[Owasp-leaders] For comment: OWASP references on SI's Press Release, Commercial Support of an OWASP project

Jeff Williams jeff.williams at owasp.org
Thu Aug 18 17:49:36 EDT 2011


Dinis,

 

Congrats on the move.  As you know, I'm concerned about commercial companies
releasing 'crippled' versions of their tool at OWASP as an advertisement to
buy the full version.  I think the current SI pages and app as released
right now are over this line.  The product looks like an OWASP project, but
is hosted on an SI domain and clearly advertises a commercial product.  I
believe this is misleading.

 

I understand and appreciate that you are trying to find a model for
commercial entities and OWASP to work together.  However, OWASP's reputation
depends on our independence and objectivity.  You have been the most staunch
defender of this in the past. 

 

I want OWASP to engage with commercial entities.  Particularly when multiple
commercial entities all have the same need and want to collaborate through
OWASP.  And I agree that we need to define some rules around this kind of
commercial-OWASP partnership.  In fact that's what I tried to do with John
in the OWASP Partnership Model
<https://docs.google.com/document/d/1ea4jWVDziLcZMTJUC5qW5psWYROpB-oPlqyl4Ei2xHA/edit?hl=en_US&authkey=CKycuTY&pli=1>.  I'm not as sure about how to
engage with security product vendors.

 

But I don't believe that either TeamMentor or Exams are real OWASP projects.
To my knowledge there has been no effort to create a real project with
mailing lists, wiki pages, community participation, and *most importantly*
an open source repository of the code.  The TeamMentor code isn't even open
source.  Are there any other committers or participants?   The recent
changes (now deleted) to Wikipedia's OWASP article marketing the project are
particularly concerning.

 

If the model is that the *content* is to be an OWASP maintained project,
while the *tool* to use the content is to be an SI commercial product, then
forget it.  I won't spend my energy maintaining it.  And I don't think OWASP
should encourage this.  If there's CC content on the OWASP wiki that SI
wants to use in their product (with respect to the license) then great.

 

One model that does work is to actually open source the tool and then
provide commercial support.

 

--Jeff

 

 

From: owasp-leaders-bounces at lists.owasp.org
[mailto:owasp-leaders-bounces at lists.owasp.org] On Behalf Of Dave Wichers
Sent: Thursday, August 18, 2011 1:53 PM
To: 'dinis cruz'; owasp-leaders at lists.owasp.org
Cc: 'Maureen Robinson'; 'Tom Bain'
Subject: Re: [Owasp-leaders] For comment: OWASP references on SI's Press
Release, Commercial Support of an OWASP project

 

Regarding the proposed Press Release, I don't see anything in it that I
would consider abusing the OWASP brand.

 

Regarding OWASP O2 commercial services, I think if your website includes the
points you have listed below, that this is an SI service, and NOT an OWASP
provided or endorsed service, then those are the main points to get across. And
these points need to be clear and obvious, not buried in the fine print.
Others may think of other things to mention, and documenting them in some
kind of OWASP Code of Conduct page for how to represent commercial support
around OWASP projects is a good idea, because I'm sure we will learn things
and we can update this page with both expected behavior, and also list
'examples' of behavior that we don't like (potentially taken from real world
abuse cases, but sanitized to not reflect the real original offender).

 

My initial thoughts anyway.

 

-Dave

 

From: owasp-leaders-bounces at lists.owasp.org
[mailto:owasp-leaders-bounces at lists.owasp.org] On Behalf Of dinis cruz
Sent: Thursday, August 18, 2011 1:26 PM
To: owasp-leaders at lists.owasp.org
Cc: Maureen Robinson; Tom Bain
Subject: [Owasp-leaders] For comment: OWASP references on SI's Press
Release, Commercial Support of an OWASP project

 

As some of you might have noticed, I recently joined SI (Security Innovation)
as an Employee (for more details on why I did it, see this personal blog
entry:
http://diniscruz.blogspot.com/2011/08/joining-security-innovation-si-as.html)

 

Due to the power of the OWASP brand, SI's marketing department wants to
issue a Press Release (PR) with this bit of news. This has happened a number
of times before for other OWASP leaders and products, and sometimes the fine
line between 'marketing' and abusing the OWASP brand (or overstating particular
facts) gets crossed. For example, SI did issue a Press Release a couple of
months ago that could have benefited from some OWASP peer review :).

