[Owasp-leaders] OWASP Top 10 - 2013 Release Candidate Now Available

Jim Manico jim.manico at owasp.org
Tue Feb 26 01:51:15 UTC 2013


WebGoat is actively being maintained by Bruce Mayhew at a different
company. 5.4 was released recently.

I believe that you and Dave are in a clear conflict-of-interest situation
around the OWASP top ten since you own an AppSec firm. We should probably
move to a consensus approach and have more folks as the final decision
makers for the OWASP Top Ten content like we do at the Top Ten Mobile
project.

--
Jim Manico
@Manicode
(808) 652-3805

On Feb 25, 2013, at 2:31 PM, Jeff Williams <jeff.williams at owasp.org> wrote:

Hi,

It's not fair to retroactively change the terms of the agreement under
which we agreed to donate WebGoat, Top Ten, and others.  There were
excellent reasons for OWASP to actively recruit projects from organizations
and part of that agreement was to allow corporate branding.  Some may think
that those justifications have changed.  Personally I do not.

To me, the best future for OWASP (the one where we start to achieve our
mission) is the one where all the players in the entire ecosystem --
commercial and non-commercial alike -- can interact.  I believe that OWASP
can provide the platform for that ecosystem to grow and thrive. IMHO,
engaging with commercial entities and getting them to share their
intellectual property in a free and open way as Aspect has done is the only
viable route to achieving our mission.

But whether OWASP decides to attract future commercially sponsored projects
or not, and I definitely hope they do, changing the deal now isn't right.

--Jeff



On Thu, Feb 21, 2013 at 4:29 AM, psiinon <psiinon at gmail.com> wrote:

> I think that there should only be OWASP and/or the project logos on the
> 'front' and 'main' pages of a project.
> So for a documentation one then that really would be the front page, and
> for tools that would be the first and most commonly used screens.
> I don't have a problem with reasonably sized Corporate logos on a Sponsors
> or Supporters page.
> So as it happens I'm fine with the Aspect logo on the new Top 10 RC,
> although I can't comment on whether other logos should be there as well.
> And the previous WebGoat would fail this test, but could pass if the logo
> was moved onto a separate Sponsors page.
> But I'm uncomfortable with the idea of sponsors of the cheat sheets - they
> are all 'front' page and so should be sponsor free.
>
> I think the key thing is whether someone new to the project would be
> confused as to whether this was an OWASP project, a Company XYZ project or
> a joint project. It should be obvious that it's the first of these.
>
> So yes, I think spelling out these sort of things is worthwhile, but it's
> the spirit of the thing that's important as there's always the possibility of
> someone trying to subvert that while keeping to the 'letter of the law'.
>
> Cheers,
>
> Simon
>
>
> On Thu, Feb 21, 2013 at 9:11 AM, Jim Manico <jim.manico at owasp.org> wrote:
>
>> I like this idea and will suggest to Samantha that we codify it as a
>> project rule moving forward.
>>
>> 1) So for WebGoat (as an example), this would mean we would remove the
>> current logos in the next version and replace them with a link to the wiki
>> sponsor page for WebGoat. I like this, reasonable?
>>
>> 2) What about content? Should we allow corporate logos on "release"
>> versions of content like the different dev/testing guides, top ten or the
>> cheat sheets?
>>
>> I know this is a bit pedantic, but I'd like to set a clear policy here so
>> we are all playing with the same project rules. Your opinions all matter.
>>
>> Thanks all,
>>
>> --
>> Jim Manico
>> @Manicode
>> (808) 652-3805
>>
>> On Feb 21, 2013, at 5:43 PM, psiinon <psiinon at gmail.com> wrote:
>>
>> We do exactly that for ZAP:
>> https://www.owasp.org/index.php/OWASP_Zed_Attack_Proxy_Project#Sponsors
>>
>> So +1 from me
>>
>> On Wed, Feb 20, 2013 at 2:21 PM, Ryan Barnett <ryan.barnett at owasp.org> wrote:
>>
>>> I mentioned the same thing to Jim yesterday.  One idea is to add a TAB to
>>> the default project template pages for "Project Sponsors" like this -
>>>
>>> https://www.owasp.org/index.php/Category:OWASP_ModSecurity_Core_Rule_Set_Project#Project_Sponsors
>>>
>>>
>>> -Ryan
>>>
>>> On 2/20/13 2:40 AM, "Jim Manico" <jim.manico at owasp.org> wrote:
>>>
>>> >> I would suggest having a dedicated page in the wiki that lists project
>>> >>sponsors instead of having logos everywhere.
>>> >
>>> >This is the kind of compromise over vendor-neutrality that I can get
>>> >behind.
>>> >
>>> >I am not at all anti-vendor, I just want our community - especially
>>> >leaders - to respect ethical boundaries that were set by the founders
>>> >years ago.
>>> >
>>> >We have conferences with vendor showcases, that is not going to stop. We
>>> >have "networking" events where vendors are allowed to participate. We
>>> >have wonderful corporate sponsors who we place on our website. These are
>>> >all reasonable OWASP/vendor relations.
>>> >
>>> >The devil is in the detail, and I agree we need to work on better "use
>>> >and abuse" cases to make these boundaries a lot more clear to the
>>> >community.
>>> >
>>> >Respectfully,
>>> >--
>>> >Jim O'Manic
>>> >@Manicode
>>> >
>>> >
>>> >
>>> >On 2/19/13 2:03 PM, Amro wrote:
>>> >> I would suggest having a dedicated page in the wiki that lists project
>>> >>sponsors instead of having logos everywhere.
>>> >>
>>> >> My 2 cents.
>>> >> Sent from BlackBerry®. Excuse typo's and brevity.
>>> >>
>>> >> -----Original Message-----
>>> >> From: Konstantinos Papapanagiotou <konstantinos at owasp.org>
>>> >> Sender: owasp-leaders-bounces at lists.owasp.org
>>> >> Date: Tue, 19 Feb 2013 22:31:29
>>> >> To: psiinon<psiinon at gmail.com>
>>> >> Cc: OWASP Leaders<owasp-leaders at lists.owasp.org>
>>> >> Subject: Re: [Owasp-leaders] OWASP Top 10 - 2013 Release Candidate Now
>>> >>      Available
>>> >>
>>> >> _______________________________________________
>>> >> OWASP-Leaders mailing list
>>> >> OWASP-Leaders at lists.owasp.org
>>> >> https://lists.owasp.org/mailman/listinfo/owasp-leaders
>>> >>
>>>
>>>
>>
>>
>>
>> --
>> OWASP ZAP <https://www.owasp.org/index.php/ZAP> Project leader
>>
>>
>
>
> --
> OWASP ZAP <https://www.owasp.org/index.php/ZAP> Project leader
>