<div dir="ltr"><div>I don't know what qualifies as "significant" in your mind, but my understanding is that there have been contributions from other vendors:<br><br><a href="https://www.owasp.org/index.php/Benchmark#tab=Acknowledgements">https://www.owasp.org/index.php/Benchmark#tab=Acknowledgements</a><br><br></div><div>Still, Dave would like more, but he can't force them to help.<br></div><div><br></div>~josh<br></div><div class="gmail_extra"><br><div class="gmail_quote">On Fri, Nov 27, 2015 at 1:45 PM, Tony Turner <span dir="ltr"><<a href="mailto:tony.turner@owasp.org" target="_blank">tony.turner@owasp.org</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><p dir="ltr">While I can appreciate that they started with Contrast, if there hasn't been significant effort to include other vendors it's a worthless benchmark. It's easy to state you haven't gotten support from other vendors and that's fine, but until you do there's really nothing to release. Why was it ever upgraded? Talking about the results without an accurate comparative analysis is akin to snake oil. </p>
<div class="gmail_quote">On Nov 27, 2015 1:49 PM, "Josh Sokol" <<a href="mailto:josh.sokol@owasp.org" target="_blank">josh.sokol@owasp.org</a>> wrote:<br type="attribution"><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr"><div><div>Thank you for the links to those articles.  The first one discusses the strengths and weaknesses of the different methods of evaluating for application vulnerabilities.  The section on the Benchmark seems wholly appropriate to me.  That seems like an excellent description of what the project is designed to do.  I see some metrics in there about which tools are more effective on which types of vulnerabilities, but I don't see him straight up saying "The OWASP Benchmark proves that Contrast is better".  This seems like statements made based on some level of testing and research.  Honestly, I don't see any OWASP brand abuse in that article.  Whether it's in good taste or not at this stage in the project is certainly debatable, but if you look at the brand usage guidelines (<a href="https://www.owasp.org/index.php/Marketing/Resources#tab=BRAND_GUIDELINES" target="_blank">https://www.owasp.org/index.php/Marketing/Resources#tab=BRAND_GUIDELINES</a>), I don't see any violations.  We need to govern to policy here which is why Paul and Noreen are evaluating changes to the guidelines and our enforcement policies to make abuse more difficult.<br><br></div>The second article is a competing vendor's reaction to the first.  He makes some good points about the issues with Benchmark, but he also says that he hopes that it will be improved over time, and Dave has committed to that.  What I don't see is the vendor saying "...and Veracode has committed resources to help make the Benchmark more accurate across all tool sets".  The Benchmark page is pretty clear that it does its best to provide a benchmark without working exactly like a real-world application.  
Maybe some more disclaimer text about where the project is at today would be in order to validate some of Chris' concerns, but I hardly see this as "brand abuse" or a reason to demote the project.<br><br></div><div>Please consider that I have spoken with both Dave and Jeff on this topic and read much of the discussions around it before formulating my opinion.  I doubt that you have done the same so I'm not sure how you can claim that you have researched the issues and all parties involved when you haven't even spoken with the two people whom you are accusing of impropriety.  I have no bias here.  I am simply speaking with the individuals involved, looking at the current OWASP policies and guidelines, and helping to determine our next steps.  <br></div><div><br></div>~josh<br></div><div class="gmail_extra"><br><div class="gmail_quote">On Fri, Nov 27, 2015 at 12:22 PM, johanna curiel curiel <span dir="ltr"><<a href="mailto:johanna.curiel@owasp.org" target="_blank">johanna.curiel@owasp.org</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr"><span style="font-size:13px">>>While I agree with you that there has been some brand abuse, it was abuse by Contrast (specifically their marketing department), and not by "these gentlemen" as you state. </span><div><br></div><div>Really? 
..'some brand abuse'..this is more than brand abuse<br><div><span style="font-size:13px"><br></span></div><div><span style="font-size:13px">Josh, please read also the article written by Jeff</span></div></div><div><a href="http://www.darkreading.com/vulnerabilities---threats/why-its-insane-to-trust-static-analysis/a/d-id/1322274" target="_blank">http://www.darkreading.com/vulnerabilities---threats/why-its-insane-to-trust-static-analysis/a/d-id/1322274</a>?<span style="font-size:13px"><br></span></div><div><span style="font-size:13px"><br></span></div><div>And Veracode's reaction including others in Twitter</div><div><a href="https://www.veracode.com/blog/2015/09/no-one-technology-silver-bullet" target="_blank">https://www.veracode.com/blog/2015/09/no-one-technology-silver-bullet</a><br></div><div><br></div><div>My strong advice is to research the issues and all the parties involved before making statements</div><div><br></div><div><br></div><div><br></div></div><div class="gmail_extra"><br><div class="gmail_quote">On Fri, Nov 27, 2015 at 2:07 PM, Josh Sokol <span dir="ltr"><<a href="mailto:josh.sokol@owasp.org" target="_blank">josh.sokol@owasp.org</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr"><div><div>Jim,<br><br></div>A concern was expressed to the Board and, frankly, I am insulted by you saying that this was "brushed under the rug".  The Board delegated Matt to talk with Dave and they had a lengthy conversation on the subject.  The Board delegated me to talk with Jeff and we had a lengthy conversation on the subject.  If you do not trust in our abilities to read people, ask the right 
questions, and provide honest feedback about our conversations, then 
that's a bigger issue that we should take offline.  After our conversations, we took the time to call a special two-hour session of the Board in order to discuss this subject (and only this subject).  We spoke about all facets of the issue at hand, about the challenges and possible solutions, and concluded on some very concrete next steps.  <br><br>While I agree with you that there has been some brand abuse, it was abuse by Contrast (specifically their marketing department), and not by "these gentlemen" as you state.  Unless you can point to some sort of evidence showing that Jeff and/or Dave first-hand abused the brand, then I believe that you are speaking with your heart instead of with your head.  I appreciate your passion, but I label this as conspiracy theory because without evidence to support your claims, I cannot accept it as anything other.<span><font color="#888888"><br><br></font></span></div><span><font color="#888888">~josh <br></font></span></div><div><div><div class="gmail_extra"><br><div class="gmail_quote">On Fri, Nov 27, 2015 at 11:39 AM, Jim Manico <span dir="ltr"><<a href="mailto:jim.manico@owasp.org" target="_blank">jim.manico@owasp.org</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="auto"><div>Josh,</div><div><br></div><div>I stand by my comments and perspective, but I'm disheartened that you consider my presentation of facts (and the concerns of many active members of our community) as a "conspiracy theory".</div><div><br></div><div>In my experience, these kind of comments border on insults and only cause folks to harden their opinions.<br><br>Once again I feel these gentlemen got away with a kind of brand abuse that is very hurtful to the OWASP community but I am at a loss as to how handle or prevent these kinds of mishaps - especially when board members like yourself seem willing to - from what I see - brush it under the 
