, Nov 26, 2015 at 1:13 PM,
          psiinon <span dir="ltr"><<a moz-do-not-send="true"
              href="mailto:psiinon@gmail.com" target="_blank">psiinon@gmail.com</a>></span>
          wrote:<br>
          <blockquote class="gmail_quote" style="margin:0 0 0
            .8ex;border-left:1px #ccc solid;padding-left:1ex">
            <div dir="ltr">
              <div>
                <div>
                  <div>
                    <div>
                      <div>Paul, and the rest of the board,<br>
                        <br>
                      </div>
                      It's been over 2 months since I raised this issue.<br>
                    </div>
                    What's happening?<br>
                  </div>
                  Has the board even discussed it?<br>
                  <br>
                </div>
                Cheers,<br>
                <br>
              </div>
              Simon<br>
              <div>
                <div><br>
                </div>
              </div>
            </div>
            <div class="HOEnZb">
              <div class="h5">
                <div class="gmail_extra"><br>
                  <div class="gmail_quote">On Tue, Oct 20, 2015 at 10:00
                    PM, Paul Ritchie <span dir="ltr"><<a
                        moz-do-not-send="true"
                        href="mailto:paul.ritchie@owasp.org"
                        target="_blank">paul.ritchie@owasp.org</a>></span>
                    wrote:<br>
                    <blockquote class="gmail_quote" style="margin:0 0 0
                      .8ex;border-left:1px #ccc solid;padding-left:1ex">
                      <div dir="ltr">Eoin, Johanna, All:
                        <div><br>
                        </div>
                        <div>In an earlier email, Josh Sokol mentioned
                          that he will be speaking in the next day or 2
                          to their CTO, while at LASCON, as a
                          representative of the OWASP Board.  Following
                          that feedback, the Board has action to take
                          the next steps.</div>
                        <div><br>
                        </div>
                        <div>Just an FYI that all comments are
                          recognized and action is being taken.</div>
                        <div><br>
                        </div>
                        <div>Paul</div>
                        <div><br>
                        </div>
                        <div><br>
                        </div>
                      </div>
                      <div class="gmail_extra"><br clear="all">
                        <div>
                          <div>
                            <div dir="ltr">
                              <div>
                                <div dir="ltr">
                                  <div>Best Regards, Paul Ritchie</div>
                                  <div>OWASP Executive Director</div>
                                  <div><a moz-do-not-send="true"
                                      href="mailto:paul.ritchie@owasp.org"
                                      target="_blank">paul.ritchie@owasp.org</a></div>
                                  <div><br>
                                  </div>
                                </div>
                              </div>
                            </div>
                          </div>
                        </div>
                        <div>
                          <div>
                            <br>
                            <div class="gmail_quote">On Tue, Oct 20,
                              2015 at 1:54 PM, johanna curiel curiel <span
                                dir="ltr"><<a moz-do-not-send="true"
                                  href="mailto:johanna.curiel@owasp.org"
                                  target="_blank">johanna.curiel@owasp.org</a>></span>
                              wrote:<br>
                              <blockquote class="gmail_quote"
                                style="margin:0 0 0 .8ex;border-left:1px
                                #ccc solid;padding-left:1ex">Time for
                                OWASP to make a public statement and put out a
                                clear story regarding this abusive
                                behavior toward the OWASP brand
                                <div>
                                  <div><br>
                                    <br>
                                    On Tuesday, October 20, 2015, Eoin
                                    Keary <<a moz-do-not-send="true"
                                      href="mailto:eoin.keary@owasp.org"
                                      target="_blank">eoin.keary@owasp.org</a>>
                                    wrote:<br>
                                    <blockquote class="gmail_quote"
                                      style="margin:0 0 0
                                      .8ex;border-left:1px #ccc
                                      solid;padding-left:1ex">
                                      <div dir="auto">
                                        <div>Folks,</div>
                                        <div><br>
                                        </div>
                                        <div>The project should be
                                          immediately shelved; it's
                                          simply bad form.</div>
                                        <div><br>
                                        </div>
                                        <div>This is damaging to OWASP,
                                          the industry and exactly what
                                          OWASP is not about.</div>
                                        <div><br>
                                        </div>
                                        <div>There is a clear conflict
                                          of interest and distinct lack
                                          of science behind the claims
                                          made by Contrast.</div>
                                        <div><br>
                                        </div>
                                        <div><br>
                                        </div>
                                        <div><br>
                                        </div>
                                        <div><br>
                                        </div>
                                        <div><br>
                                          <br>
                                          Eoin Keary
                                          <div>OWASP Volunteer</div>
                                          <div>@eoinkeary</div>
                                          <div><span
                                              style="font-size:13pt"><br>
                                            </span></div>
                                          <div><br>
                                          </div>
                                        </div>
                                        <div><br>
                                          On 7 Oct 2015, at 3:53 p.m.,
                                          johanna curiel curiel <<a
                                            moz-do-not-send="true">johanna.curiel@owasp.org</a>>
                                          wrote:<br>
                                          <br>
                                        </div>
                                        <blockquote type="cite">
                                          <div>At the moment we did the
                                            project review, we observed
                                            that the project did not
                                            have enough testing to be
                                            considered in any form as
                                            'ready' for benchmarking,
                                            nor that it yet had
                                            community adoption; however,
                                            technically speaking, as it
                                            has been classified by the
                                            leaders, the project is at
                                            the beta stage.
