[Owasp-leaders] Branding rules

Dirk Wetter dirk at owasp.org
Thu Nov 13 12:41:58 UTC 2014


Hi folks,

I find it quite important that our branding rules https://owasp.org/index.php/Marketing/Resources#tab=BRAND_GUIDELINES
are clear. But IMO they are not and for my taste they are way too relaxed.


In detail:

--
3. OWASP Brand may be used by OWASP Members in good standing to promote a person or company's involvement in OWASP.
--

Isn't this a conflict with a commercial endorsement? How is an involvement
defined and who defines it? And what is allowed: To put a company logo on the OWASP
web site or an OWASP logo on the company's web site? Or may I as a consultant
and OWASP member put an OWASP logo on my commercial web site -- not that I want to.

Let's say an employee of company A edits the OWASP website and as a consequence puts
an OWASP logo on their website. Pretty good marketing, right? What about companies
who do a bit more than this: are they allowed to do the same?  Or is another company B
allowed to hand out flyers or other materials with an OWASP logo on it?

Here the circumstances are not clear to me, as well as the definitions of "good
standing" and "involvement". And it goes way too far for me.

--
4. The OWASP Brand may be used in association with an application security assessment only if a complete and detailed methodology, sufficient to reproduce the results, is disclosed.

So a commercial pentesting company or a vendor which sells a product (black
box scanner) or a similar SaaS service may use the OWASP logo if they match
the condition of "a complete and detailed methodology"?

That is IMO too much for me too.


--
5. The OWASP Brand must not be used in a manner that suggests that The OWASP Foundation supports, advocates, or recommends any particular product or technology.

On one hand that might clarify the points above a bit -- but still leaves room for interpretation.
So, is one allowed to use the OWASP logo or not? I would read this that using an OWASP logo on
a commercial web site suggests that OWASP Foundation supports, advocates, or recommends something
and thus it is not allowed. A sales guy may read this differently.

That appears not clear enough to me. And: I believe we shouldn't allow the usage
of the OWASP logo on commercial web sites at all.


--
6.-8.
The OWASP Brand must not be used in a manner that suggests that a product or technology is compliant with any OWASP Materials other than an OWASP Published Standard.
The OWASP Brand must not be used in a manner that suggests that a product or technology can enable compliance with any OWASP Materials other than an OWASP Published Standard.
The OWASP Brand must not be used in any materials that could mislead readers by narrowly interpreting a broad application security category. For example, a vendor product that can find or protect against forced browsing must not claim that they address all of the access control category.

Those three actually narrow the usage -- which is in principle not bad -- however OTOH the narrowing
suggests to me that everything else would be allowed.


Am I missing something or is it just me (language problem)?



Cheers, Dirk




-- 
German OWASP Board, (Chair AppSec Research 2013, German OWASP Day 2014)
Send me encrypted mails (Key ID 0xB818C039)
