[Owasp-leaders] Naming of 'OWASP' tools

Nikola Milosevic nikola.milosevic at owasp.org
Fri Dec 4 14:38:30 UTC 2015


Current policy is that all project do have OWASP prefix and I think it is
good and it is common practice around open source community. All Apache,
Mozilla, etc. projects do have the name of the foundations as prefix if I
am correct. And they are basically branding foundation, because these
communities without projects are almost nothing. I would like to believe,
however, as a project leader, I might be bias, that OWASP without projects
does not make too much sense.

People can meet on local level, promote app security, but I think what
gathers the people are projects (documentations or code, does not matter).
OWASP brand can help project get up and grow in a first place and when the
projects grow enough they will help OWASP to attract more people, funds,
and promote itself by other means. So I think there are mutual interest for
projects to be branded. I can understand that sometimes conflicts of
interest or low quality of projects could damage the brand, but it is
manageable risk, with respect of the benefits both could gain.

Second point I will make is that if project is not OWASP branded, I will
see not much interest for any project being anyhow affiliated with OWASP,
since project don't have too much benefit from it (financially or in any
other respect). Brand opens quite a few doors, attracts people to it and so
on, especially for small projects and without it, someone will have to make
me a different value proposition how to compensate it.

Pozdrav/Best regards,

Nikola Milošević
OWASP Seraphimdroid project leader
nikola.milosevic at owasp.org
OWASP - Open Web Application Security Project
<https://www.owasp.org/index.php/Main_Page>
OWASP Seraphimdroid Project
<https://www.owasp.org/index.php/OWASP_SeraphimDroid_Project>

On Fri, Dec 4, 2015 at 1:51 PM, Dinis Cruz <dinis.cruz at owasp.org> wrote:

> That is less of a problem if all OWASP projects are seen as research
> projects
>
> Then the dropping of the Owasp part of the name could be part of the
> project's maturity and evolution
>
> And btw, I don't expect that projects that evolve beyond Owasp to have no
> ties (and cross links) with Owasp
>
> Even in the scenario where ZAP has its own website and non-owasp name, I
> would still expect the Owasp home page (and projects page) to link to ZAP
> Foundation's website
> On 4 Dec 2015 11:47 am, "Munir Njiru" <munir.njiru at owasp.org> wrote:
>
>> Personally I don't see a conflict within this. Look at it this way for
>> new entrant projects tagged with the prefix OWASP on tools , this enables
>> someone see what new projects are on OWASP frankly most people get them via
>> google not via the project inventory list pars'e, Plus it would be easy to
>> distinguish what is truly under the OWASP umbrella versus what isn't
>> especially when it comes to opensource tools that attempt to accomplish the
>> same.
>>
>> Lets use ZAP as an example at incubator stage when no one knows what
>> tools are free to test based on OWASP top 10 they'd google it and get the
>> link to it from the OWASP titles someone would then identify the project.
>> If ZAP for instance exits OWASP and moved to for instance ZAP foundation
>> people would still look for it as OWASP ZAP , however while it has a new
>> home *"a simple line such as ZAP formally known as OWASP ZAP....." *would
>> suffice in explaining the change. This also ensures that people can follow
>> up on its roots which is ideally a good thing.
>>
>> My 2 cents.
>>
>> Munir Njenga,
>> OWASP Chapter Leader (Kenya) || Information Security Consultant ||
>> Developer
>> Mob   (KE) +254 (0) 734960670
>>
>> =============================
>> Chapter Page: www.owasp.org/index.php/Kenya
>> Email: munir.njiru at owasp.org
>> Facebook: https://www.facebook.com/OWASP.Kenya
>> Mailing List: https://lists.owasp.org/mailman/listinfo/owasp-Kenya
>>
>>
>> On Fri, Dec 4, 2015 at 1:18 PM, psiinon <psiinon at gmail.com> wrote:
>>
>>> A couple of people have pointed out on other threads that tools shouldnt
>>> really call themselves "OWASP XYZ Project" as (in most cases) the tools are
>>> not actually owned by OWASP.
>>> Documentation projects are another matter, so I'm not talking about
>>> those here.
>>>
>>> And I'm definitely one of the offenders, although in my defence I
>>> thought renaming ZAP to "OWASP ZAP" was actually acceptable and even
>>> expected ;)
>>>
>>> I think its worth us discussing this subject, regardless of what route
>>> we take with ZAP in the future.
>>>
>>> Should tools (code projects?) use "OWASP" in their name?
>>> And I'm not talking about the rules here - the rules can be amended to
>>> whatever we, the OWASP community, think are appropriate.
>>>
>>> Should we recommend (and maybe at some point in the future require)
>>> projects to use phrases like:
>>>
>>> Name: Zed Attack Proxy (ZAP)
>>> ZAP is an OWASP Flagship project
>>>
>>> I'm sure lots of people will carry on referring to "OWASP ZAP" whatever
>>> we do but changing the 'official' project names and documentation is still
>>> a good start (in my opinion).
>>>
>>> Cheers,
>>>
>>> Simon
>>>
>>> --
>>> OWASP ZAP <https://www.owasp.org/index.php/ZAP> Project leader
>>>
>>> _______________________________________________
>>> OWASP-Leaders mailing list
>>> OWASP-Leaders at lists.owasp.org
>>> https://lists.owasp.org/mailman/listinfo/owasp-leaders
>>>
>>>
>>
>> _______________________________________________
>> OWASP-Leaders mailing list
>> OWASP-Leaders at lists.owasp.org
>> https://lists.owasp.org/mailman/listinfo/owasp-leaders
>>
>>
> _______________________________________________
> OWASP-Leaders mailing list
> OWASP-Leaders at lists.owasp.org
> https://lists.owasp.org/mailman/listinfo/owasp-leaders
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.owasp.org/pipermail/owasp-leaders/attachments/20151204/8b3b3c2b/attachment-0001.html>


More information about the OWASP-Leaders mailing list