                                            <div><br>
                                            </div>
                                            <div>Indeed, Dave had the
                                              push to have the project
                                              reviewed, but it was never
                                              clear that later on the
                                              project was going to be
                                              advertised this way. That
                                              all happened after the
                                              presentation at AppSec.</div>
                                            <div><br>
                                            </div>
                                            <div>I had my concerns
                                              regarding how sensitive
                                              the subject of the
                                              project is, but I think we
                                              should allow project
                                              leaders to develop their
                                              communication strategy
                                              even if this has a conflict
                                              of interest. It all
                                              depends on how they behave
                                              and how they manage this.</div>
                                            <div><br>
                                            </div>
                                            <div><br>
                                              On Tuesday, October 6,
                                              2015, Michael Coates <<a
                                                moz-do-not-send="true">michael.coates@owasp.org</a>>
                                              wrote:<br>
                                              <blockquote
                                                class="gmail_quote"
                                                style="margin:0 0 0
                                                .8ex;border-left:1px
                                                #ccc
                                                solid;padding-left:1ex">
                                                <div dir="auto">
                                                  <div>It's not really
                                                    that formal to add
                                                    to the agenda, just
                                                    a wiki that we add
                                                    in the text. </div>
                                                  <div><br>
                                                  </div>
                                                  <div>I think you can
                                                    safely assume it
                                                    will get the
                                                    appropriate
                                                    discussion. </div>
                                                  <div><br>
                                                    On Oct 6, 2015, at
                                                    7:16 AM, psiinon
                                                    <<a
                                                      moz-do-not-send="true">psiinon@gmail.com</a>>
                                                    wrote:<br>
                                                    <br>
                                                  </div>
                                                  <blockquote
                                                    type="cite">
                                                    <div>
                                                      <div dir="ltr">
                                                        <div>
                                                          <div>
                                                          <div>Really??
                                                          It's not on the
                                                          agenda yet for
                                                          the next
                                                          meeting??</div>
                                                          <div>How does
                                                          it get added
                                                          to the agenda?<br>
                                                          </div>
                                                          And that was a
                                                          formal request
                                                          if that makes
                                                          any difference
                                                          :)<br>
                                                          </div>
                                                          I'm all in
                                                          favour of
                                                          getting the
                                                          facts straight
                                                          before any
                                                          actions are
                                                          taken, hence
                                                          my request for
                                                          an 'ethical
                                                          review' or
                                                          whatever it
                                                          should be
                                                          called.<br>
                                                          <br>
                                                        </div>
                                                        <div>Cheers,<br>
                                                          <br>
                                                        </div>
                                                        <div>Simon<br>
                                                        </div>
                                                      </div>
                                                      <div
                                                        class="gmail_extra"><br>
                                                        <div
                                                          class="gmail_quote">On
                                                          Tue, Oct 6,
                                                          2015 at 3:07
                                                          PM, Michael
                                                          Coates <span
                                                          dir="ltr"><<a
moz-do-not-send="true">michael.coates@owasp.org</a>></span> wrote:<br>
                                                          <blockquote
                                                          class="gmail_quote"
                                                          style="margin:0
                                                          0 0
                                                          .8ex;border-left:1px
                                                          #ccc
                                                          solid;padding-left:1ex">
                                                          <div
                                                          dir="auto">
                                                          <div>First
                                                          step is to get
                                                          all of our
                                                          information
                                                          straight so
                                                          we're clear on
                                                          where things
                                                          are at. </div>
                                                          <div><br>
                                                          </div>
                                                          <div>This was
                                                          not on the
                                                          board agenda
                                                          last meeting
                                                          and is also
                                                          not on the
                                                          next agenda as
                                                          of yet (of
                                                          course it
                                                          could always
                                                          be added if
                                                          needed). </div>
                                                          <div><br>
                                                          </div>
                                                          <div>We are
                                                          aware that
                                                          people have
                                                          raised
                                                          questions
                                                          though.   I'm
                                                          hoping we can
                                                          get a clear
                                                          understanding
                                                          of all the
                                                          facts and then
                                                          discuss if
                                                          changes are
                                                          needed. </div>
                                                          <div>
                                                          <div>
                                                          <div><br>
                                                          </div>
                                                          <div><br>
                                                          </div>
                                                          <div><br>
                                                          On Oct 6,
