[Owasp-leaders] OWASP Top 10 - 2013 Release Candidate Now Available

Andre Gironda andreg at gmail.com
Tue Feb 26 02:02:24 UTC 2013


Jim,

While I do adore Jeff Williams, Dave Wichers, and the entire Aspect
Security team -- I do enjoy and agree with what you're initially proposing
here as well.

To be honest, I'm not sure if the Mobile T10 is any better -- it seems that
WhiteHat Security and HP are vying for the title to its content.

The T10 projects are really non-scientific and biased studies to begin
with. Maybe we should get rid of them entirely, or merge them into a new
project?



On Mon, Feb 25, 2013 at 6:51 PM, Jim Manico <jim.manico at owasp.org> wrote:

> WebGoat is actively being maintained by Bruce Mayhew at a different
> company. 5.4 was released recently.
>
> I believe that you and Dave are in a clear conflict-of-interest situation
> around the OWASP top ten since you own an AppSec firm. We should probably
> move to a consensus approach and have more folks as the final decision
> makers for the OWASP Top Ten content like we do at the Top Ten Mobile
> project.
>
> --
> Jim Manico
> @Manicode
> (808) 652-3805
>
> On Feb 25, 2013, at 2:31 PM, Jeff Williams <jeff.williams at owasp.org>
> wrote:
>
> Hi,
>
> It's not fair to retroactively change the terms of the agreement under
> which we agreed to donate WebGoat, Top Ten, and others.  There were
> excellent reasons for OWASP to actively recruit projects from organizations
> and part of that agreement was to allow corporate branding.  Some may think
> that those justifications have changed.  Personally I do not.
>
> To me, the best future for OWASP (the one where we start to achieve our
> mission) is the one where all the players in the entire ecosystem --
> commercial and non-commercial alike -- can interact.  I believe that OWASP
> can provide the platform for that ecosystem to grow and thrive. IMHO,
> engaging with commercial entities and getting them to share their
> intellectual property in a free and open way as Aspect has done is the only
> viable route to achieving our mission.
>
> But whether OWASP decides to attract future commercially sponsored
> projects or not, and I definitely hope they do, changing the deal now isn't
> right.
>
> --Jeff
>
>
>
> On Thu, Feb 21, 2013 at 4:29 AM, psiinon <psiinon at gmail.com> wrote:
>
>> I think that there should only be OWASP and/or the project logos on
>> the 'front' and 'main' pages of a project.
>> So for a documentation one then that really would be the front page, and
>> for tools that would be the first and most commonly used screens.
>> I don't have a problem with reasonably sized Corporate logos on a Sponsors
>> or Supporters page.
>> So as it happens I'm fine with the Aspect logo on the new Top 10 RC,
>> although I can't comment on whether other logos should be there as well.
>> And the previous WebGoat would fail this test, but could pass if the logo
>> was moved onto a separate Sponsors page.
>> But I'm uncomfortable with the idea of sponsors of the cheat sheets -
>> they are all 'front' page and so should be sponsor free.
>>
>> I think the key thing is whether someone new to the project would be
>> confused as to whether this was an OWASP project, a Company XYZ project or
>> a joint project. It should be obvious that it's the first of these.
>>
>> So yes, I think spelling out these sort of things is worthwhile, but it's
>> the spirit of the thing that's important as there's always the possibility of
>> someone trying to subvert that while keeping to the 'letter of the law'.