 

Part of what I want to do at SI is to create frames of reference/examples
for how commercial companies should behave around OWASP, and SI (so far) has
tried very hard to play by OWASP rules (even when they don't exist or are
not explicitly defined). Not to say that they haven't made mistakes in the
past, but they are trying hard.

 

So, the first part of this email is a question to you: "Is the PR included
at the end of this email OK?" Please be brutal in your feedback and if you
feel changes should be made, please let us know (I'm CCing Tom and Maureen
from SI's marketing department, so if relevant, please include them on your
replies; the cut-off point is next Monday at 12pm EST, with a publishing date
of Tuesday). I made some changes to the original version, but remember that
this is a Press Release :)

 

The 2nd question in this email is related to the fact that SI is going to
offer (i.e. sell) commercial support for an OWASP project, in this case the
OWASP O2 Platform.

 

The original focus is going to be on using O2 to customise existing AppSec
tools in order to make them 'Framework Aware', and on the automation of
AppSec security reviews (i.e. delivery of security findings as unit tests
for developers). Btw, I'm still hurting from the fact that SI (due to market
demand) wants to build training content on ESAPI and not on O2 :)

 

The question is: "How can this type of service be represented on OWASP's
website and to OWASP's community?"

 

For example, what disclaimers should be made to make sure this is not
perceived as an 'OWASP provided service'? Maybe we should create a Code of
Conduct book for these cases?

 

I believe this to be a really good development for OWASP, and I do wish that
other companies provided commercial support/services on OWASP projects, for
example: WebGoat, ESAPI, ASVS, WebScarab/Zap, Top 10, Legal, Encoding
libraries, Testing/Code/Developer guides, Cheat-Sheets, etc...

 

Of course, since OWASP projects are all licensed under an Open Source or
CC license, it will not be possible for ONE company to be the ONLY provider
of these services. Ideally we should have multiple companies providing
these commercial services (each with its own unique positioning, strengths
and offerings). It would then be a case of the market deciding which one
they want to reward with their business.

 

These are uncharted territories, but the good news is that finally (with
SI officially supporting O2) we have a real world scenario to deal with
(in the past we spent too much time theorising about the multiple
hypothetical scenarios and abuses).

 

The best way to get things done at OWASP is to try new ideas, see how they
go, listen to the feedback received, and improve on the next version.

 

So SI and I are kickstarting this, and hopefully others will follow.

 

(note: there is already an OWASP project that was going to try to make this
happen, but it had no energy; maybe now is the time to restart it)

 

Dinis Cruz

 

(below is the full text of the PR that will be published next Tuesday)

 

 

Security Innovation Announces the Hiring of Web Application Security Expert
Dinis Cruz as Principal Security Engineer

 

Wilmington, Mass., August 22, 2011 - <http://securityinnovation.com/>
Security Innovation, a leading organization specializing in application
security products and services, has announced that it has hired Dinis Cruz
as Principal Security Engineer. This strategic appointment supports Security
Innovation's goal, which is to provide its customers with solutions designed
to help protect their most coveted assets through securely developing
applications.

 

Cruz will serve as a lead architect and visionary, driving the design and
evolution of the company's knowledgebase repository product, TeamMentor
Enterprise Edition. Cruz will be responsible for re-architecting the solution
to better serve security and development teams, with a particular focus on
integration with other products, frameworks, and automated assessment
activities. He'll also continue to lead the company's strategic initiatives
with the open-source community.