rug.</div><span><div><br></div><div><div>--</div><div>Jim Manico</div><div><div><div style="word-wrap:break-word"><div><span style="background-color:rgba(255,255,255,0)">Global Board Member</span></div><span style="background-color:rgba(255,255,255,0)">OWASP Foundation</span><div><a href="https://www.owasp.org/" style="background-color:rgba(255,255,255,0)" target="_blank"><font color="#000000">https://www.owasp.org</font></a></div></div></div><div><span style="background-color:rgba(255,255,255,0)">Join me in Rome for AppSecEU 2016!</span></div></div></div></span><div><div><div><br>On Nov 27, 2015, at 7:23 PM, Josh Sokol <<a href="mailto:josh.sokol@owasp.org" target="_blank">josh.sokol@owasp.org</a>> wrote:<br><br></div><blockquote type="cite"><div><div dir="ltr"><div><div><div><div><div><div>Admittedly, this was my gut reaction at first as well.  I began linking all of these companies, people, and projects together in my mind (there are some loose links there) and painted a big conspiracy picture similar to what Jim and Dinis have stated.  But, after speaking directly with Jeff, and hearing about the conversation that Dave and Matt had, I've changed my mind.  <br><br></div>I think it begins with the project itself.  If you aren't sold on the idea of the Benchmark, then you'll never be able to get to the same place.  My original line of thinking was that it was just a bar for vendors to compare their tools against each other, but that's a bit myopic.  We are in an industry where things evolve very quickly.  As a customer of these tools, I know firsthand that something that a tool does today may not be the case a week from now.  Likewise, new features are being added daily and I need a point-in-time metric to be able to gauge continual effectiveness.  Cool, right?  But not a game changer.  The game changer part comes when you realize that by developing and evolving the tests that go into the Benchmark, we are moving the bar higher and higher.  
We (OWASP) are effectively setting the standard by which these tools will be compared.  A tool that receives a lower score on the Benchmark today knows exactly what they need to work on in order to pass that test tomorrow and we already have examples of tools that have made improvements because of their Benchmark score (Ask Simon about ZAP's experience with the Benchmark).  I don't think that anyone can argue that the Benchmark project isn't being effective when OWASP's own tools are being driven forward as a result of using it.<br><br></div>But, but, but, Dave and Jeff own Aspect and have stock in Contrast and Jeff is the Contrast CTO and Contrast got good scores so it's a conspiracy right?  Is there some code that allows Contrast to use the Benchmark?  Absolutely.  Can you really blame Dave for starting his testing on the effectiveness of the Benchmark with a tool that he owned and is familiar with?  If I were going to start a similar project, there's no question in my mind that I would begin my testing with the tools that I have available to me.  That said, is there code that allows other tools to use the Benchmark?  Absolutely.  <br><br></div>Regarding "Dave has a history of breaching his duty to be vendor neutral", while I cannot comment on his past actions, I can judge what we've seen recently.  Matt saw a presentation from Dave on the Benchmark at a conference in Chicago.  He said that he felt that the message was appropriate and while IAST tools were mentioned as receiving higher scores, it wasn't a "Contrast is the best" type of message, more of a generality.  I saw a very similar (if not the same) talk by Jeff at LASCON 2015 and the message was exactly the same.  I watched the talk expecting some sort of impropriety, but found none.  
So, perhaps Dave has abused some privilege granted to him in the past, but what I've seen from him at this point, with respect to the Benchmark, has been appropriate.<br><br></div>You have a very good point with respect to the Contrast marketing message around the Benchmark.  It's been completely absurd, over the top, and, in my personal opinion, intolerable.  In fact, I experienced the same thing that you talked about with them at LASCON 2015 where they stood in front of the door of the room Jeff was speaking in and scanned attendees as they went into the talk.  I agree that these types of aggressive marketing tactics cannot be tolerated at OWASP.  In addition, we have seen several marketing messages from them effectively implying that OWASP endorses Contrast.  Clearly this is not OK.  I've spoken with Jeff about it and we agreed that it is not in the Benchmark's best interest to have this aggressive Contrast marketing around it at such an early stage.  He has said that he is not responsible for Contrast's marketing team, but that he would speak with the people who are.  I haven't seen a single message from them since so I'm guessing that he's made good on this promise.  While that's an excellent start, OWASP's takeaway here should be that we need to do a better job with our brand usage guidelines both in terms of the wording and enforcement.  There are many other companies out there that use the OWASP brand and I think that we agree that selective enforcement against Contrast is not the right answer.  Paul and Noreen are actively working on this.  Either way, I think that implying that activities from a vendor's marketing department means that the project is not objective is not inappropriate.  If we feel that the project is not objective, then separate measures need to be taken to drive contribution diversity into it.  That I absolutely agree with and the message from Dave was that he would love to have more contributors to his project.  
But, seeing as we cannot force people to work on it, this becomes a matter of "put up or shut up".  The same goes for the experts that you said reviewed the code.  If they feel that it is somehow skewed towards Contrast, they have the power to change that.  Now, if someone tries to participate and Dave tells them "No thanks", then I agree we have a problem, but I don't hear anyone inferring that happened.<br><br></div>Please, let's drop the conspiracy theories and focus on the tangible things that we can do to help an OWASP project to be more successful.  Help find more participants to drive diversity, update our brand usage guidelines to prevent abuse, enforce them widely, etc.  Thank you.<br><br></div>~josh<br></div><div class="gmail_extra"><br><div class="gmail_quote">On Thu, Nov 26, 2015 at 4:24 PM, Jim Manico <span dir="ltr"><<a href="mailto:jim.manico@owasp.org" target="_blank">jim.manico@owasp.org</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="auto"><div>Dinis,</div><div><br></div><div>Like a rare celestial moment when all the planets plus Pluto are aligned, I just read your email on the future of OWASP projects thinking, "Dinis is spot on".</div><div><br></div><div>Reflecting on projects I manage or work on...</div><div><br></div><div>The Java Encoder and HTML Sanitizer are likely best moved to Apache now that they have reached a measure of adoption and maturity. Apache would be a much better long term custodian. Perhaps the same for AppSensor, but not my project - just thinking out loud.</div><div><br></div><div>Other similar defensive projects are still being noodled on, so OWASP is a decent home for these research efforts.</div><div><br></div><div>The whole tools category is also something to consider. Dependency Check and of course ZAP are some of the best projects that OWASP offers, are they best served where they are today? 
