[Owasp-leaders] [Owasp-board] OWASP Benchmark project - potential conflict of interest

Tobias Glemser tobias.glemser at owasp.org
Mon Nov 30 17:27:51 UTC 2015


> At the _very_ least it should flag the project as being 'in dispute' (as Kevin
> suggested) while a more detailed evaluation is performed.
+1 

The conflict is clear from scrolling through all those e-mails, blogs, etc. Until it's sorted out we need a clarification visible to everyone; the Benchmark project's status is heavily discussed within the community at the moment. 

> -----Original Message-----
> From: owasp-leaders-bounces at lists.owasp.org [mailto:owasp-leaders-
> bounces at lists.owasp.org] On Behalf Of psiinon
> Sent: Monday, 30 November 2015 18:18
> To: Jim Manico
> Cc: OWASP Foundation Board List; owasp-leaders at lists.owasp.org
> Subject: Re: [Owasp-leaders] [Owasp-board] OWASP Benchmark project -
> potential conflict of interest [ Z1 UNSECURED ]
> 
> I'd like to start by saying that I actually _like_ the Benchmark project.
> Myself and other ZAP developers have made some contributions to it, and
> we have used (and will continue to use) it to make ZAP better.
> I think these sort of testing applications are very valuable to all security tools,
> and I'd like to thank Dave and his team for the significant amount of effort
> involved in developing and open sourcing it.
> 
> But I don't think it should be an OWASP project.
> I do not think that a vendor led project can ever objectively evaluate
> competing commercial and open source projects.
> I do not think that just saying 'pull requests welcomed' makes a project
> vendor neutral.
> I do not think that a project as mired in controversy as the Benchmark project
> can ever recover to become truly independent.
> 
> I am very disappointed in the Board's handling of this affair.
> 
> Ideally I'd like Dave to understand how much damage this project has done
> and to withdraw it as an OWASP project, while still maintaining it as a very
> valuable vendor led open source resource.
> 
> Failing that I really hope that the Board comes to its senses and ejects the
> Benchmark project before even more damage is done.
> At the _very_ least it should flag the project as being 'in dispute' (as Kevin
> suggested) while a more detailed evaluation is performed.
> 
> However I'm rapidly losing faith that the Board will do the right thing
> and protect OWASP's image in the way that they should have already done.
> Members - please make your voices heard before more people and projects
> leave OWASP.
> 
> Simon
> 
> 
> On Sat, Nov 28, 2015 at 5:14 AM, Jim Manico <jim.manico at owasp.org>
> wrote:
> 
> 
> 	WAFEC does not "do vendor assessment"; they define a
> comprehensive standard built by many vendors and let the community use
> that standard to measure tools on their own. Just a FYI, I was involved in the
> early version of this project. (Things may have changed since my
> involvement, I'm sure Tony has more details here)
> 
> 	Johanna's comments on this issue lead me to believe that the
> damage done to both OWASP and DHS is even more destructive than I
> thought. It saddens me to see this level of abuse just to sell product.
> 
> 
> 	--
> 	Jim Manico
> 	Global Board Member
> 	OWASP Foundation
> 	https://www.owasp.org
> 	Join me in Rome for AppSecEU 2016!
> 
> 	On Nov 28, 2015, at 2:40 AM, Josh Sokol <josh.sokol at owasp.org>
> wrote:
> 
> 
> 
> 		One of the ideas that Andrew proposed was actually
> approaching WAFEC to learn more about how they do vendor assessment in
> a neutral way.  It's great to hear that we have a resource here already that
> we can leverage.  I wasn't aware of your affiliation.
> 
> 		~josh
> 
> 		On Nov 27, 2015 2:47 PM, "Tony Turner"
> <tony.turner at owasp.org> wrote:
> 
> 
> 			I sincerely hope so. That's not the impression I got
> from others comments. Personally I haven't used the tool at all, but as I'm
> the project lead for another product evaluation project (WAFEC) I'm very
> sensitive to the need for collaboration with many different vendors. There
> really has to be a very high level (almost paranoid level) transparency with
> how vendors are approached, worked with, how requirements for
> evaluation are defined, and how metrics are derived.
> 
> 			It appears the project team is attempting to address
> these last 2 somewhat but I'd like to see more specifics, and the lack of
> information on how they are addressing vendor communication,
> participation and transparency seems a bit concerning. Lastly, it is my opinion
> that project leadership should not belong to anyone working for or with a
> partnership/ownership stake for any vendor being evaluated. I think this is a
> flawed model and should transition to a vendor neutral party.