>>
>> Cheers,
>>
>> Simon
>>
>>
>> On Thu, Feb 21, 2013 at 9:11 AM, Jim Manico <jim.manico at owasp.org> wrote:
>>
>>> I like this idea and will suggest to Samantha that we codify it as a
>>> project rule moving forward.
>>>
>>> 1) So for WebGoat (as an example), this would mean we would remove the
>>> current logos in the next version and replace it with a link to the wiki
>>> sponsor page for WebGoat. I like this, reasonable?
>>>
>>>  2) What about content? Should we allow corporate logos on "release"
>>> versions of content like the different dev/testing guides, top ten or the
>>> cheat sheets?
>>>
>>> I know this is a bit pedantic, but I'd like to set a clear policy here
>>> so we are all playing with the same project rules. Your opinions all matter.
>>>
>>> Thanks all,
>>>
>>> --
>>> Jim Manico
>>> @Manicode
>>> (808) 652-3805
>>>
>>> On Feb 21, 2013, at 5:43 PM, psiinon <psiinon at gmail.com> wrote:
>>>
>>> We do exactly that for ZAP:
>>> https://www.owasp.org/index.php/OWASP_Zed_Attack_Proxy_Project#Sponsors
>>>
>>> So +1 from me
>>>
>>> On Wed, Feb 20, 2013 at 2:21 PM, Ryan Barnett <ryan.barnett at owasp.org> wrote:
>>>
>>>> I mentioned the same thing to Jim yesterday.  One idea is to add a TAB to
>>>> the default project template pages for "Project Sponsors" like this -
>>>>
>>>> https://www.owasp.org/index.php/Category:OWASP_ModSecurity_Core_Rule_Set_Project#Project_Sponsors
>>>>
>>>>
>>>> -Ryan
>>>>
>>>> On 2/20/13 2:40 AM, "Jim Manico" <jim.manico at owasp.org> wrote:
>>>>
>>>> >> I would suggest having a dedicated page in the wiki that list project
>>>> >>sponsors instead of having logos everywhere.
>>>> >
>>>> >This is the kind of compromise over vendor-neutrality that I can get
>>>> >behind.
>>>> >
>>>> >I am not at all anti-vendor, I just want our community - especially
>>>> >leaders - to respect ethical boundaries that were set by the founders
>>>> >years ago.
>>>> >
>>>> >We have conferences with vendor showcases, that is not going to stop. We
>>>> >have "networking" events where vendors are allowed to participate. We
>>>> >have wonderful corporate sponsors who we place on our website. These are
>>>> >all reasonable OWASP/vendor relations.
>>>> >
>>>> >The devil is in the detail, and I agree we need to work on better "use
>>>> >and abuse" cases to make these boundaries a lot more clear to the
>>>> >community.
>>>> >
>>>> >Respectfully,
>>>> >--
>>>> >Jim O'Manic
>>>> >@Manicode
>>>> >
>>>> >
>>>> >
>>>> >On 2/19/13 2:03 PM, Amro wrote:
>>>> >> I would suggest having a dedicated page in the wiki that list project
>>>> >>sponsors instead of having logos everywhere.
>>>> >>
>>>> >> My 2 cents.
>>>> >> Sent from BlackBerry®. Excuse typo's and brevity.
>>>> >>
>>>> >> -----Original Message-----
>>>> >> From: Konstantinos Papapanagiotou <konstantinos at owasp.org>
>>>> >> Sender: owasp-leaders-bounces at lists.owasp.org
>>>> >> Date: Tue, 19 Feb 2013 22:31:29
>>>> >> To: psiinon<psiinon at gmail.com>
>>>> >> Cc: OWASP Leaders<owasp-leaders at lists.owasp.org>
>>>> >> Subject: Re: [Owasp-leaders] OWASP Top 10 - 2013 Release Candidate Now Available
>>>> >>
>>>> >> _______________________________________________
>>>> >> OWASP-Leaders mailing list
>>>> >> OWASP-Leaders at lists.owasp.org
>>>> >> https://lists.owasp.org/mailman/listinfo/owasp-leaders
>>>> >>
>>>> >>
>>>> >
>>>>
>>>>
>>>>
>>>
>>>
>>>
>>> --
>>> OWASP ZAP <https://www.owasp.org/index.php/ZAP> Project leader
>>>
>>>
>>
>>
>> --
>> OWASP ZAP <https://www.owasp.org/index.php/ZAP> Project leader
>>
>>
>>
>
>
>
>