Both have rich communities of developers but I don't see the foundation doing much to support these efforts.</div><div><br></div><div>ASVS has the opportunity to effect massive change, I would love to see major investment and volunteer activity here. Pro tech writer, detailed discourses on each individual requirement, etc. If I were king (and I am not, at all) I would invest in ASVS on a 6 figure scale. (And who started ASVS? Jeff, Dave and Boberski, hat tip to such a marvelous idea). Or maybe moving ASVS to the W3C or IETF would help it grow?</div><div><br></div><div>The Proactive Controls was a pet project but as we approach 2.0 we have several active/awesome volunteers working on it. We will be making the doc "world editable" to make contributions easy. OWASP seems like a good home for such an awareness doc. Same with T10, especially if community edits are welcome.</div><div><br></div><div>Anyhow, I'm with you on this Dinis. Once a project starts to reach production quality, spinning off the project as an external project or moving it to a different foundation where managing production software or formal standards is their thing seems realistic.</div><div><br></div><div>I don't have all the answers here, but your email certainly resonated with me.</div><div><br></div><div>Aloha,</div><div><div>--</div><div>Jim Manico</div><div><div><div style="word-wrap:break-word"><div><span style="background-color:rgba(255,255,255,0)">Global Board Member</span></div><span style="background-color:rgba(255,255,255,0)">OWASP Foundation</span><div><a href="https://www.owasp.org/" style="background-color:rgba(255,255,255,0)" target="_blank"><font color="#000000">https://www.owasp.org</font></a></div></div></div><div><span style="background-color:rgba(255,255,255,0)">Join me in Rome for AppSecEU 2016!</span></div></div></div><div><br>On Nov 26, 2015, at 11:26 PM, Dinis Cruz <<a href="mailto:dinis.cruz@owasp.org" target="_blank">dinis.cruz@owasp.org</a>> 
wrote:<br><br></div><blockquote type="cite"><div><div dir="ltr">Jim's reading of this situation is exactly my view on the value of the Contrast tool and how it has been 'pushing' the rules of engagement to a very 'fuzzy' moral/ethical/commercial limit :)<div><br></div><div>As per my last email, a key problem here is the 'perceived expectation' of what is an OWASP project, and how it should be consumed.</div><div><br></div><div>If you look at the OWASP benchmark as a research project, then the only way it could be making the kind of claims it makes (and have credibility) is if it had evolved from OWASP, with its own (diverse) community </div></div><div class="gmail_extra"><br><div class="gmail_quote">On 26 November 2015 at 21:01, Jim Manico <span dir="ltr"><<a href="mailto:jim.manico@owasp.org" target="_blank">jim.manico@owasp.org</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="auto"><div>I have a different take on this situation but my opinion is the "minority opinion". I will respect the rest of the board's take on this, but here is how I see it.</div><div><br></div><div>First of all, Jeff has stated that he feels I am attacking him personally from a past personal grudge, and frankly I do not fault him for that perspective since we definitely have history with conflict. So it's fair to take my opinion on this with a grain of salt.</div><div><br></div><div>I look at this situation from the perspective of a forensic investigator.</div><div><br></div><div>1) The Benchmark project had Contrast hooks and only Contrast hooks in it when I reviewed it so this leads me to believe that the project was clearly built with Contrast in mind from the ground up, at least in some way.</div><div>2) Dave has a history of breaching his duty to be vendor neutral. 
He was gifted with a keynote in South Korea a few years ago, and used that opportunity to discuss and pitch Contrast, on stage, during a keynote - with Contrast-specific slides. This is just supporting evidence of his intention at OWASP to push Contrast in ways that I think are against the intentions and goals of our foundation.</div><div>3) Other experts have reviewed the project and felt that many of the tests were very slanted and almost contrived to support Contrast. I can drag those folks into this conversation, but I do not think that would help in any way. So it's fair to call this point hearsay. </div><div>4) I do not see this project as revolutionary, at all. Every vendor has their own test suite tuned for their tool. As the benchmark stands today, I see it as just another vendor's product-specific benchmark. Mass collaboration from many vendors is not just a "nice to have" but a base requirement to get even close to useful for objective tool measurement.</div><div>5) Jeff stating that his Marketing people went over the line is also an admission that - well, they went over the line. By the same token Jeff was in his booth at AppSec USA surrounded by benchmark marketing material, discussing this to prospects and he even asked me and Mr Coates to wade into this debate and support Dave. So to say he was not involved and it was only his marketing people seems a stretch at best.</div><div>6) The Contrast marketing team was wandering around the conference zapping folks to get leads, and I asked them to stay in their booth, which is standard conference policy. These folks know better but are again going over the line to sell product at OWASP. 
There is a better way (like focusing on product capability and language support, have consistent + stellar customer service, have a humble and gracious attitude to all prospects and customers, actively participate in OWASP in a vendor neutral and community supportive way, etc).</div><div><br></div><div>Please note, I think Contrast is a decent tool, I've offered to resell in the past, and I have recommended it in certain situations - even after this situation arose. I'm stating this out of honesty and desire to put my cards on the table. I truly want Jeff and Dave to be successful. They have dedicated their lives to AppSec and if anyone should win big-time, I hope it's them. I even told Jeff I hope he hits the mother lode and donates a little back to OWASP.</div><div><br></div><div>However, my instinct and evidence tell me that they both went over the line in the use of the OWASP brand to sell product.</div><div><br></div><div>Now, Jeff makes a good point. We as a board and staff are very poor at enforcing brand management policy and it's not fair to single out Contrast, when many other vendors violate the brand, IMO. Just google OWASP and watch the ads fly that use the OWASP name to sell product.</div><div><br></div><div>Also, any and every request that was made of Dave to adjust the project for the sake of vendor neutrality was taken very seriously. Regardless of Dave's past intentions, he is clearly trying to do the right thing moving forward.</div><div><br></div><div>I look to "Postel's principle" in this situation (this is otherwise known as the "robustness principle" and dates back to the creation of TCP). This is paraphrased as, "Be liberal in what you take from others but be conservative in what you dish out". So I think it's critical that OWASP and any OWASP resource present itself in a strict vendor neutral way. 
