[Owasp-leaders] OWASP Top 10/ Aspect Security Top 10

Tony UV tonyuv at owasp.org
Mon Jun 3 17:01:21 UTC 2013


Dennis is spot on on this - this popular banking site and news piece really
touts OWASP and the OWASP Top 10 more than anything.  As a reader, I don't
walk away with a feeling that Aspect is doing a shameless plug or that they
fathered the OWASP Top 10.  I think that Jeff's efforts are what we all
need to focus on in lieu of this ongoing conspiracy thread of
self-promotion for certain firms. I've spoken to several leaders and
although our vigilance around OWASP brand misuse should always be present,
it shouldn't overwhelm our focus of promoting the org and its content.

If we focused our energies in resolving the global marketing problem that
we have versus the lesser problem of OWASP name abuse, we may get to a
point where abuse of the brand is actually harmful.  I think all can agree
that the abuse of a poorly marketed brand (in general) is really negligent
b/c no one would care anyway.  Relating this back to OWASP, its not as well
known as we really think. For those that find this to be heretical to
OWASP, then take a look at the downloads page for the OWASP Top 10 over the
past 10 years and ask yourself if that is adequate volume for a flagship
product over the life of the org.   Also consider perhaps doing a personal
discovery project of simply going to a non-security conference with
non-security cliques/ groupies and engaging IT professionals, business
people leveraging web technologies, web developers, etc to see if OWASP
resonates in their discussions, SDLC, etc.  You'll find that the majority
of your interactions will have no idea of what you're talking about,
although materially interested in the subject.  Devoid of any formal survey
which I've recommended in the past, we can't really quantify or even
qualify the awareness level of OWASP, its mission, its products so this is
all circumstantial and biased based upon corporate interactions in spotted
global regional outlets.

Its important to keep in mind that the views and thoughts we hold to our
own content are vastly different from that of our customers.  This notion
is completely lost in a lot of our discussions b/c we think OWASP is really
that well known when its really not. I think content such as the one that
was on BankInfoSecurity.com is sorely needed and other examples need to
continuously imitate.  I also think that once we increase the awareness
level of what OWASP is and the products its developed over the years, then
the abuse cases will be far more material and relevant. I'm not saying that
we don't address them now, but in all truthfulness, brand misrepresentation
is really immaterial if the general public (beyond the security cliques,
self-crowned security demi-gods, divas, and groupies) don't know who you
are or what you're talking about.

Tony UV

On Sun, Jun 2, 2013 at 5:21 PM, Steven van der Baan <
steven.van.der.baan at owasp.org> wrote:

> On 02/06/2013 20:23, Dennis Groves wrote:
> > On 2 Jun 2013, at 11:28, Steven van der Baan wrote:
> >
> >> Hi All,
> >>
> >> After all the discussions on the list about the Top 10 and the
> >> involvement of Aspect Security I expected that it would stay more quite
> >> and relaxed until the final release of the OWASP top 10. Unfortunately
> >> the next posting was released - also via the OWASP Moderated New Feed:
> >> http://www.bankinfosecurity.com/blogs/owasp-top-ten-2013-p-1465 in
> which
> >> Jeff Williams is telling about the new - 'and improved'  Top 10 (even
> >> when it still is listed as release candidate and OWASP as an
> >> organization hasn't officially released it).
> >
> > So are you implying that it is an 'abuse of trust' for me to talk
> > about the 'upcoming features of AppSensor.'  I don't follow your
> > reasoning about why this is a problem?
> >
> > Jeff is **the project leader** and has an obligation and duty to raise
> > interest in the next version of the OWASP Top 10!
> >
> > Can you share with me your view of a project leaders role and duties?
> >
> >> When reading this blog post I got a negative feeling around it all. It
> >> appears to me that OWASP has lost the Top 10 as a project, and that it
> >> has become a marketing tool of Aspect Security (like the WhiteHat top
> >> 10, or Sans top 25). As far as I remember we pride ourselves in that our
> >> projects are vendor neutral, but considering how  this project is going
> >> I sincerely doubt that it's the case with this particular project
> >> (although I do hope that either Jeff or Dave have serious proof to
> >> convince me otherwise).
> >
> > There is nothing about Aspect in the article; save Jeff's author bio.
> > It talks about OWASP exclusively. This is nothing but good press for
> > OWASP.
> >
> > Without vendors, OWASP will cease to be relevant, what we do is
> > created by and consumed by companies.
> >
> > Can you explain to me and the others, your vision of how vendors and
> > companies would interact with OWASP? Maybe we can work on getting
> > those ideas into our policy documents?
> >
> >> And as such I am curious what the board is planning to do about this
> >> abuse of trust. Because their reaction to this will definitely set a
> >> president for other companies to take ownership of projects and use them
> >> as marketing tools.
> >
> >
> > Dennis
> >
> Hi Dennis,
> If you will talk about these upcoming features solely as a member of
> OWASP, no problem at all. I would even support it and retweet/post it as
> well. As long as the company/organization you are working for is not
> prominently involved, and this is my main issue regarding the top 10.
> This is where Dave - as the project leader - and Jeff as a huge
> contributor of the Top 10 are blurring the line for me. This is not the
> first article on the Top 10 in which Aspect Security is mentioned as the
> source for the article and if I start to notice that, others will as
> well.  Let me get this straight, I do appreciate all the work they have
> done on the awareness of the risks and the creation of the top 10. But
> in the end the reward of fame should go towards OWASP as an
> organization, not the company you -per chance- work for. That in my eyes
> will keep OWASP neutral in their recommendations and other works.
> The danger I see is that other companies can start 'claiming' projects
> when that project leader works for them and use that project as a
> marketing tool. OWASP projects should not be affiliated to a particular
> company, no matter how much that company donates towards OWASP. They may
> be credited as a supporter, but that's where - for me - it should stop.
> I had this problem with my current employer regarding the CTF project,
> but I negotiated that I only have to state that an CTF event is made
> possible by them and not created by them as they accept my time at those
> events as being 'on the clock'. It is a thin line here, but I believe
> that we have to make this really clear otherwise OWASP may loose it's
> reputation as being vendor neutral.
> Steven.
> _______________________________________________
> OWASP-Leaders mailing list
> OWASP-Leaders at lists.owasp.org
> https://lists.owasp.org/mailman/listinfo/owasp-leaders
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.owasp.org/pipermail/owasp-leaders/attachments/20130603/18dc7681/attachment.html>

More information about the OWASP-Leaders mailing list