[Owasp-leaders] Listing commercial products in OWASP projects

Stephen de Vries stephen at twisteddelight.org
Mon Jan 19 12:41:29 EST 2009


Over on the Testing Guide mailing list, we're having a discussion about whether it is appropriate to list or mention commercial testing tools. The question is whether simply mentioning a commercial product in an OWASP project would be considered endorsing it.

There was a suggestion to simply list the name of the commercial product and a link to the vendor - nothing else. Then when it comes to open source tools we could have free rein and comment on their pros and cons. But even this could be considered an endorsement of the commercial tools.

How have other projects dealt with this problem - and what is OWASP's official stance?

Stephen


Begin forwarded message:

> From: Dave van Stein <dvstein at gmail.com>
> Date: January 18, 2009 1:44:40 PM GMT+01:00
> To: Pavol Luptak <pavol.luptak at nethemba.com>
> Cc: owasp-testing at lists.owasp.org
> Subject: Re: [Owasp-testing] Just few typing errors
>
> I just want to know if this activity is OWASP-compliant - can be classified as endorsement of commercial products or not (this is a purely legal, not technical question). See http://www.owasp.org/index.php/Main_Page, the second top line: "OWASP does not endorse commercial products or services"
>
> The line between endorsing and just mentioning is rather thin in my opinion. In order to be as unbiased as possible regarding commercial (or non open-source for that matter) tools the list should be 100% complete. If even 1 tool is available and not mentioned in the list, that could be explained as "not worth mentioning according to OWASP". Since managing such a list is close to impossible in my opinion due to the amount of tools appearing and disappearing every day, it is very risky to include it.
>
> Personally I think it would be a better idea to create a separate list (perhaps even a separate project) with a good disclaimer and mention a link to that list in the testing guide as a (limited) source of information. The main goal of the OWASP testing guide is understanding vulnerabilities and understanding how to test them, not about automating those tests. Therefore the independence of the testing guide should be more important than providing a complete list with automation tools.
>
> regards, Dave