But unless OWASP wants to be much more "even" in the enforcement of brand policy across the board to all violators, we should be fairly lax in the enforcement of these issues from the outside world.</div><div><br></div><div>I am trying to be objective here. My trigonometry teacher once told me "I'd fail my mother" when I asked him if he would ever fail me (I was an A student). If my mother owned a security company and tried the same stunt, I'd have the same opinions about her actions as well. </div><div><br></div><div>So what next? Well hello from the other side. I'm going back to listening to Adele's new album where I can sit in my deep feelings and reflect upon what the OWASP foundation has done to enrich my life. I would much rather keep out of this (and any other conflict laden situation at OWASP), but I feel it's my responsibility to speak up.</div><div><br></div><div>Aloha,<br><div><div>--</div><div>Jim Manico</div><div><div><div style="word-wrap:break-word"><div><span style="background-color:rgba(255,255,255,0)">Global Board Member</span></div><span style="background-color:rgba(255,255,255,0)">OWASP Foundation</span><div><a href="https://www.owasp.org/" style="background-color:rgba(255,255,255,0)" target="_blank"><font color="#000000">https://www.owasp.org</font></a></div></div></div><div><span style="background-color:rgba(255,255,255,0)">Join me in Rome for AppSecEU 2016!</span></div></div></div></div><div><br>On Nov 26, 2015, at 9:09 PM, Josh Sokol <<a href="mailto:josh.sokol@owasp.org" target="_blank">josh.sokol@owasp.org</a>> wrote:<br><br></div><blockquote type="cite"><div><div dir="ltr"><div><div>I would be happy to provide an update.<br><ul><li>Matt Konda and Dave Wichers, the Benchmark Project Leader, had a conversation a few weeks back.  To summarize their conversation, Dave acknowledges the current lack of diversity in his project and it is his sincere desire to drive more people to it to help.  
He also acknowledges the issues with Contrast's extreme marketing around the project and feels that it is in everyone's best interests for them to curb it back.  While he does have an ownership stake in Contrast, he works at Aspect and has no control over the marketing messages that they are putting out there.  From the Board perspective, there has been no evidence of any impropriety on Dave's part and it should be our goal to drive more diversity into the project to support Dave.  Dave appears to be sincere in his desires to create a tool where OWASP can tell vendors what we expect from their tools.  If the main issue is that only members of Aspect are working on it, then the best thing that we can do is try to get him some outside assistance.  We are also asking that the project be opened up to commits via Git so that outsiders can push commits to it.<br></li><li>Josh Sokol and Jeff Williams, the CTO of Contrast, had a conversation a few weeks back.  To summarize their conversation, Jeff believes that the work that Dave is doing on the Benchmark is a game changer in that it gives OWASP the power in dictating what these tools need to be finding.  He wants the Benchmark to be successful and understands that it needs to be diverse in order to be trusted.  He recognizes that Dave is trying to do that and does not want the marketing message from Contrast to interfere with his efforts.  Jeff felt that the "Lab" status granted to Benchmark meant that it was ready for mainstream adoption, that it had 21k tests, and was almost a year old, and didn't see anything wrong with marketing their results, but has agreed to talk to their marketing team to get them to lay off that message for now.  From the Board perspective, we have come to the realization that our brand usage guidelines need an overhaul to clarify what is and is not allowed.  We have made a few proposals and have reached out to Mozilla to gain more insight on their guidelines and even ask for assistance.  
Noreen and Paul are taking lead on these efforts.</li><li>There is a note in the notes that the Board was supposed to follow up with an open letter to the community and companies involved describing our review and actions.  I don't think that has happened so I will remind the person who took on that action item.</li></ul></div>I'm happy to answer any questions that you may have.<br><br></div>~josh<br></div><div class="gmail_extra"><br><div class="gmail_quote">On Thu, Nov 26, 2015 at 11:55 AM, Tobias <span dir="ltr"><<a href="mailto:tobias.gondrom@owasp.org" target="_blank">tobias.gondrom@owasp.org</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
  
    
  
  <div bgcolor="#FFFFFF" text="#000000">
    <div>There have been several conversations
      on that matter and a dedicated call. Unfortunately for personal
      reasons I could not attend the last call as it was at 04:00am my
      local time, but all other board members did participate. <br>
      <br>
      Could please one of my fellow board members give an update. <br>
      <br>
      Best, Tobias<br>
      <br>
      <br>
      <br>
      On 26/11/15 18:04, Timo Goosen wrote:<br>
    </div>
    <blockquote type="cite">
      <div dir="ltr">I would also like to know the answer to Simon's
        question. We need to get rid of bad apples in OWASP in my
        opinion, there are too many people just using the OWASP "name"
        or "brand" to improve their own financial situation or career.