> 
> 			On Nov 27, 2015 3:16 PM, "Josh Sokol"
> <josh.sokol at owasp.org> wrote:
> 
> 
> 				I don't know what qualifies as "significant" in
> your mind, but my understanding is that there have been contributions from
> other vendors:
> 
> 
> 	https://www.owasp.org/index.php/Benchmark#tab=Acknowledgements
> 
> 
> 				Still, Dave would like more, but he can't force
> them to help.
> 
> 
> 				~josh
> 
> 
> 				On Fri, Nov 27, 2015 at 1:45 PM, Tony Turner
> <tony.turner at owasp.org> wrote:
> 
> 
> 					While I can appreciate that they
> started with Contrast, if there hasn't been significant effort to include other
> vendors it's a worthless benchmark. It's easy to state you haven't gotten
> support from other vendors and that's fine, but until you do there's really
> nothing to release. Why was it ever upgraded? Talking about the results
> without an accurate comparative analysis is akin to snake oil.
> 
> 					On Nov 27, 2015 1:49 PM, "Josh Sokol"
> <josh.sokol at owasp.org> wrote:
> 
> 
> 						Thank you for the links to
> those articles.  The first one discusses the strengths and weaknesses of the
> different methods of evaluating for application vulnerabilities.  The section
> on the Benchmark seems wholly appropriate to me.  That seems like an
> excellent description of what the project is designed to do.  I see some
> metrics in there about which tools are more effective on which types of
> vulnerabilities, but I don't see him straight up saying "The OWASP Benchmark
> proves that Contrast is better".  This seems like statements made based on
> some level of testing and research.  Honestly, I don't see any OWASP brand
> abuse in that article.  Whether it's in good taste or not at this stage in the
> project is certainly debatable, but if you look at the brand usage guidelines
> (https://www.owasp.org/index.php/Marketing/Resources#tab=BRAND_GUIDELINES),
> I don't see any violations.  We need to govern to policy here which
> is why Paul and Noreen are evaluating changes to the guidelines and our
> enforcement policies to make abuse more difficult.
> 
> 
> 						The second article is a
> competing vendor's reaction to the first.  He makes some good points about
> the issues with Benchmark, but he also says that he hopes that it will be
> improved over time, and Dave has committed to that.  What I don't see is the
> vendor saying "...and Veracode has committed resources to help make the
> Benchmark more accurate across all tool sets".  The Benchmark page is pretty
> clear that it does its best to provide a benchmark without working exactly
> like a real-world application.  Maybe some more disclaimer text about where
> the project is at today would be in order to validate some of Chris' concerns,
> but I hardly see this as "brand abuse" or a reason to demote the project.
> 
> 
> 						Please consider that I have
> spoken with both Dave and Jeff on this topic and read much of the
> discussions around it before formulating my opinion.  I doubt that you have
> done the same so I'm not sure how you can claim that you have researched
> the issues and all parties involved when you haven't even spoken with the
> two people whom you are accusing of impropriety.  I have no bias here.  I am
> simply speaking with the individuals involved, looking at the current OWASP
> policies and guidelines, and helping to determine our next steps.
> 
> 
> 						~josh
> 
> 
> 						On Fri, Nov 27, 2015 at 12:22
> PM, johanna curiel curiel <johanna.curiel at owasp.org> wrote:
> 
> 
> 							>>While I agree with
> you that there has been some brand abuse, it was abuse by Contrast
> (specifically their marketing department), and not by "these gentlemen" as
> you state.
> 
> 							Really? ...'some brand
> abuse'... this is more than brand abuse.
> 
> 
> 
> 							Josh , please read also
> the article written by Jeff
> 
> 	http://www.darkreading.com/vulnerabilities---threats/why-its-insane-to-trust-static-analysis/a/d-id/1322274?
> 
> 
> 
> 							And Veracode's
> reaction including others in Twitter
> 
> 	https://www.veracode.com/blog/2015/09/no-one-technology-silver-bullet
> 
> 
> 							My strong advice is to
> research the issues and all the parties involved before making statements
> 
> 
> 
> 
> 							On Fri, Nov 27, 2015 at
> 2:07 PM, Josh Sokol <josh.sokol at owasp.org> wrote:
> 
> 
> 								Jim,
> 
> 
> 								A concern was
> expressed to the Board and, frankly, I am insulted by you saying that this was
> "brushed under the rug".  The Board delegated Matt to talk with Dave and
> they had a lengthy conversation on the subject.  The Board delegated me to
> talk with Jeff and we had a lengthy conversation on the subject.  If you do
> not trust in our abilities to read people, ask the right questions, and provide
> honest feedback about our conversations, then that's a bigger issue that we
> should take offline.  After our conversations, we took the time to call a
> special two-hour session of the Board in order to discuss this subject (and
> only this subject).  We spoke about all facets of the issue at hand, about the
> challenges and possible solutions, and concluded on some very concrete
> next steps.
