[Owasp-leaders] Naming of 'OWASP' tools

Liam Smit liam.smit at gmail.com
Fri Dec 4 14:49:59 UTC 2015


On Fri, Dec 4, 2015 at 4:38 PM, Nikola Milosevic
<nikola.milosevic at owasp.org> wrote:
> Current policy is that all projects do have OWASP prefix and I think it is
> good and it is common practice around open source community. All Apache,
> Mozilla, etc. projects do have the name of the foundations as prefix if I am
> correct. And they are basically branding foundation, because these
> communities without projects are almost nothing. I would like to believe,
> however, as a project leader, I might be biased, that OWASP without projects
> does not make too much sense.
> People can meet on local level, promote app security, but I think what
> gathers the people are projects (documentations or code, does not matter).
> OWASP brand can help project get up and grow in a first place and when the
> projects grow enough they will help OWASP to attract more people, funds, and
> promote itself by other means. So I think there is mutual interest for
> projects to be branded. I can understand that sometimes conflicts of
> interest or low quality of projects could damage the brand, but it is
> manageable risk, with respect of the benefits both could gain.
> Second point I will make is that if project is not OWASP branded, I will see
> not much interest for any project being anyhow affiliated with OWASP, since
> projects don't have too much benefit from it (financially or in any other
> respect). Brand opens quite a few doors, attracts people to it and so on,
> especially for small projects and without it, someone will have to make me a
> different value proposition how to compensate it.
> Pozdrav/Best regards,
> Nikola Milošević
> OWASP Seraphimdroid project leader
> nikola.milosevic at owasp.org
> OWASP - Open Web Application Security Project
> OWASP Seraphimdroid Project
> On Fri, Dec 4, 2015 at 1:51 PM, Dinis Cruz <dinis.cruz at owasp.org> wrote:
>> That is less of a problem if all OWASP projects are seen as research
>> projects
>> Then the dropping of the Owasp part of the name could be part of the
>> project's maturity and evolution
>> And btw, I don't expect that projects that evolve beyond Owasp to have no
>> ties (and cross links) with Owasp
>> Even in the scenario where ZAP has its own website and non-owasp name, I
>> would still expect the Owasp home page (and projects page) to link to ZAP
>> Foundation's website
>> On 4 Dec 2015 11:47 am, "Munir Njiru" <munir.njiru at owasp.org> wrote:
>>> Personally I don't see a conflict within this. Look at it this way for
>>> new entrant projects tagged with the prefix OWASP on tools, this enables
>>> someone see what new projects are on OWASP frankly most people get them via
>>> google not via the project inventory list per se. Plus it would be easy to
>>> distinguish what is truly under the OWASP umbrella versus what isn't
>>> especially when it comes to open source tools that attempt to accomplish the
>>> same.
>>> Let's use ZAP as an example at incubator stage when no one knows what
>>> tools are free to test based on OWASP top 10 they'd google it and get the
>>> link to it from the OWASP titles someone would then identify the project. If
>>> ZAP for instance exits OWASP and moved to for instance ZAP foundation people
>>> would still look for it as OWASP ZAP, however while it has a new home "a
>>> simple line such as ZAP formerly known as OWASP ZAP....." would suffice in
>>> explaining the change. This also ensures that people can follow up on its
>>> roots which is ideally a good thing.
>>> My 2 cents.
>>> Munir Njenga,
>>> OWASP Chapter Leader (Kenya) || Information Security Consultant ||
>>> Developer
>>> Mob   (KE) +254 (0) 734960670
>>> =============================
>>> Chapter Page: www.owasp.org/index.php/Kenya
>>> Email: munir.njiru at owasp.org
>>> Facebook: https://www.facebook.com/OWASP.Kenya
>>> Mailing List: https://lists.owasp.org/mailman/listinfo/owasp-Kenya
>>> On Fri, Dec 4, 2015 at 1:18 PM, psiinon <psiinon at gmail.com> wrote:
>>>> A couple of people have pointed out on other threads that tools shouldn't
>>>> really call themselves "OWASP XYZ Project" as (in most cases) the tools are
>>>> not actually owned by OWASP.
>>>> Documentation projects are another matter, so I'm not talking about
>>>> those here.
>>>> And I'm definitely one of the offenders, although in my defence I
>>>> thought renaming ZAP to "OWASP ZAP" was actually acceptable and even
>>>> expected ;)
>>>> I think it's worth us discussing this subject, regardless of what route
>>>> we take with ZAP in the future.
>>>> Should tools (code projects?) use "OWASP" in their name?
>>>> And I'm not talking about the rules here - the rules can be amended to
>>>> whatever we, the OWASP community, think are appropriate.
>>>> Should we recommend (and maybe at some point in the future require)
>>>> projects to use phrases like:
>>>> Name: Zed Attack Proxy (ZAP)
>>>> ZAP is an OWASP Flagship project
>>>> I'm sure lots of people will carry on referring to "OWASP ZAP" whatever
>>>> we do but changing the 'official' project names and documentation is still a
>>>> good start (in my opinion).
>>>> Cheers,
>>>> Simon
>>>> --
>>>> OWASP ZAP Project leader
>>>> _______________________________________________
>>>> OWASP-Leaders mailing list
>>>> OWASP-Leaders at lists.owasp.org
>>>> https://lists.owasp.org/mailman/listinfo/owasp-leaders