        <div><br>
        </div>
        <div>Regards.</div>
        <div>Timo</div>
      </div>
      <div class="gmail_extra"><br>
        <div class="gmail_quote">On Thu, Nov 26, 2015 at 1:13 PM,
          psiinon <span dir="ltr"><<a href="mailto:psiinon@gmail.com" target="_blank">psiinon@gmail.com</a>></span>
          wrote:<br>
          <blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
            <div dir="ltr">
              <div>
                <div>
                  <div>
                    <div>
                      <div>Paul, and the rest of the board,<br>
                        <br>
                      </div>
                      It's been over 2 months since I raised this issue.<br>
                    </div>
                    What's happening?<br>
                  </div>
                  Has the board even discussed it?<br>
                  <br>
                </div>
                Cheers,<br>
                <br>
              </div>
              Simon<br>
              <div>
                <div><br>
                </div>
              </div>
            </div>
            <div>
              <div>
                <div class="gmail_extra"><br>
                  <div class="gmail_quote">On Tue, Oct 20, 2015 at 10:00
                    PM, Paul Ritchie <span dir="ltr"><<a href="mailto:paul.ritchie@owasp.org" target="_blank">paul.ritchie@owasp.org</a>></span>
                    wrote:<br>
                    <blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
                      <div dir="ltr">Eoin, Johanna, All:
                        <div><br>
                        </div>
                        <div>In an earlier email, Josh Sokol mentioned
                          that he will be speaking in the next day or 2
                          to their CTO, while at LASCON, as a
                          representative of the OWASP Board.  Following
                          that feedback, the Board has action to take
                          the next steps.</div>
                        <div><br>
                        </div>
                        <div>Just an FYI that all comments are
                          recognized and action is being taken.</div>
                        <div><br>
                        </div>
                        <div>Paul</div>
                        <div><br>
                        </div>
                        <div><br>
                        </div>
                      </div>
                      <div class="gmail_extra"><br clear="all">
                        <div>
                          <div>
                            <div dir="ltr">
                              <div>
                                <div dir="ltr">
                                  <div>Best Regards, Paul Ritchie</div>
                                  <div>OWASP Executive Director</div>
                                  <div><a href="mailto:paul.ritchie@owasp.org" target="_blank">paul.ritchie@owasp.org</a></div>
                                  <div><br>
                                  </div>
                                </div>
                              </div>
                            </div>
                          </div>
                        </div>
                        <div>
                          <div>
                            <br>
                            <div class="gmail_quote">On Tue, Oct 20,
                              2015 at 1:54 PM, johanna curiel curiel <span dir="ltr"><<a href="mailto:johanna.curiel@owasp.org" target="_blank">johanna.curiel@owasp.org</a>></span>
                              wrote:<br>
                                <blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">Time for
                                 OWASP to do a public statement and put a
                                 clear story regarding this abusive
                                 behavior of the OWASP brand
                                <div>
                                  <div><br>
                                    <br>
                                    On Tuesday, October 20, 2015, Eoin
                                    Keary <<a href="mailto:eoin.keary@owasp.org" target="_blank">eoin.keary@owasp.org</a>>
                                    wrote:<br>
                                    <blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
                                      <div dir="auto">
                                        <div>Folks,</div>
                                        <div><br>
                                        </div>
                                         <div>The project should be
                                           immediately shelved; it's
                                           simply bad form.</div>
                                        <div><br>
                                        </div>
                                        <div>This is damaging to OWASP,
                                          the industry and exactly what
                                          OWASP is not about.</div>
                                        <div><br>
                                        </div>
                                        <div>There is a clear conflict
                                          of interest and distinct lack
                                          of science behind the claims
                                          made by Contrast.</div>
                                        <div><br>
                                        </div>
                                        <div><br>
                                        </div>
                                        <div><br>
                                        </div>
                                        <div><br>
                                        </div>
                                        <div><br>
                                          <br>
                                          Eoin Keary
                                          <div>OWASP Volunteer</div>
                                          <div>@eoinkeary</div>
                                          <div><span style="font-size:13pt"><br>
                                            </span></div>
                                          <div><br>
                                          </div>
                                        </div>
                                        <div><br>
                                          On 7 Oct 2015, at 3:53 p.m.,
                                          johanna curiel curiel <<a>johanna.curiel@owasp.org</a>>
                                          wrote:<br>
                                          <br>
                                        </div>
                                        <blockquote type="cite">
                                           <div>At the moment we did the
                                             project review, we observed
                                             that the project did not
                                             have enough testing to be
                                             considered in any form as
                                             'ready' for benchmarking,
                                             nor that it had yet the
                                             community adoption; however,
                                             technically speaking, as it
                                             has been classified by the
                                             leaders, the project is at
                                             the beta stage.
                                            <div><br>
                                            </div>
                                             <div>Indeed, Dave had the
                                               push to have the project
                                               reviewed but it was never
                                               clear that later on the
                                               project was going to be
                                               advertised this way. That
                                               all happened after the
                                               presentation at AppSec.</div>
                                            <div><br>
                                            </div>
                                             <div>I had my concerns
                                               regarding how sensitive
                                               the subject of the
                                               project is, but I think we
                                               should allow project
                                               leaders to develop their
                                               communication strategy
                                               even if this has a conflict
                                               of interest. It all
                                               depends on how they behave
                                               and how they manage this.</div>
                                            <div><br>
                                            </div>
                                            <div><br>
                                              On Tuesday, October 6,
                                              2015, Michael Coates <<a>michael.coates@owasp.org</a>>
                                              wrote:<br>
                                              <blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
                                                <div dir="auto">
                                                  <div>It's not really
                                                    that formal to add
                                                    to the agenda, just
                                                    a wiki that we add
                                                    in the text. </div>
                                                  <div><br>
                                                  </div>
                                                  <div>I think you can
                                                    safely assume it
                                                    will get the
                                                    appropriate
                                                    discussion. </div>
                                                  <div><br>
                                                    On Oct 6, 2015, at
                                                    7:16 AM, psiinon
                                                    <<a>psiinon@gmail.com</a>>
                                                    wrote:<br>
                                                    <br>
                                                  </div>
                                                  <blockquote type="cite">
                                                    <div>
                                                      <div dir="ltr">
                                                        <div>
                                                          <div>
                                                           <div>Really??