> 
> 								While I agree
> with you that there has been some brand abuse, it was abuse by Contrast
> (specifically their marketing department), and not by "these gentlemen" as
> you state.  Unless you can point to some sort of evidence showing that Jeff
> and/or Dave first-hand abused the brand, then I believe that you are
> speaking with your heart instead of with your head.  I appreciate your
> passion, but I label this as conspiracy theory because without evidence to
> support your claims, I cannot accept it as anything other.
> 
> 
> 								~josh
> 
> 
> 								On Fri, Nov 27,
> 2015 at 11:39 AM, Jim Manico <jim.manico at owasp.org> wrote:
> 
> 
> 									Josh,
> 
> 									I stand
> by my comments and perspective, but I'm disheartened that you consider
> my presentation of facts (and the concerns of many active members of our
> community) as a "conspiracy theory".
> 
> 									In my
> experience, these kind of comments border on insults and only cause folks
> to harden their opinions.
> 
> 									Once
> again I feel these gentlemen got away with a kind of brand abuse that is very
> hurtful to the OWASP community but I am at a loss as to how handle or
> prevent these kinds of mishaps - especially when board members like
> yourself seem willing to - from what I see - brush it under the rug.
> 
> 
> 									--
> 									Jim
> Manico
> 									Global
> Board Member
> 									OWASP
> Foundation
> 
> 	https://www.owasp.org
> 									Join me
> in Rome for AppSecEU 2016!
> 
> 									On Nov
> 27, 2015, at 7:23 PM, Josh Sokol <josh.sokol at owasp.org> wrote:
> 
> 
> 
> 
> 	Admittedly, this was my gut reaction at first as well.  I began linking all
> of these companies, people, and projects together in my mind (there are
> some loose links there) and painted a big conspiracy picture similar to what
> Jim and Dinis have stated.  But, after speaking directly with Jeff, and hearing
> about the conversation that Dave and Matt had, I've changed my mind.
> 
> 
> 
> 	I think it begins with the project itself.  If you aren't sold on the idea
> of the Benchmark, then you'll never be able to get to the same place.  My
> original line of thinking was that it was just a bar for vendors to compare their
> tools against each other, but that's a bit myopic.  We are in an industry where
> things evolve very quickly.  As a customer of these tools, I know firsthand
> that something that a tool does today may not be the case a week from now.
> Likewise, new features are being added daily and I need a point-in-time
> metric to be able to gauge continual effectiveness.  Cool, right?  But not a
> game changer.  The game changer part comes when you realize that by
> developing and evolving the tests that go into the Benchmark, we are
> moving the bar higher and higher.  We (OWASP) are effectively setting the
> standard by which these tools will be compared.  A tool that receives a lower
> score on the Benchmark today knows exactly what they need to work on in
> order to pass that test tomorrow and we already have examples of tools that
> have made improvements because of their Benchmark score (Ask Simon
> about ZAP's experience with the Benchmark).  I don't think that anyone can
> argue that the Benchmark project isn't being effective when OWASP's own
> tools are being driven forward as a result of using it.
> 
> 
> 
> 	But, but, but, Dave and Jeff own Aspect and have stock in Contrast
> and Jeff is the Contrast CTO and Contrast got good scores so it's a conspiracy
> right?  Is there some code that allows Contrast to use the Benchmark?
> Absolutely.  Can you really blame Dave for starting his testing on the
> effectiveness of the Benchmark with a tool that he owned and is familiar
> with?  If I were going to start a similar project, there's no question in my mind
> that I would begin my testing with the tools that I have available to me.  That
> said, is there code that allows other tools to use the Benchmark?  Absolutely.
> 
> 
> 
> 	Regarding "Dave has a history of breaching his duty to be vendor
> neutral", while I cannot comment on his past actions, I can judge what we've
> seen recently.  Matt saw a presentation from Dave on the Benchmark at a
> conference in Chicago.  He said that he felt that the message was appropriate
> and while IAST tools were mentioned as receiving higher scores, it wasn't a
> "Contrast is the best" type of message, more of a generality.  I saw a very
> similar (if not the same) talk by Jeff at LASCON 2015 and the message was
> exactly the same.  I watched the talk expecting some sort of impropriety, but
> found none.  So, perhaps Dave has abused some privilege granted to him in
> the past, but what I've seen from him at this point, with respect to the
> Benchmark, has been appropriate.
