[Owasp-leaders] Listing commercial products in OWASP projects
jeff.williams at owasp.org
Mon Jan 19 13:21:36 EST 2009
I suggest that we should follow the same rule that is in force for Chapter
meetings. The basic principle is that you can't use OWASP to promote your
product (outside of an authorized commercial opportunity - like an
advertisement, conference sponsorship, etc.). Mentions of vendor products
are allowed on the website, but only in the context of a particular problem,
and only when a broad survey of the available commercial and open-source
tools is performed.
From: owasp-leaders-bounces at lists.owasp.org
[mailto:owasp-leaders-bounces at lists.owasp.org] On Behalf Of Stephen de Vries
Sent: Monday, January 19, 2009 12:41 PM
To: OWASP Leaders
Cc: dvstein at gmail.com
Subject: [Owasp-leaders] Listing commercial products in OWASP projects
Over on the Testing Guide mailing list, we're having a discussion about
whether it is appropriate to list or mention commercial testing tools. The
question is whether simply mentioning a commercial product in an OWASP
project would be considered endorsing it.
There was a suggestion to simply list the name of the commercial product and
a link to the vendor - nothing else. Then when it comes to open source
tools we could have free rein and comment on their pros and cons. But
even this could be considered an endorsement of the commercial tools.
How have other projects dealt with this problem - and what is OWASP's
Begin forwarded message:
From: Dave van Stein <dvstein at gmail.com>
Date: January 18, 2009 1:44:40 PM GMT+01:00
To: Pavol Luptak <pavol.luptak at nethemba.com>
Cc: owasp-testing at lists.owasp.org
Subject: Re: [Owasp-testing] Just few typing errors
I just want to know if this activity is OWASP-compliant - whether it can be classified
as endorsement of commercial products or not (this is a purely legal, not a
technical question). See http://www.owasp.org/index.php/Main_Page, the
top line: "OWASP does not endorse commercial products or services".
The line between endorsing and just mentioning is rather thin in my opinion.
In order to be as unbiased as possible regarding commercial (or non
open-source for that matter) tools the list should be 100% complete. If even
1 tool is available and not mentioned in the list, that could be explained
as "not worth mentioning according to OWASP". Since managing such a list is
close to impossible in my opinion due to the amount of tools appearing and
disappearing every day, it is very risky to include it.
Personally I think it would be a better idea to create a separate list
(perhaps even a separate project) with a good disclaimer and mention a link
to that list in the testing guide as a (limited) source of information. The
main goal of the OWASP testing guide is understanding vulnerabilities and
understanding how to test for them, not automating those tests. Therefore
the independence of the testing guide should be more important than
providing a complete list of automation tools.