                                                           It's not on the
                                                           agenda yet for
                                                           the next
                                                           meeting??</div>
                                                          <div>How does
                                                          it get added
                                                          to the agenda?<br>
                                                          </div>
                                                          And that was a
                                                          formal request
                                                          if that makes
                                                          any difference
                                                          :)<br>
                                                          </div>
                                                          I'm all in
                                                          favour of
                                                          getting the
                                                          facts straight
                                                          before any
                                                          actions are
                                                          taken, hence
                                                          my request for
                                                          an 'ethical
                                                          review' or
                                                          whatever it
                                                          should be
                                                          called.<br>
                                                          <br>
                                                        </div>
                                                        <div>Cheers,<br>
                                                          <br>
                                                        </div>
                                                        <div>Simon<br>
                                                        </div>
                                                      </div>
                                                      <div class="gmail_extra"><br>
                                                        <div class="gmail_quote">On
                                                          Tue, Oct 6,
                                                          2015 at 3:07
                                                          PM, Michael
                                                          Coates <span dir="ltr"><<a>michael.coates@owasp.org</a>></span> wrote:<br>
                                                          <blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
                                                          <div dir="auto">
                                                          <div>First
                                                          step is to get
                                                          all of our
                                                          information
                                                          straight so
                                                          we're clear on
                                                          where things
                                                          are at. </div>
                                                          <div><br>
                                                          </div>
                                                          <div>This was
                                                          not on the
                                                          board agenda
                                                          last meeting
                                                          and is also
                                                          not on the
                                                          next agenda as
                                                          of yet (of
                                                          course it
                                                          could always
                                                          be added if
                                                          needed). </div>
                                                          <div><br>
                                                          </div>
                                                           <div>We are
                                                           aware that
                                                           people have
                                                           raised
                                                           questions
                                                           though. I'm
                                                           hoping we can
                                                           get a clear
                                                           understanding
                                                           of all the
                                                           facts and then
                                                           discuss if
                                                           changes are
                                                           needed. </div>
                                                          <div>
                                                          <div>
                                                          <div><br>
                                                          </div>
                                                          <div><br>
                                                          </div>
                                                          <div><br>
                                                          On Oct 6,
                                                          2015, at 1:52
                                                          AM, psiinon
                                                          <<a>psiinon@gmail.com</a>>
                                                          wrote:<br>
                                                          <br>
                                                          </div>
                                                          <blockquote type="cite">
                                                          <div>
                                                          <div dir="ltr">
                                                          <div>
                                                          <div>
                                                          <div>
                                                          <div>Hey
                                                          Michael,<br>
                                                          <br>
                                                          Is the board
                                                          going to take
                                                          any action?<br>
                                                          </div>
                                                          Were there any
                                                          discussions
                                                          about this
                                                          controversy in
                                                          the board
                                                          meeting at
                                                          AppSec USA?<br>
                                                          </div>
                                                          If not will it
                                                          be on the
                                                          agenda for the
                                                          meeting on
                                                          October 14th?<br>
                                                          <br>
                                                          </div>
                                                          Cheers,<br>
                                                          <br>
                                                          </div>
                                                          Simon<br>
                                                          <div>
                                                          <div>
                                                          <div>
                                                          <div><br>
                                                          </div>
                                                          </div>
                                                          </div>
                                                          </div>
                                                          </div>
                                                          <div class="gmail_extra"><br>
                                                          <div class="gmail_quote">On
                                                          Tue, Oct 6,
                                                          2015 at 8:25
                                                          AM, Michael
                                                          Coates <span dir="ltr"><<a>michael.coates@owasp.org</a>></span> wrote:<br>
                                                          <blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
                                                          <div dir="auto">
                                                          <div>Simon</div>
                                                          <div><br>
                                                          </div>
                                                          <div>I posted
                                                          the below
                                                          message
                                                          earlier today.
                                                          At this point
                                                          my goal is to
                                                          just gain
                                                          clarity over
                                                          the current
                                                          reality and
                                                          ideally drive
                                                          to a shared
                                                          state of
                                                          success. This
                                                          message
                                                          doesn't seem
                                                          to be
                                                          reflected in
                                                          the list yet.
                                                          It could be
                                                          because my
                                                          membership
                                                          hasn't been
                                                          approved or
                                                          because of
                                                          mail list
                                                          delays (I miss
                                                          Google
                                                          groups). But I
                                                          think these
                                                          questions will
                                                          start the
                                                          conversation. </div>
                                                          <div><br>
                                                          </div>
                                                           <div>(This was
                                                           just me asking
                                                           questions as a
                                                           curious OWASP
                                                           member, not
                                                           any action on
                                                           behalf of the
                                                           board)</div>
                                                          <div><br>
                                                          </div>
                                                          <div>
                                                          <div><span style="background-color:rgba(255,255,255,0)"><br>
                                                          <br>
                                                          <br>
                                                          Begin
                                                          forwarded
                                                          message:<br>
                                                          <br>
                                                          </span></div>
                                                          <blockquote type="cite"><font color="#000000"><span style="background-color:rgba(255,255,255,0)"><b>From:</b> Michael
                                                          Coates <<a>michael.coates@owasp.org</a>><br>
                                                          <b>Date:</b> October
                                                          5, 2015 at
                                                          6:20:23 PM PDT<br>
                                                          <b>To:</b> <a>owasp-benchmark-project@lists.owasp.org</a><br>
                                                          <b>Subject:</b> <b>Project
                                                          Questions</b><br>
                                                          <br>
                                                          </span></font></blockquote>
                                                          <blockquote type="cite">
                                                          <div dir="ltr"><font color="#000000"><span style="background-color:rgba(255,255,255,0)">OWASP
                                                          Benchmark
                                                          List,</span></font>
                                                          <div><font color="#000000"><span style="background-color:rgba(255,255,255,0)"><br>
                                                          </span></font></div>
                                                          <div><font color="#000000"><span style="background-color:rgba(255,255,255,0)">I've heard more about this
                                                          project and am
                                                          excited about
                                                          the idea of an
                                                          independent
                                                          perspective of
                                                          tool
                                                          performance.