                                                          2015, at 1:52
                                                          AM, psiinon
                                                          <<a
                                                          moz-do-not-send="true">psiinon@gmail.com</a>>
                                                          wrote:<br>
                                                          <br>
                                                          </div>
                                                          <blockquote
                                                          type="cite">
                                                          <div>
                                                          <div dir="ltr">
                                                          <div>
                                                          <div>
                                                          <div>
                                                          <div>Hey
                                                          Michael,<br>
                                                          <br>
                                                          Is the board
                                                          going to take
                                                          any action?<br>
                                                          </div>
                                                          Were there any
                                                          discussions
                                                          about this
                                                          controversy in
                                                          the board
                                                          meeting at
                                                          AppSec USA?<br>
                                                          </div>
                                                          If not will it
                                                          be on the
                                                          agenda for the
                                                          meeting on
                                                          October 14th?<br>
                                                          <br>
                                                          </div>
                                                          Cheers,<br>
                                                          <br>
                                                          </div>
                                                          Simon<br>
                                                          <div>
                                                          <div>
                                                          <div>
                                                          <div><br>
                                                          </div>
                                                          </div>
                                                          </div>
                                                          </div>
                                                          </div>
                                                          <div
                                                          class="gmail_extra"><br>
                                                          <div
                                                          class="gmail_quote">On
                                                          Tue, Oct 6,
                                                          2015 at 8:25
                                                          AM, Michael
                                                          Coates <span
                                                          dir="ltr"><<a
moz-do-not-send="true">michael.coates@owasp.org</a>></span> wrote:<br>
                                                          <blockquote
                                                          class="gmail_quote"
                                                          style="margin:0
                                                          0 0
                                                          .8ex;border-left:1px
                                                          #ccc
                                                          solid;padding-left:1ex">
                                                          <div
                                                          dir="auto">
                                                          <div>Simon</div>
                                                          <div><br>
                                                          </div>
                                                          <div>I posted
                                                          the below
                                                          message
                                                          earlier today.
                                                          At this point
                                                          my goal is to
                                                          just gain
                                                          clarity over
                                                          the current
                                                          reality and
                                                          ideally drive
                                                          to a shared
                                                          state of
                                                          success. This
                                                          message
                                                          doesn't seem
                                                          to be
                                                          reflected in
                                                          the list yet.
                                                          It could be
                                                          because my
                                                          membership
                                                          hasn't been
                                                          approved or
                                                          because of
                                                          mail list
                                                          delays (I miss
                                                          Google
                                                          groups). But I
                                                          think these
                                                          questions will
                                                          start the
                                                          conversation. </div>
                                                          <div><br>
                                                          </div>
                                                          <div>(This was
                                                          just me asking
                                                          questions as a
                                                          curious OWASP
                                                          member, not
                                                          any action on
                                                          behalf of the
                                                          board)</div>
                                                          <div><br>
                                                          </div>
                                                          <div>
                                                          <div><span
                                                          style="background-color:rgba(255,255,255,0)"><br>
                                                          <br>
                                                          <br>
                                                          Begin
                                                          forwarded
                                                          message:<br>
                                                          <br>
                                                          </span></div>
                                                          <blockquote
                                                          type="cite"><font
color="#000000"><span style="background-color:rgba(255,255,255,0)"><b>From:</b> Michael
                                                          Coates <<a
moz-do-not-send="true">michael.coates@owasp.org</a>><br>
                                                          <b>Date:</b> October
                                                          5, 2015 at
                                                          6:20:23 PM PDT<br>
                                                          <b>To:</b> <a
moz-do-not-send="true">owasp-benchmark-project@lists.owasp.org</a><br>
                                                          <b>Subject:</b> <b>Project
                                                          Questions</b><br>
                                                          <br>
                                                          </span></font></blockquote>
                                                          <blockquote
                                                          type="cite">
                                                          <div dir="ltr"><font
color="#000000"><span style="background-color:rgba(255,255,255,0)">OWASP
                                                          Benchmark
                                                          List,</span></font>
                                                          <div><font
                                                          color="#000000"><span
style="background-color:rgba(255,255,255,0)"><br>
                                                          </span></font></div>
                                                          <div><font
                                                          color="#000000"><span
style="background-color:rgba(255,255,255,0)">I've heard more about this
                                                          project and am
                                                          excited about
                                                          the idea of an
                                                          independent
                                                          perspective of
                                                          tool
                                                          performance.
