[Owasp-leaders] OWASP Top 10/ Aspect Security Top 10
Steven van der Baan
steven.van.der.baan at owasp.org
Sun Jun 2 21:21:09 UTC 2013
On 02/06/2013 20:23, Dennis Groves wrote:
> On 2 Jun 2013, at 11:28, Steven van der Baan wrote:
>> Hi All,
>> After all the discussions on the list about the Top 10 and the
>> involvement of Aspect Security I expected that it would stay more quite
>> and relaxed until the final release of the OWASP top 10. Unfortunately
>> the next posting was released - also via the OWASP Moderated New Feed:
>> http://www.bankinfosecurity.com/blogs/owasp-top-ten-2013-p-1465 in which
>> Jeff Williams is telling about the new - 'and improved' Top 10 (even
>> when it still is listed as release candidate and OWASP as an
>> organization hasn't officially released it).
> So are you implying that it is an 'abuse of trust' for me to talk
> about the 'upcoming features of AppSensor.' I don't follow your
> reasoning about why this is a problem?
> Jeff is **the project leader** and has an obligation and duty to raise
> interest in the next version of the OWASP Top 10!
> Can you share with me your view of a project leaders role and duties?
>> When reading this blog post I got a negative feeling around it all. It
>> appears to me that OWASP has lost the Top 10 as a project, and that it
>> has become a marketing tool of Aspect Security (like the WhiteHat top
>> 10, or Sans top 25). As far as I remember we pride ourselves in that our
>> projects are vendor neutral, but considering how this project is going
>> I sincerely doubt that it's the case with this particular project
>> (although I do hope that either Jeff or Dave have serious proof to
>> convince me otherwise).
> There is nothing about Aspect in the article; save Jeff's author bio.
> It talks about OWASP exclusively. This is nothing but good press for
> Without vendors, OWASP will cease to be relevant, what we do is
> created by and consumed by companies.
> Can you explain to me and the others, your vision of how vendors and
> companies would interact with OWASP? Maybe we can work on getting
> those ideas into our policy documents?
>> And as such I am curious what the board is planning to do about this
>> abuse of trust. Because their reaction to this will definitely set a
>> president for other companies to take ownership of projects and use them
>> as marketing tools.
If you will talk about these upcoming features solely as a member of
OWASP, no problem at all. I would even support it and retweet/post it as
well. As long as the company/organization you are working for is not
prominently involved, and this is my main issue regarding the top 10.
This is where Dave - as the project leader - and Jeff as a huge
contributor of the Top 10 are blurring the line for me. This is not the
first article on the Top 10 in which Aspect Security is mentioned as the
source for the article and if I start to notice that, others will as
well. Let me get this straight, I do appreciate all the work they have
done on the awareness of the risks and the creation of the top 10. But
in the end the reward of fame should go towards OWASP as an
organization, not the company you -per chance- work for. That in my eyes
will keep OWASP neutral in their recommendations and other works.
The danger I see is that other companies can start 'claiming' projects
when that project leader works for them and use that project as a
marketing tool. OWASP projects should not be affiliated to a particular
company, no matter how much that company donates towards OWASP. They may
be credited as a supporter, but that's where - for me - it should stop.
I had this problem with my current employer regarding the CTF project,
but I negotiated that I only have to state that an CTF event is made
possible by them and not created by them as they accept my time at those
events as being 'on the clock'. It is a thin line here, but I believe
that we have to make this really clear otherwise OWASP may loose it's
reputation as being vendor neutral.
More information about the OWASP-Leaders