> 
> 
> 
> 	You have a very good point with respect to the Contrast marketing
> message around the Benchmark.  It's been completely absurd, over the top,
> and, in my personal opinion, intolerable.  In fact, I experienced the same
> thing that you talked about with them at LASCON 2015 where they stood in
> front of the door of the room Jeff was speaking in and scanned attendees as
> they went into the talk.  I agree that these types of aggressive marketing
> tactics cannot be tolerated at OWASP.  In addition, we have seen several
> marketing messages from them effectively implying that OWASP endorses
> Contrast.  Clearly this is not OK.  I've spoken with Jeff about it and we agreed
> that it is not in the Benchmark's best interest to have this aggressive Contrast
> marketing around it at such an early stage.  He has said that he is not
> responsible for Contrast's marketing team, but that he would speak with the
> people who are.  I haven't seen a single message from them since so I'm
> guessing that he's made good on this promise.  While that's an excellent
> start, OWASP's takeaway here should be that we need to do a better job
> with our brand usage guidelines both in terms of the wording and
> enforcement.  There are many other companies out there that use the
> OWASP brand and I think that we agree that selective enforcement against
> Contrast is not the right answer.  Paul and Noreen are actively working on
> this.  Either way, I think that implying that activities from a vendor's
> marketing department means that the project is not objective is not
> inappropriate.  If we feel that the project is not objective, then separate
> measures need to be taken to drive contribution diversity into it.  That I
> absolutely agree with and the message from Dave was that he would love to
> have more contributors to his project.  But, seeing as we cannot force people
> to work on it, this becomes a matter of "put up or shut up".  The same goes
> for the experts that you said reviewed the code.  If they feel that it is
> somehow skewed towards Contrast, they have the power to change that.
> Now, if someone tries to participate and Dave tells them "No thanks", then I
> agree we have a problem, but I don't hear anyone inferring that happened.
> 
> 
> 
> 	Please, let's drop the conspiracy theories and focus on the tangible
> things that we can do to help an OWASP project to be more successful.  Help
> find more participants to drive diversity, update our brand usage guidelines
> to prevent abuse, enforce them widely, etc.  Thank you.
> 
> 
> 
> 	~josh
> 
> 
> 
> 	On Thu, Nov 26, 2015 at 4:24 PM, Jim Manico
> <jim.manico at owasp.org> wrote:
> 
> 
> 
> 	Dinis,
> 
> 
> 	Like a rare celestial moment when all the planets plus Pluto are
> aligned, I just read your email on the future of OWASP projects thinking,
> "Dinis is spot on".
> 
> 
> 	Reflecting on projects I manage or work on...
> 
> 
> 	The Java Encoder and HTML Sanitizer are likely best moved to Apache
> now that they have reached a measure of adoption and maturity. Apache
> would be a much better long term custodian. Perhaps the same for
> AppSensor, but not my project - just thinking out loud.
> 
> 
> 	Other similar defensive projects are still being noodled on, so OWASP
> is a decent home for these research efforts.
> 
> 
> 	The whole tools category is also something to consider. Dependency
> Check and of course ZAP are some of the best projects that OWASP offers,
> are they best served where they are today? Both have rich communities of
> developers but I don't see the foundation doing much to support these
> efforts.
> 
> 
> 	ASVS has the opportunity to effect massive change, I would love
> to see major investment and volunteer activity here. Pro tech writer,
> detailed discourses on each individual requirement, etc. If I was king (and I
> am not, at all) I would invest in ASVS on a 6 figure scale. (And who started
> ASVS? Jeff, Dave and Boberski, hat tip to such a marvelous idea). Or maybe
> moving ASVS to the W3C or IETF would help it grow?
> 
> 
> 	The Proactive Controls was a pet project but as we approach 2.0 we
> have several active/awesome volunteers working on it. We will be making
> the doc "world editable" to make contributions easy. OWASP seems like a
> good home for such an awareness doc. Same with T10, especially if
> community edits are welcome.
> 
> 
> 	Anyhow, I'm with you on this Dinis. Once a project starts to reach
> production quality, spinning off the project as an external project or moving
> it to a different foundation where managing production software or formal
> standards is their thing seems realistic.
> 
> 
> 	I don't have all the answers here, but your email certainly resonated
> with me.
> 
> 
> 	Aloha,
> 
> 	--
> 
> 	Jim Manico
> 
> 	Global Board Member
> 
> 	OWASP Foundation
> 
> 	https://www.owasp.org
> 
> 	Join me in Rome for AppSecEU 2016!
> 
> 
> 	On Nov 26, 2015, at 11:26 PM, Dinis Cruz <dinis.cruz at owasp.org>
> wrote:
> 
> 
> 
> 
> 
> 
> 		Jim's reading of this situation is exactly my view on the value
> of the Contrast tool and how it has been 'pushing' the rules of engagement
> to a very 'fuzzy' moral/ethical/commercial limit :)
> 
> 
> 		As per my last email, a key problem here is the 'perceived
> expectation' of what is an OWASP project, and how it should be consumed.