                                                          I'm trying to
                                                          understand a
                                                          few things to
                                                          better respond
                                                          to questions
                                                          from those in
                                                          the security
                                                          & OWASP
                                                          community.</span></font></div>
                                                          <div><font
                                                          color="#000000"><span
style="background-color:rgba(255,255,255,0)"><br>
                                                          </span></font></div>
                                                          <div><font
                                                          color="#000000"><span
style="background-color:rgba(255,255,255,0)">In my mind there are two
                                                          big areas for
                                                          consideration
                                                          in a benchmark
                                                          process.</span></font></div>
                                                          <div><font
                                                          color="#000000"><span
style="background-color:rgba(255,255,255,0)">1. Are the benchmarks
                                                          testing the
                                                          right areas?</span></font></div>
                                                          <div><font
                                                          color="#000000"><span
style="background-color:rgba(255,255,255,0)">2. Is the process for
                                                          creating the
                                                          benchmark
                                                          objective
                                                          & free
                                                          from conflicts
                                                          of interest?</span></font></div>
                                                          <div><font
                                                          color="#000000"><span
style="background-color:rgba(255,255,255,0)"><br>
                                                          </span></font></div>
                                                          <div><font
                                                          color="#000000"><span
style="background-color:rgba(255,255,255,0)">I think as a group OWASP is
                                                          the right body
                                                          to align on
                                                          #1.</span></font></div>
                                                          <div><font
                                                          color="#000000"><span
style="background-color:rgba(255,255,255,0)"><br>
                                                          </span></font></div>
                                                          <div><font
                                                          color="#000000"><span
style="background-color:rgba(255,255,255,0)">I'd like to ask for some
                                                          clarifications
                                                          on item #2. I
                                                          think it's
                                                          important to
                                                          avoid actual
                                                          conflict of
                                                          interest and
                                                          also the
                                                          appearance of
                                                          conflict of
                                                          interest. The
                                                          former is
                                                          obvious why we
                                                          mustn't have
                                                          that, the
                                                          latter is
                                                          critical so
                                                          others have
                                                          faith in the
                                                          tool, process
                                                          and outputs of
                                                          the process
                                                          when viewing
                                                          or hearing
                                                          about the
                                                          project.</span></font></div>
                                                          <div><font
                                                          color="#000000"><span
style="background-color:rgba(255,255,255,0)"><br>
                                                          </span></font></div>
                                                          <div><font
                                                          color="#000000"><span
style="background-color:rgba(255,255,255,0)"><br>
                                                          </span></font></div>
                                                          <div><font
                                                          color="#000000"><span
style="background-color:rgba(255,255,255,0)">1) Can we clarify whether
                                                          other
                                                          individuals
                                                          have submitted
                                                          meaningful
                                                          code to the
                                                          project? </span></font></div>
                                                          <div><font
                                                          color="#000000"><span
style="background-color:rgba(255,255,255,0)">Observation:</span></font></div>
                                                          <div><font
                                                          color="#000000"><span
style="background-color:rgba(255,255,255,0)">Nearly all the code commits
                                                          have come from
                                                          1 person
                                                          (project
                                                          lead).</span></font></div>
                                                          <div><a
                                                          moz-do-not-send="true"
href="https://github.com/OWASP/Benchmark/graphs/contributors"
                                                          style="background-color:rgba(255,255,255,0)"
target="_blank"><font color="#000000">https://github.com/OWASP/Benchmark/graphs/contributors</font></a></div>
                                                          <div><font
                                                          color="#000000"><span
style="background-color:rgba(255,255,255,0)"><br>
                                                          </span></font></div>
                                                          <div><font
                                                          color="#000000"><span
style="background-color:rgba(255,255,255,0)">2) Can we clarify the
                                                          contributions
                                                          of others and
                                                          their
                                                          represented
                                                          organizations?</span></font></div>
                                                          <div><font
                                                          color="#000000"><span
style="background-color:rgba(255,255,255,0)">Observation:</span></font></div>
                                                          <div><font
                                                          color="#000000"><span
style="background-color:rgba(255,255,255,0)">The acknowledgements tab
                                                          listed two
                                                          developers
                                                          (Juan Gama
                                                          & Nick
                                                          Sanidas), both
                                                          of whom work at
                                                          the same
                                                          company as the
                                                          project lead.
                                                          It seems other
                                                          people have
                                                          submitted some
                                                          small amounts
                                                          of material,
                                                          but overall it
                                                          seems all
                                                          development
                                                          has come from
                                                          the same
                                                          company.</span></font></div>
                                                          <div><font
                                                          color="#000000"><span
style="background-color:rgba(255,255,255,0)"><a moz-do-not-send="true"
                                                          href="https://www.owasp.org/index.php/Benchmark#tab=Acknowledgements"
target="_blank">https://www.owasp.org/index.php/Benchmark#tab=Acknowledgements</a><br>
                                                          </span></font></div>
                                                          <div><font
                                                          color="#000000"><span
style="background-color:rgba(255,255,255,0)"><br>
                                                          </span></font></div>
                                                          <div><font
                                                          color="#000000"><span
style="background-color:rgba(255,255,255,0)">3) Can we clarify in what
                                                          ways we've
                                                          mitigated the
                                                          potential
                                                          conflict of
                                                          interest and
                                                          also the
                                                          appearance of
                                                          a conflict of
                                                          interest? This
                                                          seems like the
                                                          largest
                                                          blocker for
                                                          widespread
                                                          acceptance of
                                                          this project
                                                          and the
                                                          biggest risk. </span></font></div>
                                                          <div><font
                                                          color="#000000"><span
style="background-color:rgba(255,255,255,0)">Observation:</span></font></div>
                                                          <div><font
                                                          color="#000000"><span
style="background-color:rgba(255,255,255,0)">The project lead and both
                                                          of the project
                                                          developers
                                                          work for a
                                                          company with
                                                          very close
                                                          ties to one of
                                                          the companies
                                                          that is
                                                          evaluated by
                                                          this project.
