[Owasp-leaders] OWASP Benchmark project - potential conflict of interest

Jim Manico jim.manico at owasp.org
Mon Oct 5 02:22:46 UTC 2015


Akash,

Here are some of the resources that I use to try and understand OWASP 
values and culture around commercial affiliations.

*From https://www.owasp.org/index.php/About_The_Open_Web_Application_Security_Project*
"Our freedom from commercial pressures allows us to provide unbiased, 
practical, cost-effective information about application security. OWASP 
is not affiliated with any technology company, although we support the 
informed use of commercial security technology."

*From our bylaws: 
https://www.owasp.org/index.php/OWASP_Foundation_ByLaws_Wiki_2014-APR-07*
"Core Values

*OPEN* Everything at OWASP is radically transparent from our finances to 
our code.

*INNOVATION* OWASP encourages and supports innovation and experiments for 
solutions to software security challenges.

*GLOBAL* Anyone around the world is encouraged to participate in the 
OWASP community.

*INTEGRITY* OWASP is an honest and truthful, vendor neutral, global 
community" <--


*From our chapter handbook: 
https://www.owasp.org/index.php/Chapter_Handbook/Chapter_7:_Organizing_Chapter_Meetings*

"In order to ensure that presentations remain vendor neutral and don’t 
turn into platforms for a sales pitch, it is recommended that you screen 
the presentations before the meeting."


*From our project handbook: 
https://www.owasp.org/images/d/d8/PROJECT_LEADER-HANDBOOK_2014.pdf*
"OWASP Projects must uphold the integrity of the OWASP Foundation, and 
must not unduly promote a specific company, vendor, or organization. 
While OWASP welcomes corporate sponsorship of a project, Project Leaders 
must ensure that any such relationship is disclosed, and that the 
project continues to be a vendor agnostic endeavor."

Aloha,
- Jim


> The OWASP license allows for adapting, building upon and transforming 
> its content even commercially.
>
> So why would it be a bad thing to promote business interests? Aren't 
> businesses a legitimate part of the security ecosystem?
>
> Would brand promotion not be allowed under such a license as long as 
> attribution is in place?
>
> On 2 October 2015 at 00:29, Tobias <tobias.gondrom at owasp.org 
> <mailto:tobias.gondrom at owasp.org>> wrote:
>
>     @Simon:
>     yes, the leaders list is the place for your discussions for
>     project and chapter leaders
>     @Timo: I like your framing of "Don't ask what OWASP can do for me,
>     ask what I can do for OWASP."
>     That should and is indeed the spirit of OWASP :-)
>     Best regards, Tobias
>
>
>
>
>     On 30/09/15 09:42, Timo Goosen wrote:
>>     I don't know enough about the matter to comment on this case, but
>>     I feel that any situation where an OWASP project or any OWASP
>>     initiative for that matter, is using OWASP to promote its own
>>     business interests should be stopped.  We need to get rid of bad
>>     apples in OWASP.
>>
>>     OWASP is becoming a brand if you would like to think of it that
>>     way and we are going to see many more cases of people trying to
>>     use OWASP to spread their business interests. At the end of the
>>     day everyone should be acting with an attitude of: "Don't ask what
>>     OWASP can do for me, ask what I can do for OWASP?"
>>
>>
>>
>>     Regards.
>>     Timo
>>
>>     On Wed, Sep 30, 2015 at 11:48 AM, psiinon <psiinon at gmail.com
>>     <mailto:psiinon at gmail.com>> wrote:
>>
>>         So, a load of controversy about OWASP Benchmark on twitter,
>>         but no discussion on the leaders list :(
>>         Is this now the wrong place to discuss OWASP projects??
>>
>>         Simon
>>
>>
>>         On Thu, Sep 24, 2015 at 10:36 AM, psiinon <psiinon at gmail.com
>>         <mailto:psiinon at gmail.com>> wrote:
>>
>>             Hi folks,
>>
>>             I've got some concerns about the OWASP Benchmark project.
>>
>>             I _like_ benchmarks, and I'm very pleased to see an
>>             active OWASP project focused on delivering one.
>>             I think the project has some technical limitations, but
>>             that's fine given the stage the project is at, i.e. _very_
>>             early.
>>             I don't think that any firm conclusions should be drawn
>>             from it until it's been significantly enhanced.
>>
>>             My concerns are around the marketing that one of the
>>             companies sponsoring the Benchmark project has started using.
>>
>>             Here we have a company that leads an OWASP project that
>>             just happens to show that their offering in this area
>>             appears to be _significantly_ better than any of the
>>             competition.
>>             Their recent press release stresses that it's an OWASP
>>             project, makes the most of the fact that the US DHS helped
>>             fund it, but makes no mention of their role in developing it.
>>
>>             Regardless of the accuracy of the results, it seems like
>>             a huge conflict of interest :(
>>
>>             It appears that I'm not the only one with concerns
>>             related to the project:
>>
>>             https://www.veracode.com/blog/2015/09/no-one-technology-silver-bullet
>>
>>             What do other people think?
>>
>>             Cheers,
>>
>>             Simon
>>
>>             -- 
>>             OWASP ZAP <https://www.owasp.org/index.php/ZAP> Project
>>             leader
>>
>>
>>
>>
>>         -- 
>>         OWASP ZAP <https://www.owasp.org/index.php/ZAP> Project leader
>>
>>         _______________________________________________
>>         OWASP-Leaders mailing list
>>         OWASP-Leaders at lists.owasp.org
>>         <mailto:OWASP-Leaders at lists.owasp.org>
>>         https://lists.owasp.org/mailman/listinfo/owasp-leaders
>>
>>
>>
>>
>
>
>
>
>
>
> -- 
> Warm regards,
> Akash Mahajan
>
> /That Web Application Security Guy/ | +91 99 805 271 82
> akashm.com <http://akashm.com> | /@makash/ on twitter | 
> linkd.in/webappsecguy <http://linkd.in/webappsecguy>
> /OWASP Bangalore Chapter Lead | null Community Manager/
>
>
>

-- 
Jim Manico
Global Board Member
OWASP Foundation
https://www.owasp.org
Join me at AppSecUSA 2015!
