[Owasp-leaders] Listing commercial products in OWASP projects

Dave Wichers dave.wichers at owasp.org
Wed Jan 21 17:38:32 EST 2009

There is precedent for OWASP mentioning commercial tools as I have done so




and here: http://www.owasp.org/index.php/Web_Application_Firewall


For what it's worth, I think it's OK to mention such tools if you include
the appropriate disclaimer, as helping to make people aware of options that
are available to them is a reasonable goal.


Or maybe, for your purposes, you could just refer to these pages, but we
don't have a page for application penetration testing tools I don't think.




From: owasp-leaders-bounces at lists.owasp.org
[mailto:owasp-leaders-bounces at lists.owasp.org] On Behalf Of Stephen de Vries
Sent: Monday, January 19, 2009 12:41 PM
To: OWASP Leaders
Cc: dvstein at gmail.com
Subject: [Owasp-leaders] Listing commercial products in OWASP projects



Over on the Testing Guide mailing list, we're having a discussion about
whether it is appropriate to list or mention commercial testing tools.  The
question is whether simply mentioning a commercial product in an OWASP
project would be considered endorsing it.  

There was a suggestion to simply list the name of the commercial product and
a link to the vendor - nothing else.  Then when it comes to open source
tools we could have free reign and comment on their pro's and cons.   But
even this could be considered an endorsement of the commercial tools.

How have other projects dealt with this problem - and what is OWASPs
official stance?





Begin forwarded message:

From: Dave van Stein <dvstein at gmail.com>

Date: January 18, 2009 1:44:40 PM GMT+01:00

To: Pavol Luptak <pavol.luptak at nethemba.com>

Cc: owasp-testing at lists.owasp.org

Subject: Re: [Owasp-testing] Just few typing errors


I just want to know if this activity is OWASP-compliant - can be classified
as endorsement of commercial products or not (this is purely legal, not
technical question). See http://www.owasp.org/index.php/Main_Page, the
top line: "OWASP does not endorse commercial products or services"

The line between endorsing and just mentioning is rather thin in my opinion.
In order to be as unbiased as possible regarding commercial (or non
open-source for that matter) tools the list should be 100% complete. If even
1 tool is available and not mentioned in the list, that could be explained
as "not worth mentioning according to OWASP". Since managing such a list is
close to impossible in my opinion due to the amount of tools appearing and
disappearing every day, it is very risky to include it. 

Personally I think it would be a better idea to create a seperate list
(perhaps even a seperate project) with a good disclaimer and mention a link
to that list in the testing guide as a (limited) source of information. The
main goal of the OWASP testing guide is understanding vulnerabilities and
understanding how to test them, not about automating those tests. Therefor
the independancy of the testing guide should be more important than
providing a complete list with automation tools. 

regards, Dave

Owasp-testing mailing list
Owasp-testing at lists.owasp.org


-------------- next part --------------
An HTML attachment was scrubbed...
URL: https://lists.owasp.org/pipermail/owasp-leaders/attachments/20090121/297c7dc1/attachment.html 

More information about the OWASP-Leaders mailing list