                                                          Further, it
                                                          appears the
                                                          company is
                                                          performing
                                                          very well on
                                                          the project
                                                          tests. </span></font></div>
                                                          <div><font
                                                          color="#000000"><span
style="background-color:rgba(255,255,255,0)"><br>
                                                          </span></font></div>
                                                          <div><font
                                                          color="#000000"><span
style="background-color:rgba(255,255,255,0)">4) If we are going to list
                                                          tool vendors
                                                          then I'd
                                                          recommend
                                                          listing
                                                          multiple
                                                          vendors for
                                                          each
                                                          category. </span></font></div>
                                                          <div><font
                                                          color="#000000"><span
style="background-color:rgba(255,255,255,0)">Observation:</span></font></div>
                                                          <div><font
                                                          color="#000000"><span
style="background-color:rgba(255,255,255,0)">The tools page only lists 1
                                                          IAST tool.
                                                          Since this is
                                                          the point of
                                                          the potential
                                                          conflict of
                                                          interest it is
                                                          important to
                                                          list numerous
                                                          IAST tools.</span></font></div>
                                                          <div><font
                                                          color="#000000"><span
style="background-color:rgba(255,255,255,0)"><a moz-do-not-send="true"
href="https://www.owasp.org/index.php/Benchmark#tab=Tool_Support_2FResults"
target="_blank">https://www.owasp.org/index.php/Benchmark#tab=Tool_Support_2FResults</a><br>
                                                          </span></font></div>
                                                          <div><font
                                                          color="#000000"><span
style="background-color:rgba(255,255,255,0)"><br>
                                                          </span></font></div>
                                                          <div><font
                                                          color="#000000"><span
style="background-color:rgba(255,255,255,0)">5) Diverse body with
                                                          multiple
                                                          points of view</span></font></div>
                                                          <div><font
                                                          color="#000000"><span
style="background-color:rgba(255,255,255,0)">Observation:</span></font></div>
                                                          <div><font
                                                          color="#000000"><span
style="background-color:rgba(255,255,255,0)">There is no indication that
                                                          multiple
                                                          stakeholders
                                                          are present to
                                                          review and
                                                          decide on the
                                                          future of this
                                                          project. If
                                                          they exist, a
                                                          new section
                                                          should be
                                                          added to the
                                                          project page
                                                          to raise
                                                          awareness. If
                                                          they don't
                                                          exist, we
                                                          should
                                                          reevaluate how
                                                          we are
                                                          obtaining an
                                                          independent
                                                          view of the
                                                          testing
                                                          process.</span></font></div>
                                                          <div><font
                                                          color="#000000"><span
style="background-color:rgba(255,255,255,0)"><br>
                                                          </span></font></div>
                                                          <div><font
                                                          color="#000000"><span
style="background-color:rgba(255,255,255,0)"><br>
                                                          </span></font></div>
                                                          <div><font
                                                          color="#000000"><span
style="background-color:rgba(255,255,255,0)">Again, I think the idea of
                                                          the project is
                                                          great. From my
                                                          perspective
                                                          clarifying
                                                          these
                                                          questions will
                                                          help ensure
                                                          the project is
                                                          not only
                                                          objective, but
                                                          also perceived
                                                          as objective
                                                          from someone
                                                          reviewing the
                                                          material.
                                                          Ultimately
                                                          this will
                                                          contribute to
                                                          the success
                                                          and growth of
                                                          the project.</span></font></div>
                                                          <div><font
                                                          color="#000000"><span
style="background-color:rgba(255,255,255,0)"><br>
                                                          </span></font></div>
                                                          <div><font
                                                          color="#000000"><span
style="background-color:rgba(255,255,255,0)">Thanks!</span></font></div>
                                                          <div><font
                                                          color="#000000"><span
style="background-color:rgba(255,255,255,0)"><br>
                                                          </span></font></div>
                                                          <span><font
                                                          color="#888888">
                                                          <div><font
                                                          color="#000000"><span
style="background-color:rgba(255,255,255,0)"><br>
                                                          </span></font></div>
                                                          <div>
                                                          <div>
                                                          <div dir="ltr">
                                                          <div dir="ltr">
                                                          <div dir="ltr">
                                                          <div dir="ltr"><font
color="#000000"><span style="background-color:rgba(255,255,255,0)">--<br>
                                                          Michael Coates</span></font></div>
                                                          <div dir="ltr">
                                                          <div><font
                                                          color="#000000"><span
style="background-color:rgba(255,255,255,0)"><br>
                                                          </span></font></div>
                                                          <div><font
                                                          color="#000000"><span
style="background-color:rgba(255,255,255,0)"><br>
                                                          </span></font></div>
                                                          <div><br>
                                                          </div>
                                                          </div>
                                                          </div>
                                                          </div>
                                                          </div>
                                                          </div>
                                                          </div>
                                                          </font></span></div>
                                                          </blockquote>
                                                          </div>
                                                          <div>
                                                          <div>
                                                          <div><br>
                                                          On Oct 2,
                                                          2015, at 1:31
                                                          AM, psiinon
                                                          <<a
                                                          moz-do-not-send="true">psiinon@gmail.com</a>>
                                                          wrote:<br>
                                                          <br>
                                                          </div>
                                                          <blockquote
                                                          type="cite">
                                                          <div>
                                                          <div dir="ltr">
                                                          <div>
                                                          <div>
                                                          <div>
                                                          <div>
                                                          <div>
                                                          <div>OK, based
                                                          on the
                                                          concerns
                                                          raised so far
                                                          I think the
                                                          board should
                                                          initiate a
                                                          review of the
                                                          OWASP
                                                          Benchmark
                                                          project.<br>
                                                          </div>
                                                          I'm not
                                                          raising a
                                                          formal
                                                          complaint
                                                          against it,
