[Owasp-leaders] OWASP connector

Ian Gorrie ian.gorrie at owasp.org
Mon Apr 24 21:47:19 UTC 2017

Since we decommissioned the benchmarking project because they were too
easily gamed for marketing (I remember those thread conclusions correctly,
right?) in the fallout of the last incident, is there a strategic direction
we should take with this or at least begin to discuss?

I guess that basically comes down to "does owasp want to have a magic
quadrant for rasp/sec-as-a-service/static/dynamic analysis vendors" and,
since everyone works for or with whoever this is, is it a realistic goal
for owasp?

Might this just be a perennial panel discussion at events?

I'm sure people have given this a lot of thought, so since it's been a bit,
I thought that I would ask.  It seems to me that a flat no to all doesn't
help mere humans with these kinds of architecture and assurance measurement
and analysis.


On Mon, Apr 24, 2017 at 2:18 PM, Todd Grotenhuis <todd.grotenhuis at owasp.org>

> The reason we're still talking about it is because it is a weakness that
> keeps getting exploited.
> Because the Top 10 have been turned into false Compliance benchmarks,
> companies are saying they help with them or are compliant with them. And
> because there is business incentive to do that (e.g. PCI money), we see
> corporate manipulation of the Top 10 (e.g. new A7) to support companies
> that are compliant with or deal with certain Top 10 issues. It's not going
> to go away until we are more clear what the Top 10 represents and what it
> may and may not be used for. It remains an open weakness in our design.
> On Mon, Apr 24, 2017 at 5:08 PM, Ian Gorrie <ian.gorrie at owasp.org> wrote:
>> Isn't this the same kind of thing that everyone lost their mind over with
>> Contrast?
>> Surprising that it would be repeated a year later.
>> -i
>> On Mon, Apr 24, 2017 at 11:16 AM, Larry Conklin <larry.conklin at owasp.org>
>> wrote:
>>> On this month's OWASP connector what does vendor Kiuwan mean in their ad
>>> saying their product is "Full OWASP Compliance"?
>>> I understand right below the add in small print it says "Ads are not
>>> endorsements and reflect the messages of the advertiser only. They
>>> represent co-marketing arrangements with other organizations in
>>> support of the OWASP Community."
>>> But saying something is "Full OWASP Compliance" in larger print on our
>>> own email used to communicate to the entire community seems to fly in the
>>> face of being vendor agnostic.
>>> Larry Conklin, CISSP, CSSLP
>>> _______________________________________________
>>> OWASP-Leaders mailing list
>>> OWASP-Leaders at lists.owasp.org
>>> https://lists.owasp.org/mailman/listinfo/owasp-leaders
>> _______________________________________________
>> OWASP-Leaders mailing list
>> OWASP-Leaders at lists.owasp.org
>> https://lists.owasp.org/mailman/listinfo/owasp-leaders
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.owasp.org/pipermail/owasp-leaders/attachments/20170424/f6da68ab/attachment.html>

More information about the OWASP-Leaders mailing list