[Owasp-leaders] OWASP Benchmark project - potential conflict of interest

johanna curiel curiel johanna.curiel at owasp.org
Fri Oct 2 13:01:22 UTC 2015


Members,

OWASP and the OWASP Benchmark project should make a statement that the
project is at a very early stage, as we have already officially made a
review in which we confirm this stage.

For what reason, then, do we do project reviews? The review is the statement,
and no vendor should use their position to misuse an OWASP project for
their benefit by making claims that unfortunately are not in accordance with
the actual situation; this is damaging to OWASP's image.

In the following comment, I mentioned this on the same article in which Jeff
Williams promotes the Benchmark:
http://www.darkreading.com/vulnerabilities---threats/why-its-insane-to-trust-static-analysis/a/d-id/1322274

In the review we did, it was also clear that the tool is still in its
infancy and needs more testing.

I think OWASP needs someone to play the role of PR and make a statement.

Regarding having a co-leader without any conflict of interest, I also agree.
So much so that the OWASP Research Initiative will use this project to do
individual testing and publish the results found in the form of a white paper
later this year and next year.

Regards

Johanna

PS
If this does not appear in the mailing list, could anyone reply? Thank you.


On Thu, Oct 1, 2015 at 2:59 PM, Tobias <tobias.gondrom at owasp.org> wrote:

> @Simon:
> Yes, the leaders list is the place for your discussions for project and
> chapter leaders.
> @Timo: I like your framing of "Don't ask what OWASP can do for me, ask
> what I can do for OWASP."
> That should be, and indeed is, the spirit of OWASP :-)
> Best regards, Tobias
>
>
>
>
> On 30/09/15 09:42, Timo Goosen wrote:
>
> I don't know enough about the matter to comment on this case, but I feel
> that any situation where an OWASP project, or any OWASP initiative for that
> matter, is using OWASP to promote its own business interests should be
> stopped.  We need to get rid of bad apples in OWASP.
>
> OWASP is becoming a brand, if you would like to think of it that way, and we
> are going to see many more cases of people trying to use OWASP to spread
> their business interests. At the end of the day everyone should be acting
> with an attitude of: "Don't ask what OWASP can do for me, ask what I can do
> for OWASP."
>
>
>
> Regards.
> Timo
>
> On Wed, Sep 30, 2015 at 11:48 AM, psiinon <psiinon at gmail.com> wrote:
>
>> So, a load of controversy about OWASP Benchmark on Twitter, but no
>> discussion on the leaders list :(
>> Is this now the wrong place to discuss OWASP projects?
>>
>> Simon
>>
>>
>> On Thu, Sep 24, 2015 at 10:36 AM, psiinon <psiinon at gmail.com> wrote:
>>
>>> Hi folks,
>>>
>>> I've got some concerns about the OWASP Benchmark project.
>>>
>>> I _like_ benchmarks, and I'm very pleased to see an active OWASP project
>>> focused on delivering one.
>>> I think the project has some technical limitations, but that's fine given
>>> the stage the project is at, i.e. _very_ early.
>>> I don't think that any firm conclusions should be drawn from it until it's
>>> been significantly enhanced.
>>>
>>> My concerns are around the marketing that one of the companies
>>> sponsoring the Benchmark project has started using.
>>>
>>> Here we have a company that leads an OWASP project that just happens to
>>> show that their offering in this area appears to be _significantly_ better
>>> than any of the competition.
>>> Their recent press release stresses that it's an OWASP project, makes the
>>> most of the fact that the US DHS helped fund it, but makes no mention of
>>> their role in developing it.
>>>
>>> Regardless of the accuracy of the results, it seems like a huge conflict
>>> of interest :(
>>>
>>> It appears that I'm not the only one with concerns related to the
>>> project:
>>>
>>> https://www.veracode.com/blog/2015/09/no-one-technology-silver-bullet
>>>
>>> What do other people think?
>>>
>>> Cheers,
>>>
>>> Simon
>>>
>>> --
>>> OWASP ZAP <https://www.owasp.org/index.php/ZAP> Project leader
>>>
>>
>>
>>
>> --
>> OWASP ZAP <https://www.owasp.org/index.php/ZAP> Project leader
>>
>> _______________________________________________
>> OWASP-Leaders mailing list
>> OWASP-Leaders at lists.owasp.org
>> https://lists.owasp.org/mailman/listinfo/owasp-leaders
>>
>>
>
>
>
>
>
>
>