                                                          I'm just
                                                          requesting a
                                                          review.<br>
                                                          </div>
                                                          And I don't
                                                          think it needs
                                                          a 'standard'
                                                          project review
                                                          - Johanna has
                                                          already done a
                                                          very good job
                                                          of this.<br>
                                                          </div>
                                                          Not sure what
                                                          sort of review
                                                          you'd call it,
                                                          I'll leave the
                                                          naming to
                                                          others :)<br>
                                                          <br>
                                                          </div>
                                                          <div>I'm
                                                          concerned that
                                                          we have an
                                                          OWASP project
                                                          lead by a
                                                          company who
                                                          has a clear
                                                          commercial
                                                          stake in the
                                                          results.<br>
                                                          </div>
                                                          <div>Bringing
                                                          more companies
                                                          on board will
                                                          help, but I'm
                                                          still not sure
                                                          that alone
                                                          will make it
                                                          independent
                                                          enough.<br>
                                                          </div>
                                                          <div>Commercial
                                                          companies can
                                                          afford to
                                                          dedicate staff
                                                          to improving
                                                          Benchmark so
                                                          that their
                                                          products look
                                                          better.<br>
                                                          </div>
<div>Open source projects just can't do that, so we are at a distinct disadvantage.<br>
</div>
<div>Should we allow a commercially driven OWASP project whose aim could be seen to be to promote commercial software?<br>
</div>
                                                          <div>If so,
                                                          what sort of
                                                          checks and
                                                          balances does
                                                          it need?<br>
                                                          </div>
                                                          <div>Those are
                                                          the sort of
                                                          questions I'd
                                                          like an
                                                          independent
                                                          review to look
                                                          at.<br>
                                                          </div>
                                                          <div><br>
                                                          </div>
                                                          <div>I do
                                                          think there
                                                          are some
                                                          immediate
                                                          steps that
                                                          could be
                                                          taken:<br>
                                                          </div>
                                                          <ul>
<li>I'd like to see the Benchmark project page clearly state that it's at a very early stage and that the results are _not_ yet suitable for use in commercial literature.</li>
<li>I'd also like the main companies developing Benchmark to be clearly stated on the main page. If and when other companies get involved then this would actually help the project's claim of vendor independence.</li>
<li>And I'd love to see a respected co-leader added to the project who is not associated with any commercial or open source security tools :)</li>
                                                          </ul>
                                                          </div>
                                                          </div>
                                                          <div>
                                                          <div>
                                                          <div>
                                                          <div>And we
                                                          should carry
                                                          on discussing
                                                          the project on
                                                          this list - I
                                                          think such
                                                          discussions
                                                          are very
                                                          healthy, and
                                                          I'd love to
                                                          see this
                                                          project mature
                                                          to a state
                                                          where it can
                                                          be a trusted,
                                                          independent
                                                          and valued
                                                          resource.<br>
                                                          </div>
                                                          <div><br>
                                                          </div>
                                                          <div>Cheers,<br>
                                                          <br>
                                                          </div>
                                                          <div>Simon<br>
                                                          </div>
                                                          </div>
                                                          </div>
                                                          </div>
                                                          </div>
                                                          <div
                                                          class="gmail_extra"><br>
                                                          <div
                                                          class="gmail_quote">On
                                                          Thu, Oct 1,
                                                          2015 at 7:59
                                                          PM, Tobias <span
                                                          dir="ltr"><<a
moz-do-not-send="true">tobias.gondrom@owasp.org</a>></span> wrote:<br>
                                                          <blockquote
                                                          class="gmail_quote"
                                                          style="margin:0
                                                          0 0
                                                          .8ex;border-left:1px
                                                          #ccc
                                                          solid;padding-left:1ex">
                                                          <div
                                                          bgcolor="#FFFFFF"
                                                          text="#000000">
                                                          <div>@Simon: <br>
                                                          yes, the
                                                          leaders list
                                                          is the place
                                                          for your
                                                          discussions
                                                          for project
                                                          and chapter
                                                          leaders<br>
                                                          @Timo: I like
                                                          your framing
                                                          of "Don't ask
                                                          what OWASP can
                                                          do for me, ask
                                                          what I can do
                                                          for OWASP." <br>
That should be and is indeed the spirit of OWASP :-) <br>
                                                          Best regards,
                                                          Tobias
                                                          <div>
                                                          <div><br>
                                                          <br>
                                                          <br>
                                                          <br>
                                                          On 30/09/15
                                                          09:42, Timo
                                                          Goosen wrote:<br>
                                                          </div>
                                                          </div>
                                                          </div>
                                                          <div>
                                                          <div>
                                                          <blockquote
                                                          type="cite">
                                                          <div dir="ltr">I
                                                          don't know
                                                          enough about
                                                          the matter to
                                                          comment on
                                                          this case, but
                                                          I feel that
                                                          any situation
                                                          where an OWASP
                                                          project or any
                                                          OWASP
                                                          initiative for
                                                          that matter,
                                                          is using OWASP
                                                          to promote its
                                                          own business
                                                          interests
                                                          should be
                                                          stopped.  We
                                                          need to get
                                                          rid of bad
                                                          apples in
                                                          OWASP.
