[Owasp-leaders] OWASP Benchmark project - potential conflict of interest

Tobias tobias.gondrom at owasp.org
Thu Oct 1 18:59:50 UTC 2015


@Simon:
Yes, the leaders list is the place for your discussions for project and 
chapter leaders.
@Timo: I like your framing of "Don't ask what OWASP can do for me, ask 
what I can do for OWASP."
That should be, and indeed is, the spirit of OWASP :-)
Best regards, Tobias



On 30/09/15 09:42, Timo Goosen wrote:
> I don't know enough about the matter to comment on this case, but I 
> feel that any situation where an OWASP project or any OWASP initiative 
> for that matter, is using OWASP to promote its own business interests 
> should be stopped. We need to get rid of bad apples in OWASP.
>
> OWASP is becoming a brand if you would like to think of it that way 
> and we are going to see many more cases of people trying to use OWASP 
> to spread their business interests. At the end of the day everyone 
> should be acting with an attitude of: "Don't ask what OWASP can do for 
> me, ask what I can do for OWASP?"
>
>
>
> Regards.
> Timo
>
> On Wed, Sep 30, 2015 at 11:48 AM, psiinon <psiinon at gmail.com> wrote:
>
>     So, a load of controversy about OWASP Benchmark on twitter, but no
>     discussion on the leaders list :(
>     Is this now the wrong place to discuss OWASP projects??
>
>     Simon
>
>
>     On Thu, Sep 24, 2015 at 10:36 AM, psiinon <psiinon at gmail.com> wrote:
>
>         Hi folks,
>
>         I've got some concerns about the OWASP Benchmark project.
>
>         I _like_ benchmarks, and I'm very pleased to see an active
>         OWASP project focused on delivering one.
>         I think the project has some technical limitations, but that's
>         fine given the stage the project is at, i.e. _very_ early.
>         I don't think that any firm conclusions should be drawn from it
>         until it's been significantly enhanced.
>
>         My concerns are around the marketing that one of the companies
>         sponsoring the Benchmark project has started using.
>
>         Here we have a company that leads an OWASP project that just
>         happens to show that their offering in this area appears to be
>         _significantly_ better than any of the competition.
>         Their recent press release stresses that it's an OWASP project,
>         makes the most of the fact that the US DHS helped fund it but
>         makes no mention of their role in developing it.
>
>         Regardless of the accuracy of the results, it seems like a
>         huge conflict of interest :(
>
>         It appears that I'm not the only one with concerns related to
>         the project:
>
>         https://www.veracode.com/blog/2015/09/no-one-technology-silver-bullet
>
>         What do other people think?
>
>         Cheers,
>
>         Simon
>
>         -- 
>         OWASP ZAP <https://www.owasp.org/index.php/ZAP> Project leader
>
>
>
>
>     -- 
>     OWASP ZAP <https://www.owasp.org/index.php/ZAP> Project leader
>
>     _______________________________________________
>     OWASP-Leaders mailing list
>     OWASP-Leaders at lists.owasp.org <mailto:OWASP-Leaders at lists.owasp.org>
>     https://lists.owasp.org/mailman/listinfo/owasp-leaders
>
>
>
>
