[Owasp-leaders] Commercial use of OWASP products

Dennis Groves dennis.groves at owasp.org
Sun Jan 8 03:24:22 UTC 2012

Hello Juan,

I strongly believe in Liberty. Liberty requires free software (http://www.gnu.org/philosophy/free-sw.html) and free documentation (http://www.gnu.org/philosophy/free-doc.html) (other licenses miss the point (http://www.gnu.org/philosophy/open-source-misses-the-point.html)). Thus, when I started OWASP we published under the GNU Licences (http://www.gnu.org/licenses/). The importance of liberty is more critical than ever. Proposals like SOPA (http://gizmodo.com/5870241/presented-without-comment-every-single-company-supporting-sopa-the-awful-internet-censorship-law) could easily take away enough liberties that even OWASP could no longer exist!

Ideally people would contribute to OWASP under the GNU Licenses (http://www.gnu.org/licenses/). Thus, I highly encourage people to use the GNU licenses (http://www.gnu.org/licenses/) as appropriate in their projects. This is the license that most guarantees liberty for everybody and thus to do the greatest good.

The O in OWASP is for Open; and the word open does not stand for 'open source' - the word open in OWASP denotes inclusive. Many security groups when OWASP was founded were exclusive and closed, members only clubs. Some even required fees to participate! Others are virtually secret societies that you can not join unless enough other people 'vouch' for you. Those exclusive groups have done very little if anything to improve the state of security. In contrast, OWASP has an enormous track record of success and impact demonstrating the very power and importance of inclusion. Note that open/inclusion is also transparency by its very nature, since it is open to all.

Therefore, if people are not comfortable with the GNU Licenses (http://www.gnu.org/licenses/) for whatever reason, I would prefer that people join and contribute to OWASP in whatever way is comfortable with their beliefs; after all, we are open to people who do not share our values - this is not an exclusive club! Once they experience the amazing energy and people of OWASP, I hope they will come to share our beliefs in liberty and understand why other licenses miss the point (http://www.gnu.org/philosophy/open-source-misses-the-point.html), and then they can choose the appropriate GNU license (http://www.gnu.org/licenses/) at that time.



Dennis Groves (http://about.me/dennis.groves), MSc
dennis.groves at gmail.com (mailto:dennis.groves at gmail.com)

On Sunday, 8 January 2012 at 01:02, Juan calderon wrote:

> Notice that not all OWASP projects are GPL, some are BSD licenced (like ESAPI) and other projects are under different open source licences.
> BSD is commercial friendly, so you can take ESAPI and create your own secure components implementation without any source code disclosure requirements.
> I would encourage those that ask you to give a check on the licences of the project of their interest to see what they can do with it and what limitations they might face.
> Regards, 
> Juan Carlos
> On Fri, Jan 6, 2012 at 8:49 AM, webgoat webgoat <webgoat at owasp.org (mailto:webgoat at owasp.org)> wrote:
> > 
> > All
> > 
> > What is the policy for the use of OWASP products in commercial solutions? Over the years I've been asked by many people if they could use WebGoat in training environments, most of these have been for in-house training at companies or use by educators in the classroom. Recently, I was asked if it was OK to use WebGoat in a commercial training solution and what the fee for the use of WebGoat is. I view this situation as slightly different than other requests and want to ensure I provide the proper OWASP guidance on this. Thoughts?
> > 
> > -- 
> > Bruce Mayhew
> > OWASP WebGoat Project Lead
> > 
> > _______________________________________________
> > OWASP-Leaders mailing list
> > OWASP-Leaders at lists.owasp.org (mailto:OWASP-Leaders at lists.owasp.org)
> > https://lists.owasp.org/mailman/listinfo/owasp-leaders