                                                          I'm trying to
                                                          understand a
                                                          few things to
                                                          better respond
                                                          to questions
                                                          from those in
                                                          the security
                                                          & OWASP
                                                          community.</span></font></div>
                                                          <div><font color="#000000"><span style="background-color:rgba(255,255,255,0)"><br>
                                                          </span></font></div>
                                                          <div><font color="#000000"><span style="background-color:rgba(255,255,255,0)">In my mind there are two
                                                          big areas for
                                                          consideration
                                                          in a benchmark
                                                          process.</span></font></div>
                                                          <div><font color="#000000"><span style="background-color:rgba(255,255,255,0)">1. Are the benchmarks
                                                          testing the
                                                          right areas?</span></font></div>
                                                           <div><font color="#000000"><span style="background-color:rgba(255,255,255,0)">2. Is the process for
                                                           creating the
                                                           benchmark
                                                           objective
                                                           & free
                                                           from conflicts
                                                           of interest?</span></font></div>
                                                          <div><font color="#000000"><span style="background-color:rgba(255,255,255,0)"><br>
                                                          </span></font></div>
                                                          <div><font color="#000000"><span style="background-color:rgba(255,255,255,0)">I think as a group OWASP is
                                                          the right body
                                                          to align on
                                                          #1.</span></font></div>
                                                          <div><font color="#000000"><span style="background-color:rgba(255,255,255,0)"><br>
                                                          </span></font></div>
                                                          <div><font color="#000000"><span style="background-color:rgba(255,255,255,0)">I'd like to ask for some
                                                          clarifications
                                                          on item #2. I
                                                          think it's
                                                          important to
                                                          avoid actual
                                                          conflict of
                                                          interest and
                                                          also the
                                                          appearance of
                                                          conflict of
                                                          interest. The
                                                          former is
                                                          obvious why we
                                                          mustn't have
                                                          that, the
                                                          latter is
                                                          critical so
                                                          others have
                                                          faith in the
                                                          tool, process
                                                          and outputs of
                                                          the process
                                                          when viewing
                                                          or hearing
                                                          about the
                                                          project.</span></font></div>
                                                          <div><font color="#000000"><span style="background-color:rgba(255,255,255,0)"><br>
                                                          </span></font></div>
                                                          <div><font color="#000000"><span style="background-color:rgba(255,255,255,0)"><br>
                                                          </span></font></div>
                                                          <div><font color="#000000"><span style="background-color:rgba(255,255,255,0)">1) Can we clarify whether
                                                          other
                                                          individuals
                                                          have submitted
                                                          meaningful
                                                          code to the
                                                          project? </span></font></div>
                                                          <div><font color="#000000"><span style="background-color:rgba(255,255,255,0)">Observation:</span></font></div>
                                                          <div><font color="#000000"><span style="background-color:rgba(255,255,255,0)">Nearly all the code commits
                                                          have come from
                                                          1 person
                                                          (project
                                                          lead).</span></font></div>
                                                          <div><a href="https://github.com/OWASP/Benchmark/graphs/contributors" style="background-color:rgba(255,255,255,0)" target="_blank"><font color="#000000">https://github.com/OWASP/Benchmark/graphs/contributors</font></a></div>
                                                          <div><font color="#000000"><span style="background-color:rgba(255,255,255,0)"><br>
                                                          </span></font></div>
                                                          <div><font color="#000000"><span style="background-color:rgba(255,255,255,0)">2) Can we clarify the contributions of others and their represented organizations?</span></font></div>
                                                          <div><font color="#000000"><span style="background-color:rgba(255,255,255,0)">Observation:</span></font></div>
                                                          <div><font color="#000000"><span style="background-color:rgba(255,255,255,0)">The acknowledgements tab listed two developers (Juan Gama & Nick Sanidas), both of whom work at the same company as the project lead. It seems other people have submitted some small amounts of material, but overall it seems all development has come from the same company.</span></font></div>
                                                          <div><font color="#000000"><span style="background-color:rgba(255,255,255,0)"><a href="https://www.owasp.org/index.php/Benchmark#tab=Acknowledgements" target="_blank">https://www.owasp.org/index.php/Benchmark#tab=Acknowledgements</a><br>
                                                          </span></font></div>
                                                          <div><font color="#000000"><span style="background-color:rgba(255,255,255,0)"><br>
                                                          </span></font></div>
                                                          <div><font color="#000000"><span style="background-color:rgba(255,255,255,0)">3) Can we clarify in what ways we've mitigated the potential conflict of interest and also the appearance of a conflict of interest? This seems like the largest blocker for widespread acceptance of this project and the biggest risk. </span></font></div>
                                                          <div><font color="#000000"><span style="background-color:rgba(255,255,255,0)">Observation:</span></font></div>
                                                          <div><font color="#000000"><span style="background-color:rgba(255,255,255,0)">The project lead and both of the project developers work for a company with very close ties to one of the companies that is evaluated by this project. Further, it appears the company is performing very well on the project tests. </span></font></div>
                                                          <div><font color="#000000"><span style="background-color:rgba(255,255,255,0)"><br>
                                                          </span></font></div>
                                                          <div><font color="#000000"><span style="background-color:rgba(255,255,255,0)">4) If we are going to list tool vendors then I'd recommend listing multiple vendors for each category. </span></font></div>
                                                          <div><font color="#000000"><span style="background-color:rgba(255,255,255,0)">Observation:</span></font></div>
                                                          <div><font color="#000000"><span style="background-color:rgba(255,255,255,0)">The tools page only lists 1 IAST tool. Since this is the point of the potential conflict of interest, it is important to list numerous IAST tools.</span></font></div>
                                                          <div><font color="#000000"><span style="background-color:rgba(255,255,255,0)"><a href="https://www.owasp.org/index.php/Benchmark#tab=Tool_Support_2FResults" target="_blank">https://www.owasp.org/index.php/Benchmark#tab=Tool_Support_2FResults</a><br>
                                                          </span></font></div>
                                                          <div><font color="#000000"><span style="background-color:rgba(255,255,255,0)"><br>
                                                          </span></font></div>
                                                          <div><font color="#000000"><span style="background-color:rgba(255,255,255,0)">5) Diverse body with multiple points of view</span></font></div>
                                                          <div><font color="#000000"><span style="background-color:rgba(255,255,255,0)">Observation:</span></font></div>
                                                          <div><font color="#000000"><span style="background-color:rgba(255,255,255,0)">There is no indication that multiple stakeholders are present to review and decide on the future of this project. If they exist, a new section should be added to the project page to raise awareness. If they don't exist, we should reevaluate how we are obtaining an independent view of the testing process.</span></font></div>
                                                          <div><font color="#000000"><span style="background-color:rgba(255,255,255,0)"><br>
                                                          </span></font></div>
                                                          <div><font color="#000000"><span style="background-color:rgba(255,255,255,0)"><br>
                                                          </span></font></div>
                                                          <div><font color="#000000"><span style="background-color:rgba(255,255,255,0)">Again, I think the idea of the project is great. From my perspective clarifying these questions will help ensure the project is not only objective, but also perceived as objective from someone reviewing the material. Ultimately this will contribute to the success and growth of the project.</span></font></div>
                                                          <div><font color="#000000"><span style="background-color:rgba(255,255,255,0)"><br>
                                                          </span></font></div>