> 
> 
> 		If you look at the OWASP benchmark as a research project,
> then the only way it could be making the kind of claims it makes (and have
> credibility) is if it had evolved from OWASP, with its own (diverse) community
> 
> 
> 		On 26 November 2015 at 21:01, Jim Manico
> <jim.manico at owasp.org> wrote:
> 
> 
> 
> 
> 			I have a different take on this situation but my
> opinion is the "minority opinion". I will respect the rest of the boards take on
> this, but here is how I see it.
> 
> 
> 			First of all, Jeff has stated that he feels I am attacking
> him personally from a past personal grudge, and frankly I do not fault him for
> that perspective since we definitely have history with conflict. So it's fair to
> take my opinion on this with a grain of salt.
> 
> 
> 			I look at this situation from the perspective of a
> forensic investigator.
> 
> 
> 			1) The Benchmark project had Contrast hooks and
> only Contrast hooks in it when I reviewed it so this leads me to believe that
> the project was clearly built with Contrast in mind from the ground up, at
> least in some way.
> 
> 			2) Dave has a history of breaching his duty to be
> vendor neutral. He was gifted with a keynote in South Korea a few years ago,
> and used that opportunity to discuss and pitch Contrast, on stage, during a
> keynote - with Contrast specific slides. This is just supporting evidence of his
> intention at OWASP to push Contrast in ways that I think are against the
> intentions and goals of our foundation.
> 
> 			3) Other experts have reviewed the project and felt
> that many of the tests were very slanted and almost contrived to support
> Contrast. I can drag those folks into this conversation, but I do not think that
> would help in any way. So it's fair to call this point hearsay.
> 
> 			4) I do not see this project as revolutionary, at all.
> Every vendor has their own test suite tuned for their tool. As the benchmark
> stands today, I see it as just another vendors product-specific benchmark.
> Mass collaboration from many vendors is not just a "nice to have" but a base
> requirement to get even close to useful for objective tool measurement.
> 
> 			5) Jeff stating that his Marketing people went over
> the line is also an admission that - well, they went over the line. By the same
> token Jeff was in his booth at AppSec USA surrounded by benchmark
> marketing material, discussing this to prospects and he even asked me and
> Mr Coates to wade into this debate and support Dave. So to say he was not
> involved and it was only his marketing people seems a stretch at best.
> 
> 			6) The Contrast marketing team was wandering
> around the conference zapping folks to get leads, and I asked them to stay in
> their booth, which is standard conference policy. These folks know better
> but are again going over the line to sell product at OWASP. There is a better
> way (like focusing on product capability and language support, have
> consistent + stellar customer service, have a humble and gracious attitude to
> all prospects and customers, actively participate in OWASP in a vendor
> neutral and community supportive way, etc).
> 
> 
> 			Please note, I think Contrast is a decent tool, I've
> offered to resell in the past, and I have recommended it in certain situations -
> even after this situation arose. I'm stating this out of honesty and a desire to
> put my cards on the table. I truly want Jeff and Dave to be successful. They
> have dedicated their lives to AppSec and if anyone should win big-time, I
> hope it's them. I even told Jeff I hope he hits the mother lode and donates a
> little back to OWASP.
> 
> 
> 			However, my instinct and evidence tell me that they
> both went over the line in the use of the OWASP brand to sell product.
> 
> 
> 			Now, Jeff makes a good point. We as a board and
> staff are very poor at enforcing brand management policy and it's not fair to
> single out Contrast, when many other vendors violate the brand, IMO. Just
> google OWASP and watch the ads fly that use the OWASP name to sell
> product.
> 
> 
> 			Also, any and every request that was made of Dave to
> adjust the project for the sake of vendor neutrality was taken very seriously.
> Regardless of Dave's past intentions, he is clearly trying to do the right thing
> moving forward.
> 
> 
> 			I look to "Postel's principle" in this situation (this is
> otherwise known as the "robustness principle" and dates back to the
> creation of TCP). This is paraphrased as, "Be liberal in what you take from
> others but be conservative in what you dish out". So I think it's critical that
> OWASP and any OWASP resource present itself in a strict vendor neutral
> way. But unless OWASP wants to be much more "even" in the enforcement
> of brand policy across the board to all violators, we should be fairly lax in the
> enforcement of these issues from the outside world.
> 
> 
> 			I am trying to be objective here. My trigonometry
> teacher once told me "I'd fail my mother" when I asked him if he would ever
> fail me (I was an A student). If my mother owned a security company and
> tried the same stunt, I'd have the same opinions about her actions as well.
> 
> 
> 			So what next? Well hello from the other side. I'm
> going back to listening to Adele's new album where I can sit in my deep
> feelings and reflect upon what the OWASP foundation has done to enrich my
> life. I would much rather keep out of this (and any other conflict laden
> situation at OWASP), but I feel it's my responsibility to speak up.