                                                          <div><br>
                                                          </div>
                                                          <div>OWASP is
                                                          becoming a
                                                          brand if you
                                                          would like to
                                                          think of it
                                                          that way and
                                                          we are going
                                                          to see many
                                                          more cases of
                                                          people trying
                                                          to use OWASP
                                                          to spread
                                                          their business
                                                          interests. At
                                                          the end of the
                                                          day everyone
                                                          should be
                                                          acting with an
                                                          attitude
                                                          of:"Don't ask
                                                          what OWASP can
                                                          do for me, ask
                                                          what I can do
                                                          for OWASP?"</div>
                                                          <div><br>
                                                          </div>
                                                          <div><br>
                                                          </div>
                                                          <div><br>
                                                          </div>
                                                          <div>Regards.</div>
                                                          <div>Timo</div>
                                                          </div>
                                                          <div
                                                          class="gmail_extra"><br>
                                                          <div
                                                          class="gmail_quote">On
                                                          Wed, Sep 30,
                                                          2015 at 11:48
                                                          AM, psiinon <span
                                                          dir="ltr"><<a
moz-do-not-send="true">psiinon@gmail.com</a>></span> wrote:<br>
                                                          <blockquote
                                                          class="gmail_quote"
                                                          style="margin:0
                                                          0 0
                                                          .8ex;border-left:1px
                                                          #ccc
                                                          solid;padding-left:1ex">
                                                          <div dir="ltr">
                                                          <div>
                                                          <div>So, a
                                                          load of
                                                          controversy
                                                          about OWASP
                                                          Benchmark on
                                                          twitter, but
                                                          no discussion
                                                          on the leaders
                                                          list :(<br>
                                                          </div>
                                                          Is this now
                                                          the wrong
                                                          place to
                                                          discuss OWASP
                                                          projects??<br>
                                                          <br>
                                                          </div>
                                                          Simon<br>
                                                          <div>
                                                          <div><br>
                                                          </div>
                                                          </div>
                                                          </div>
                                                          <div
                                                          class="gmail_extra"><br>
                                                          <div
                                                          class="gmail_quote">On
                                                          Thu, Sep 24,
                                                          2015 at 10:36
                                                          AM, psiinon <span
                                                          dir="ltr"><<a
moz-do-not-send="true">psiinon@gmail.com</a>></span> wrote:<br>
                                                          <blockquote
                                                          class="gmail_quote"
                                                          style="margin:0
                                                          0 0
                                                          .8ex;border-left:1px
                                                          #ccc
                                                          solid;padding-left:1ex">
                                                          <div dir="ltr">
                                                          <div>
                                                          <div>
                                                          <div>Hi folks,<br>
                                                          <br>
                                                          I've got some
                                                          concerns about
                                                          the OWASP
                                                          Benchmark
                                                          project.<br>
                                                          <br>
                                                          I _like_
                                                          benchmarks,
                                                          and I'm very
                                                          pleased to see
                                                          an active
                                                          OWASP project
                                                          focused on
                                                          delivering
                                                          one.<br>
I think the project has some technical limitations, but that's fine given the stage the project is at, ie _very_ early.<br>
I don't think that any firm conclusions should be drawn from it until it's been significantly enhanced.<br>
                                                          <br>
                                                          My concerns
                                                          are around the
                                                          marketing that
                                                          one of the
                                                          companies
                                                          sponsoring the
                                                          Benchmark
                                                          project has
                                                          started using.<br>
                                                          <br>
                                                          Here we have a
                                                          company that
                                                          leads an OWASP
                                                          project that
                                                          just happens
                                                          to show that
                                                          their offering
                                                          in this area
                                                          appears to be
                                                          _significantly_
                                                          better than
                                                          any of the
                                                          competition.<br>
Their recent press release stresses that it's an OWASP project, makes the most of the fact that the US DHS helped fund it, but makes no mention of their role in developing it.<br>
                                                          <br>
                                                          Regardless of
                                                          the accuracy
                                                          of the
                                                          results, it
                                                          seems like a
                                                          huge conflict
                                                          of interest :(<br>
                                                          <br>
                                                          It appears
