[Owasp-leaders] Listing commercial products in OWASP projects
pavol.luptak at nethemba.com
Tue Jan 20 08:33:24 EST 2009
On Mon, Jan 19, 2009 at 01:21:36PM -0500, Jeff Williams wrote:
> I suggest that we should follow the same rule that is in force for Chapter
> meetings. The basic principle is that you can't use OWASP to promote your
> product (outside of an authorized commercial opportunity - like an
> advertisement, conference sponsorship, etc...) Mentions of vendor
> products are allowed on the website, but only in the context of a
> particular problem, and only when a broad survey of the available
> commercial and open-source tools is performed.
It sounds absolutely logical to me.
But what about a new vendor-unbiased, open OWASP project that would compare
various commercial and free penetration tools and scanners (all the high-quality
stuff we use daily :-)
Because at present (when it is sometimes impossible to obtain a free/trial
version from the vendor) it is very difficult to compare various penetration
tools and decide which is better in which category.
And because almost all the tools in use (open-source + commercial) would be
mentioned in this project, it should be vendor-unbiased.
We can benchmark these tools against OWASP WebGoat (or create some other
And of course, if this "testing tool comparison/benchmark project" is to be
vendor/product unbiased, it should be covered by some unbiased open foundation
(OWASP?), not by a private company.
Juan Carlos also mentioned that vendors are very reluctant about benchmarking
(some EULAs can contain clauses that prohibit you from benchmarking some products).
Personally I don't know of any "non-comparable" security tool, but if they really
exist, we simply would not include these tools in the final
benchmark/comparison (personally I would never buy a product that could not
be compared with the others :-)
Remember, our original OWASP mission is "to have more secure web applications
in the world", so we can use this "open benchmark project" to support/promote
_ALL_ high-quality tools (and in this case it doesn't matter if they are
commercial or not).
I think that everybody would appreciate this project :-)
What do you think? Is it compliant with OWASP rules?
Pavol Luptak, CISSP, CEH
OWASP Slovakia chapter leader