> 
> 
> 			Aloha,
> 
> 
> 
> 			--
> 
> 			Jim Manico
> 
> 			Global Board Member
> 
> 			OWASP Foundation
> 
> 			https://www.owasp.org
> 
> 			Join me in Rome for AppSecEU 2016!
> 
> 
> 			On Nov 26, 2015, at 9:09 PM, Josh Sokol
> <josh.sokol at owasp.org> wrote:
> 
> 
> 
> 
> 
> 
> 				I would be happy to provide an update.
> 
> 
> 
> 
> 				*	Matt Konda and Dave Wichers, the
> Benchmark Project Leader, had a conversation a few weeks back.  To
> summarize their conversation, Dave acknowledges the current lack of
> diversity in his project and it is his sincere desire to drive more people to it to
> help.  He also acknowledges the issues with Contrast's extreme marketing
> around the project and feels that it is in everyone's best interests for them to
> curb it back.  While he does have an ownership stake in Contrast, he works at
> Aspect and has no control over the marketing messages that they are putting
> out there.  From the Board perspective, there has been no evidence of any
> impropriety on Dave's part and it should be our goal to drive more diversity
> into the project to support Dave.  Dave appears to be sincere in his desires to
> create a tool where OWASP can tell vendors what we expect from their
> tools.  If the main issue is that only members of Aspect are working on it,
> then the best thing that we can do is try to get him some outside assistance.
> We are also asking that the project be opened up to commits via Git so that
> outsiders can push commits to it.
> 
> 
> 
> 				*	Josh Sokol and Jeff Williams, the CTO
> of Contrast, had a conversation a few weeks back.  To summarize their
> conversation, Jeff believes that the work that Dave is doing on the
> Benchmark is a game changer in that it gives OWASP the power in dictating
> what these tools need to be finding.  He wants the Benchmark to be
> successful and understands that it needs to be diverse in order to be trusted.
> He recognizes that Dave is trying to do that and does not want the marketing
> message from Contrast to interfere with his efforts.  Jeff felt that the "Lab"
> status granted to Benchmark meant that it was ready for mainstream
> adoption, that it had 21k tests, and was almost a year old, and didn't see
> anything wrong with marketing their results, but has agreed to talk to their
> marketing team to get them to lay off that message for now.  From the Board
> perspective, we have come to the realization that our brand usage guidelines
> need an overhaul to clarify what is and is not allowed.  We have made a few
> proposals and have reached out to Mozilla to gain more insight on their
> guidelines and even ask for assistance.  Noreen and Paul are taking lead on
> these efforts.
> 
> 				*	There is a note in the notes that the
> Board was supposed to follow up with an open letter to the community and
> companies involved describing our review and actions.  I don't think that has
> happened so I will remind the person who took on that action item.
> 
> 
> 				I'm happy to answer any questions that you
> may have.
> 
> 
> 
> 
> 
> 				~josh
> 
> 
> 
> 
> 				On Thu, Nov 26, 2015 at 11:55 AM, Tobias
> <tobias.gondrom at owasp.org> wrote:
> 
> 
> 
> 
> 					There have been several
> conversations on that matter and a dedicated call. Unfortunately for personal
> reasons I could not attend the last call as it was at 04:00am my local time, but
> all other board members did participate.
> 
> 
> 
> 					Could please one of my fellow board
> members give an update.
> 
> 
> 
> 					Best, Tobias
> 
> 
> 
> 
> 
> 
> 
> 					On 26/11/15 18:04, Timo Goosen
> wrote:
> 
> 
> 
> 
> 						I would also like to know the
> answer to Simon's question. We need to get rid of bad apples in OWASP in
> my opinion, there are too many people just using the OWASP "name" or
> "brand" to improve their own financial situation or career.
> 
> 
> 						Regards.
> 
> 						Timo
> 
> 
> 						On Thu, Nov 26, 2015 at 1:13
> PM, psiinon <psiinon at gmail.com> wrote:
> 
> 
> 
> 
> 							Paul, and the rest of
> the board,
> 
> 
> 
> 
> 
> 							It's been over 2 months
> since I raised this issue.
> 
> 
> 
> 							What's happening?
> 
> 
> 
> 							Has the board even
> discussed it?
> 
> 
> 
> 
> 
> 							Cheers,
> 
> 
> 
> 
> 
> 							Simon
> 
> 
> 
> 
> 
> 							On Tue, Oct 20, 2015 at
> 10:00 PM, Paul Ritchie <paul.ritchie at owasp.org> wrote:
> 
> 
> 
> 
> 								Eoin, Johanna,
> All:
> 
> 
> 								In an earlier
> email, Josh Sokol mentioned that he will be speaking in the next day or 2 to
> their CTO, while at LASCON, as a representative of the OWASP Board.