                                                          <div><font color="#000000"><span style="background-color:rgba(255,255,255,0)">Thanks!</span></font></div>
                                                          <div><font color="#000000"><span style="background-color:rgba(255,255,255,0)"><br>
                                                          </span></font></div>
                                                          <span><font color="#888888">
                                                          <div><font color="#000000"><span style="background-color:rgba(255,255,255,0)"><br>
                                                          </span></font></div>
                                                          <div>
                                                          <div>
                                                          <div dir="ltr">
                                                          <div dir="ltr">
                                                          <div dir="ltr">
                                                          <div dir="ltr"><font color="#000000"><span style="background-color:rgba(255,255,255,0)">--<br>
                                                          Michael Coates</span></font></div>
                                                          <div dir="ltr">
                                                          <div><font color="#000000"><span style="background-color:rgba(255,255,255,0)"><br>
                                                          </span></font></div>
                                                          <div><font color="#000000"><span style="background-color:rgba(255,255,255,0)"><br>
                                                          </span></font></div>
                                                          <div><br>
                                                          </div>
                                                          </div>
                                                          </div>
                                                          </div>
                                                          </div>
                                                          </div>
                                                          </div>
                                                          </font></span></div>
                                                          </blockquote>
                                                          </div>
                                                          <div>
                                                          <div>
                                                          <div><br>
                                                          On Oct 2, 2015, at 1:31 AM, psiinon <<a>psiinon@gmail.com</a>> wrote:<br>
                                                          <br>
                                                          </div>
                                                          <blockquote type="cite">
                                                          <div>
                                                          <div dir="ltr">
                                                          <div>
                                                          <div>
                                                          <div>
                                                          <div>
                                                          <div>
                                                          <div>OK, based on the concerns raised so far I think the board should initiate a review of the OWASP Benchmark project.<br>
                                                          </div>
                                                          I'm not raising a formal complaint against it, I'm just requesting a review.<br>
                                                          </div>
                                                          And I don't think it needs a 'standard' project review - Johanna has already done a very good job of this.<br>
                                                          </div>
                                                          Not sure what sort of review you'd call it, I'll leave the naming to others :)<br>
                                                          <br>
                                                          </div>
                                                          <div>I'm concerned that we have an OWASP project led by a company who has a clear commercial stake in the results.<br>
                                                          </div>
                                                          <div>Bringing more companies on board will help, but I'm still not sure that alone will make it independent enough.<br>
                                                          </div>
                                                          <div>Commercial companies can afford to dedicate staff to improving Benchmark so that their products look better.<br>
                                                          </div>
                                                          <div>Open source projects just can't do that, so we are at a distinct disadvantage.<br>
                                                          </div>
                                                          <div>Should we allow a commercially driven OWASP project whose aim could be seen to be to promote commercial software?<br>
                                                          </div>
                                                          <div>If so, what sort of checks and balances does it need?<br>
                                                          </div>
                                                          <div>Those are the sort of questions I'd like an independent review to look at.<br>
                                                          </div>
                                                          <div><br>
                                                          </div>
                                                          <div>I do think there are some immediate steps that could be taken:<br>
                                                          </div>
                                                          <ul>
                                                          <li>I'd like to see the Benchmark project page clearly state that it's at a very early stage and that the results are _not_ yet suitable for use in commercial literature.</li>
                                                          <li>I'd also like the main companies developing Benchmark to be clearly stated on the main page. If and when other companies get involved then this would actually help the project's claim of vendor independence.</li>
                                                          <li>And I'd love to see a respected co-leader added to the project who is not associated with any commercial or open source security tools :)</li>
                                                          </ul>
                                                          </div>
                                                          </div>
                                                          <div>
                                                          <div>
                                                          <div>
                                                          <div>And we should carry on discussing the project on this list - I think such discussions are very healthy, and I'd love to see this project mature to a state where it can be a trusted, independent and valued resource.<br>
                                                          </div>
                                                          <div><br>
                                                          </div>
                                                          <div>Cheers,<br>
                                                          <br>
                                                          </div>
                                                          <div>Simon<br>
                                                          </div>
                                                          </div>
                                                          </div>
                                                          </div>
                                                          </div>
                                                          <div class="gmail_extra"><br>
                                                          <div class="gmail_quote">On Thu, Oct 1, 2015 at 7:59 PM, Tobias <span dir="ltr"><<a>tobias.gondrom@owasp.org</a>></span> wrote:<br>
                                                          <blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
                                                          <div bgcolor="#FFFFFF" text="#000000">
                                                          <div>@Simon: <br>
                                                          yes, the leaders list is the place for your discussions for project and chapter leaders<br>
                                                          @Timo: I like your framing of "Don't ask what OWASP can do for me, ask what I can do for OWASP." <br>
                                                          That should be, and is indeed, the spirit of OWASP :-) <br>
                                                          Best regards,
                                                          Tobias
                                                          <div>
                                                          <div><br>
                                                          <br>
                                                          <br>
                                                          <br>
On 30/09/15 09:42, Timo Goosen wrote:<br>
                                                          </div>
                                                          </div>
                                                          </div>
                                                          <div>
                                                          <div>
                                                          <blockquote type="cite">
<div dir="ltr">I don't know enough about the matter to comment on this case, but I feel that any situation where an OWASP project, or any OWASP initiative for that matter, is using OWASP to promote its own business interests should be stopped. We need to get rid of bad apples in OWASP.
                                                          <div><br>
                                                          </div>
<div>OWASP is becoming a brand, if you would like to think of it that way, and we are going to see many more cases of people trying to use OWASP to spread their business interests. At the end of the day everyone should be acting with an attitude of: "Don't ask what OWASP can do for me, ask what I can do for OWASP?"</div>
                                                          <div><br>
                                                          </div>
                                                          <div><br>
                                                          </div>
                                                          <div><br>
                                                          </div>
                                                          <div>Regards.</div>
                                                          <div>Timo</div>
                                                          </div>
                                                          <div class="gmail_extra"><br>
                                                          <div class="gmail_quote">On
                                                          Wed, Sep 3</div></div></blockquote></div></div></div></blockquote></div></div></div></blockquote></div></div></div></blockquote></div></div></div></blockquote></div></div></div></blockquote></div></div></div></blockquote></div></blockquote></div></div></blockquote></div></blockquote></div></div></blockquote></div></div></div></div></blockquote></div></div></div></div></blockquote></div></div></blockquote></div></blockquote></div></div></div></blockquote></div></blockquote></div></div></div></blockquote></div></blockquote></div></div></div></blockquote></div></div></div></blockquote></div></div></div></div></blockquote></div></div></blockquote></div></div><br>_______________________________________________<br>
OWASP-Leaders mailing list<br>
<a href="mailto:OWASP-Leaders@lists.owasp.org" target="_blank">OWASP-Leaders@lists.owasp.org</a><br>
<a href="https://lists.owasp.org/mailman/listinfo/owasp-leaders" rel="noreferrer" target="_blank">https://lists.owasp.org/mailman/listinfo/owasp-leaders</a><br>
<br>...</blockquote></div>
</blockquote></div><br></div>