[Owasp-leaders] OWASP connector

Larry Conklin larry.conklin at owasp.org
Tue Apr 25 14:43:49 UTC 2017


*Isn't this the same kind of thing that everyone lost their mind over with
Contrast? *Yes, but what I don't understand is why some things get the
community into an uproar and other things don't. I liked the idea of the
benchmark project, but yes, it could be easily gamed for marketing and it
was. But here we go again, and this time the people yelling about the
benchmark project are silent, including the board. In this case this was
done with staff approval.

*Because the Top 10 have been turned into false Compliance benchmarks,
companies are saying they help with them or are compliant with them. *Yes,
perhaps the top ten project could put in their documentation saying the top
ten can't ever be a true benchmark for marketing. Any input from the top
ten project?

On Mon, Apr 24, 2017 at 5:47 PM, Ian Gorrie <ian.gorrie at owasp.org> wrote:

> Since we decommissioned the benchmarking project because they were too
> easily gamed for marketing (I remember those thread conclusions correctly,
> right?) in the fallout of the last incident, is there a strategic direction
> we should take with this or at least begin to discuss?
>
> I guess that basically comes down to "does owasp want to have a magic
> quadrant for rasp/sec-as-a-service/static/dynamic analysis vendors" and,
> since everyone works for or with whoever this is, is it a realistic goal
> for owasp?
>
> Might this just be a perennial panel discussion at events?
>
> I'm sure people have given this a lot of thought, so since it's been a
> bit, I thought that I would ask.  It seems to me that a flat no to all
> doesn't help mere humans with these kinds of architecture and assurance
> measurement and analysis.
>
> -i
>
> On Mon, Apr 24, 2017 at 2:18 PM, Todd Grotenhuis <todd.grotenhuis at owasp.org> wrote:
>
>> The reason we're still talking about it is because it is a weakness that
>> keeps getting exploited.
>>
>> Because the Top 10 have been turned into false Compliance benchmarks,
>> companies are saying they help with them or are compliant with them. And
>> because there is business incentive to do that (e.g. PCI money), we see
>> corporate manipulation of the Top 10 (e.g. new A7) to support companies
>> that are compliant with or deal with certain Top 10 issues. It's not going
>> to go away until we are more clear what the Top 10 represents and what it
>> may and may not be used for. It remains an open weakness in our design.
>>
>> On Mon, Apr 24, 2017 at 5:08 PM, Ian Gorrie <ian.gorrie at owasp.org> wrote:
>>
>>> Isn't this the same kind of thing that everyone lost their mind over
>>> with Contrast?
>>>
>>> Surprising that it would be repeated a year later.
>>>
>>> -i
>>>
>>> On Mon, Apr 24, 2017 at 11:16 AM, Larry Conklin <larry.conklin at owasp.org> wrote:
>>>
>>>> On this month's OWASP connector what does vendor Kiuwan mean in their
>>>> ad saying their product is "Full OWASP Compliance"?
>>>>
>>>> I understand right below the ad in small print it says "Ads are not
>>>> endorsements and reflect the messages of the advertiser only. They
>>>> represent co-marketing arrangements with other organizations in
>>>> support of the OWASP Community."
>>>>
>>>> But saying something is "Full OWASP Compliance" in larger print on our
>>>> own email used to communicate to the entire community seems to fly in the
>>>> face of being vendor agnostic.
>>>>
>>>> Larry Conklin, CISSP, CSSLP
>>>>
>>>> _______________________________________________
>>>> OWASP-Leaders mailing list
>>>> OWASP-Leaders at lists.owasp.org
>>>> https://lists.owasp.org/mailman/listinfo/owasp-leaders