> Following that feedback, the Board has action to take the next steps.
> 
> 
> 								Just an FYI that
> all comments are recognized and action is being taken.
> 
> 
> 								Paul
> 
> 
> 
> 
> 								Best Regards,
> Paul Ritchie
> 
> 								OWASP
> Executive Director
> 
> 
> 	paul.ritchie at owasp.org
> 
> 
> 
> 								On Tue, Oct 20,
> 2015 at 1:54 PM, johanna curiel curiel <johanna.curiel at owasp.org> wrote:
> 
> 
> 
> 
> 									Time
> for owasp to do a public statement and put a clear story regarding this
> abusive behavior of Owasp brand
> 
> 
> 
> 									On
> Tuesday, October 20, 2015, Eoin Keary <eoin.keary at owasp.org> wrote:
> 
> 
> 
> 
> 
> 	Folks,
> 
> 
> 
> 	The project should be immediately shelved; it's simply bad form.
> 
> 
> 
> 	This is damaging to OWASP, the industry and exactly what OWASP is
> not about.
> 
> 
> 
> 	There is a clear conflict of interest and distinct lack of science behind
> the claims made by Contrast.
> 
> 	Eoin Keary
> 
> 
> 	OWASP Volunteer
> 
> 
> 	@eoinkeary
> 
> 	On 7 Oct 2015, at 3:53 p.m., johanna curiel curiel
> <johanna.curiel at owasp.org> wrote:
> 
> 	At the moment we did the project review, we observed that the
> project did not have enough testing to be considered in any form as 'ready'
> for benchmarking, nor that it yet had the community adoption; however,
> technically speaking, as it has been classified by the leaders, the project is at
> the beta stage.
> 
> 
> 
> 	Indeed, Dave had the push to have the project reviewed but it was
> never clear that later on the project was going to be advertised this way.
> That all happened after the presentation at AppSec.
> 
> 
> 
> 	I had my concerns regarding how sensitive is the subject of the
> project ,but I think we should allow project leaders to develop their
> communication strategy even if this has conflict of interest. It all depends
> how they behave and how they manage this.
> 
> 
> 
> 
> On Tuesday, October 6, 2015, Michael Coates <michael.coates at owasp.org> wrote:
> 
> It's not really that formal to add to the agenda, just a wiki that we add in the text.
> 
> I think you can safely assume it will get the appropriate discussion.
> 
> On Oct 6, 2015, at 7:16 AM, psiinon <psiinon at gmail.com> wrote:
> 
> Really?? It's not on the agenda yet for the next meeting??
> 
> How does it get added to the agenda?
> 
> And that was a formal request if that makes any difference :)
> 
> I'm all in favour of getting the facts straight before any actions are taken, hence my request for an 'ethical review' or whatever it should be called.
> 
> Cheers,
> 
> Simon
> 
> On Tue, Oct 6, 2015 at 3:07 PM, Michael Coates <michael.coates at owasp.org> wrote:
> 
> First step is to get all of our information straight so we're clear on where things are at.
> 
> This was not on the board agenda last meeting and is also not on the next agenda as of yet (of course it could always be added if needed).
> 
> We are aware that people have raised questions though. I'm hoping we can get a clear understanding of all the facts and then discuss if changes are needed.
> 
> On Oct 6, 2015, at 1:52 AM, psiinon <psiinon at gmail.com> wrote:
> 
> Hey Michael,
> 
> Is the board going to take any action?
> 
> Were there any discussions about this controversy in the board meeting at AppSec USA?
> 
> If not, will it be on the agenda for the meeting on October 14th?
> 
> Cheers,
> 
> Simon
> 
> On Tue, Oct 6, 2015 at 8:25 AM, Michael Coates <michael.coates at owasp.org> wrote:
> 
> Simon
> 
> I posted the below message earlier today. At this point my goal is to just gain clarity over the current reality and ideally drive to a shared state of success. This message doesn't seem to be reflected in the list yet. It could be because my membership hasn't been approved or because of mail list delays (I miss Google groups). But I think these questions will start the conversation.
> 
> (This was just me asking questions as a curious Owasp member, not any action on behalf of the board)
> 
> Begin forwarded message:
> 
> From: Michael Coates <michael.coates at owasp.org>
> Date: October 5, 2015 at 6:20:23 PM PDT
> To: owasp-benchmark-project at lists.owasp.org
> Subject: Project Questions
> 
> OWASP Benchmark List,
> 
> I've heard more about this project and am excited about the idea of an independent perspective of tool performance. I'm trying to understand a few things to better respond to questions from those in the security & OWASP community.
> 
> In my mind there are two big areas for consideration in a benchmark process.
> 
> 1. Are the benchmarks testing the right areas?