 

"Dinis has been a part of our extended team, working on product development
projects over the last several months. Now that he is officially joining us
as an employee, we're excited to have him fully engaged, enhancing our
unique portfolio of application security-specific products and services,"
said Jason Taylor, chief technology officer, Security Innovation. "We are
focused on adding respected application security experts to our staff to
enable our customers to build the most secure applications in the world."

 

Cruz brings extensive Web application security experience to his role with
Security Innovation. Previously, Cruz served as Director of Advanced
Technology with Ounce Labs and specialized in code reviews, penetration
testing, ASP.NET application security and security
engineering. As an active OWASP leader and contributor, Cruz has been
rewriting the Open Source OWASP O2 Platform. He served as an OWASP Board
Member (2005 to 2011) and has led important initiatives like the OWASP
Seasons of Code, OWASP Summits (2008 and 2011), OWASP books, and a number of
OWASP .NET projects. As the main developer of OWASP O2 Platform, Cruz's
vision is to automate application security knowledge and he has designed O2
to be an industry standard for data-sharing between WebAppSec tools,
consultants and final users. He is also a regular industry speaker, having
delivered technical presentations and training at numerous OWASP conferences
and BlackHat.

 

Cruz will also work closely with SI's Application Security services team
delivering <http://www.securityinnovation.com/services/> software and SDLC
assessments and help to create Security Innovation supported versions of the
OWASP O2 Platform. Specifically, this effort is designed to integrate and
consolidate the data created by tools or services like IBM Rational AppScan,
Veracode, WhiteHat, Microsoft CAT.NET, OWASP Zap Proxy, Burp Proxy, HP
Fortify and other open source tools to make them 'Framework Aware' and
connect them with existing SDLC tools and processes.

 

"What started as writing some code for TeamMentor a few months ago turned
into a longer-term project that really allowed me to get a feeling for what
it's like to work with Security Innovation," said Cruz. "I was impressed by
the company's application security knowledge and there was an obvious
synergy between us. We believe in the same best practices and methodologies
for architecting secure software and making that knowledge broadly
available," he added.

Cruz is an active blogger. His views on joining Security Innovation and
other security-related topics can be found on the
<http://diniscruz.blogspot.com/> Dinis Cruz Blog and on
<http://web.securityinnovation.com/blog/> Security Innovation's Application
and Cyber Security blog.

 

About Security Innovation
Security Innovation is an established leader in the application security and
cryptography space. For over a decade the company has provided products,
training and consulting services to help organizations build and deploy more
secure systems and improve the process by which their applications are
built. 
Security Innovation built upon its core competencies in application security
with the acquisition of NTRU Cryptosystems in 2009, a company that developed
proprietary, standardized algorithms. This resulted in the strongest and
fastest public key cryptography available and the means to overcome
historical performance barriers that have plagued the encryption industry.
With these core strengths intact, Security Innovation is in a position to
help organizations protect their data at two critical points: while
applications are accessing it and during transmission. The company's
flagship products include
<http://www.securityinnovation.com/products/elearning/courses.shtml>
TeamProfessor, the industry's largest library of application eLearning
courses, and
<http://www.securityinnovation.com/products/team-mentor/index.shtml>
TeamMentor, a web-based secure development methodologies product. 

Security Innovation is privately held and is headquartered in Wilmington, MA
USA.
Note to Editors: Security Innovation, NTRUEncrypt, TeamMentor, TeamProfessor
and the Security Innovation logo are trademarks of Security Innovation. All
other brand names may be trademarks of their respective owners.

Contacts
Maureen Robinson
Security Innovation 
(978) 694-1008 X21
 <mailto:mrobinson at securityinnovation.com> mrobinson at securityinnovation.com

April Corso
Lois Paul & Partners 
(781) 782-5831
 <mailto:april_corso at lpp.com> april_corso at lpp.com
