[Owasp-leaders] Owasp Inquiry on "Cenzic patent on 'Fault injection methods and apparatus' "

Dan Cornell dan at denimgroup.com
Thu Feb 17 18:53:14 EST 2011

I've actually reached out to Mandeep Khera as he is very involved in OWASP



Sent from my iPhone

On Feb 17, 2011, at 3:04 PM, "John Wilander" <john.wilander at owasp.org> wrote:

Check the logos on the AppSec USA 2010 page:

Can OWASP keep accepting Cenzic's money if we act on the patent issue? I sense potential hypocrisy.

Why not a diplomatic outreach first? Jeff calling Cenzic's CEO, telling him of the community concern and asking for their view. I'd prefer starting there.

   Regards, John

Sent from my iPad

On 17 Feb 2011, at 19:57, Rex Booth <rex.booth at owasp.org> wrote:

This "issue" is not new.  Patent squatting and similar activities are a prevalent problem throughout the US intellectual property system.  To my knowledge, OWASP has not addressed these problems in the past, so I'm at a loss to understand why we would do so now.

I, as an individual, am personally and professionally irritated by Cenzic's claim - as I'm sure we all are.  But that doesn't mean that OWASP has a play at this point.

You asked if we should wait until they come for us.  In my opinion, that is exactly what we should do.  Because until that point, their actions really have no appreciable impact on our ability to fulfill our mission.  In the meantime, let the battle be waged by the organizations who have a mission to fight these kinds of actions.  Otherwise we risk getting in WAY over our heads and drifting far from our core mission.


On 2/17/2011 1:29 PM, dinis cruz wrote:
The problem with this case is that if OWASP doesn't do anything, that in itself is taking a position (some might argue that it would be equivalent to 'putting the head into the sand and ignoring what is happening').

This is definitely a case where we will be damned if we do and damned if we don't (ignoring this will not make the issue go away).

This case goes to the heart of a lot of things at OWASP (including our ability to continue to innovate on the WebApp tools space).

In fact, as some of the recommendations already provided in this small thread clearly show, if there is no clear 'position' and guidelines from OWASP's community, we will actually create a much worse environment.

We need to start this process from the point of view that we need to listen to both sides of the story; we first need to clarify what the facts are and what is really going on.

We shouldn't start from the premise that Cenzic is wrong, that its products should be boycotted or that the WebAppSec buyers should buy Cenzic's competitors' products.

Dinis Cruz

On 17 February 2011 18:19, Dan Cornell <dan at denimgroup.com> wrote:
> What I would do: 1) Buy NTObjectives' scanner and/or service and
> recommend it to others. 2) cite Cenzic for breach-of-contract of their
> software support & upgrade contracts, if you are a current customer of
> theirs (one cannot reasonably expect a company to be able to upgrade
> their product if they are forcing stifled innovation in a growing and
> needy industry), 3) If you're a Veracode customer, consider trading
> your credits (or budget for the year) to dynamic analysis services
> (which can only stand to help NTObjectives), and 4) If you are an
> attorney, or have a GC at your company, contact NTObjective's legal
> counsel.
> It also appears that one can list prior art on that <http://stop232patent.com>
> website, but I have no idea what fits the criteria. Elza? Nikto?
> Phrack magazine's 1998 article on SQL injection? OULU's work on
> PROTOS? Wisc.edu Bart Miller's 1989 work on fuzz.c? Gary McGraw's 1998
> book on "Software Fault Injection"?

Agreed!  I suppose my point is that these are all decisions/activities that make sense for people or firms to take in their name, not in the OWASP name.  And I think that is a healthier approach versus OWASP holding an ominously-named "Inquiry" into a Supporter organization (or any organization, for that matter).  Now if OWASP wanted to start a "Prior Art" project that might be something...



OWASP-Leaders mailing list
OWASP-Leaders at lists.owasp.org