> 
> 2. Is the process for creating the benchmark objective & free from conflicts of interest?
> 
> I think as a group OWASP is the right body to align on #1.
> 
> I'd like to ask for some clarifications on item #2. I think it's important to avoid actual conflict of interest and also the appearance of conflict of interest. Why we mustn't have the former is obvious; the latter is critical so others have faith in the tool, process and outputs of the process when viewing or hearing about the project.
> 
> 1) Can we clarify whether other individuals have submitted meaningful code to the project?
> 
> Observation:
> Nearly all the code commits have come from 1 person (project lead).
> https://github.com/OWASP/Benchmark/graphs/contributors
> 
> 2) Can we clarify the contributions of others and their represented organizations?
> 
> Observation:
> The acknowledgements tab listed two developers (Juan Gama & Nick Sanidas), both of whom work at the same company as the project lead. It seems other people have submitted some small amounts of material, but overall it seems all development has come from the same company.
> https://www.owasp.org/index.php/Benchmark#tab=Acknowledgements
> 
> 3) Can we clarify in what ways we've mitigated the potential conflict of interest and also the appearance of a conflict of interest? This seems like the largest blocker for widespread acceptance of this project and the biggest risk.
> 
> Observation:
> The project lead and both of the project developers work for a company with very close ties to one of the companies that is evaluated by this project. Further, it appears the company is performing very well on the project tests.
> 
> 4) If we are going to list tool vendors then I'd recommend listing multiple vendors for each category.
> 
> Observation:
> The tools page only lists 1 IAST tool. Since this is the point of the potential conflict of interest it is important to list numerous IAST tools.
> https://www.owasp.org/index.php/Benchmark#tab=Tool_Support_2FResults
> 
> 5) Diverse body with multiple points of view
> 
> Observation:
> There is no indication that multiple stakeholders are present to review and decide on the future of this project. If they exist, a new section should be added to the project page to raise awareness. If they don't exist, we should reevaluate how we are obtaining an independent view of the testing process.
> 
> Again, I think the idea of the project is great. From my perspective clarifying these questions will help ensure the project is not only objective, but also perceived as objective from someone reviewing the material. Ultimately this will contribute to the success and growth of the project.
> 
> Thanks!
> 
> --
> Michael Coates
> 
> On Oct 2, 2015, at 1:31 AM, psiinon <psiinon at gmail.com> wrote:
> 
> OK, based on the concerns raised so far I think the board should initiate a review of the OWASP Benchmark project.
> 
> I'm not raising a formal complaint against it, I'm just requesting a review.
> 
> And I don't think it needs a 'standard' project review - Johanna has already done a very good job of this.
> 
> Not sure what sort of review you'd call it, I'll leave the naming to others :)
> 
> I'm concerned that we have an OWASP project led by a company who has a clear commercial stake in the results.
> 
> Bringing more companies on board will help, but I'm still not sure that alone will make it independent enough.
> 
> Commercial companies can afford to dedicate staff to improving Benchmark so that their products look better.
> 
> Open source projects just can't do that, so we are at a distinct disadvantage.
> 
> Should we allow a commercially driven OWASP project whose aim could be seen to be to promote commercial software?
> 
> If so, what sort of checks and balances does it need?
> 
> Those are the sort of questions I'd like an independent review to look at.
> 
> I do think there are some immediate steps that could be taken:
> 
> * I'd like to see the Benchmark project page clearly state that it's at a very early stage and that the results are _not_ yet suitable for use in commercial literature.
> 
> * I'd also like the main companies developing Benchmark to be clearly stated on the main page. If and when other companies get involved then this would actually help the project's claim of vendor independence.
> 
> * And I'd love to see a respected co-leader added to the project who is not associated with any commercial or open source security tools :)
> 
> And we should carry on discussing the project on this list - I think such discussions are very healthy, and I'd love to see this project mature to a state where it can be a trusted, independent and valued resource.
> 
> Cheers,
> 
> Simon
> 
> On Thu, Oct 1, 2015 at 7:59 PM, Tobias <tobias.gondrom at owasp.org> wrote:
> 
> @Simon: yes, the leaders list is the place for your discussions for project and chapter leaders
> 
> @Timo: I like your framing of "Don't ask what OWASP can do for me, ask what I can do for OWASP."
> 
> That should be and is indeed the spirit of OWASP :-)
> 
> Best regards,
> Tobias
> 
> On 30/09/15 09:42, Timo Goosen wrote:
> 
> ...
> 
> [Message clipped]
> _______________________________________________
> Owasp-board mailing list
> Owasp-board at lists.owasp.org
> https://lists.owasp.org/mailman/listinfo/owasp-board
> 
> --
> OWASP ZAP <https://www.owasp.org/index.php/ZAP> Project leader