                                                          that I'm not
                                                          the only one
                                                          with concerns
                                                          related to the
                                                          project:<br>
                                                          <br>
                                                          <a
                                                          moz-do-not-send="true"
href="https://www.veracode.com/blog/2015/09/no-one-technology-silver-bullet"
target="_blank">https://www.veracode.com/blog/2015/09/no-one-technology-silver-bullet</a><br>
                                                          <br>
                                                          </div>
                                                          What do other
                                                          people think?<br>
                                                          <br>
                                                          </div>
                                                          Cheers,<br>
                                                          <br>
                                                          </div>
                                                          Simon<span><font
color="#888888"><span><font color="#888888"><br clear="all">
                                                          <div>
                                                          <div>
                                                          <div>
                                                          <div><br>
                                                          -- <br>
                                                          <div><a
                                                          moz-do-not-send="true"
href="https://www.owasp.org/index.php/ZAP" target="_blank">OWASP ZAP</a>
                                                          Project leader<br>
                                                          </div>
                                                          </div>
                                                          </div>
                                                          </div>
                                                          </div>
                                                          </font></span></font></span></div>
                                                          <span><font
                                                          color="#888888">
                                                          </font></span></blockquote>
                                                          </div>
                                                          <span><font
                                                          color="#888888"><br>
                                                          <br
                                                          clear="all">
                                                          <br>
                                                          -- <br>
                                                          <div><a
                                                          moz-do-not-send="true"
href="https://www.owasp.org/index.php/ZAP" target="_blank">OWASP ZAP</a>
                                                          Project leader<br>
                                                          </div>
                                                          </font></span></div>
                                                          <br>
_______________________________________________<br>
                                                          OWASP-Leaders
                                                          mailing list<br>
                                                          <a
                                                          moz-do-not-send="true">OWASP-Leaders@lists.owasp.org</a><br>
                                                          <a
                                                          moz-do-not-send="true"
href="https://lists.owasp.org/mailman/listinfo/owasp-leaders"
                                                          rel="noreferrer"
target="_blank">https://lists.owasp.org/mailman/listinfo/owasp-leaders</a><br>
                                                          <br>
                                                          </blockquote>
                                                          </div>
                                                          <br>
                                                          </div>
                                                          <br>
                                                          </blockquote>
                                                          <br>
                                                          </div>
                                                          </div>
                                                          </div>
                                                          </blockquote>
                                                          </div>
                                                          <br>
                                                          <br
                                                          clear="all">
                                                          <br>
                                                          -- <br>
                                                          <div><a
                                                          moz-do-not-send="true"
href="https://www.owasp.org/index.php/ZAP" target="_blank">OWASP ZAP</a>
                                                          Project leader<br>
                                                          </div>
                                                          </div>
                                                          </div>
                                                          </blockquote>
                                                          </div>
                                                          </div>
                                                          </div>
                                                          </blockquote>
                                                          </div>
                                                          <br>
                                                          <br
                                                          clear="all">
                                                          <br>
                                                          -- <br>
                                                          <div><a
                                                          moz-do-not-send="true"
href="https://www.owasp.org/index.php/ZAP" target="_blank">OWASP ZAP</a>
                                                          Project leader<br>
                                                          </div>
                                                          </div>
                                                          </div>
                                                          </blockquote>
                                                          </div>
                                                          </div>
                                                          </div>
                                                          </blockquote>
                                                        </div>
                                                        <br>
                                                        <br clear="all">
                                                        <br>
                                                        -- <br>
                                                        <div><a
                                                          moz-do-not-send="true"
href="https://www.owasp.org/index.php/ZAP" target="_blank">OWASP ZAP</a>
                                                          Project leader<br>
                                                        </div>
                                                      </div>
                                                    </div>
                                                  </blockquote>
                                                </div>
                                              </blockquote>
                                            </div>
                                          </div>
                                        </blockquote>
                                        <blockquote type="cite">
                                          <div><span>_______________________________________________</span><br>
                                            <span>Owasp-board mailing
                                              list</span><br>
                                            <span><a
                                                moz-do-not-send="true">Owasp-board@lists.owasp.org</a></span><br>
                                            <span><a
                                                moz-do-not-send="true"
                                                href="https://lists.owasp.org/mailman/listinfo/owasp-board"
                                                target="_blank">https://lists.owasp.org/mailman/listinfo/owasp-board</a></span><br>
                                          </div>
                                        </blockquote>
                                      </div>
                                    </blockquote>
                                  </div>
                                </div>
                              </blockquote>
                            </div>
                            <br>
                          </div>
                        </div>
                      </div>
                    </blockquote>
                  </div>
                  <br>
                  <br clear="all">
                  <br>
                  -- <br>
                  <div><a moz-do-not-send="true"
                      href="https://www.owasp.org/index.php/ZAP"
                      target="_blank">OWASP ZAP</a> Project leader<br>
                  </div>
                </div>
              </div>
            </div>
          </blockquote>
        </div>
        <br>
      </div>
      <br>
    </blockquote>
    <br>
  </body>
</html>