Posted here since reply was not appreciated on the Websecurity list. http://www.disenchant.ch/blog/abuse-of-the-owasp-brand-by-acunetix
> Myself I also saw some abuses by some companies

Abuses on the Internets from the Acunetix evil doers.

> and also after I've talked to them, they removed the things which
> weren't OK

So you're policing the internet for compliance? OK, you have contacted other vendors? Good. Then I ask myself if you also have contacted Acunetix and asked them about it? From the blog comments I see that in fact you have not, so I ask myself why you have talked to "other vendors" about it while you chose a blog post and a mailing list post for Acunetix. Are they kind of evil? Do they need to be taught a lesson?

> My conclusion on this story is, that Acunetix has broken the law

The law? IF they have broken anything at all they would have broken a license, not the law. If law making is done by posting something to a website, hell, I'll just create one right now.

> so they have to remove the OWASP parts out of their scanner

What OWASP part is in their scanner? The name? Isn't the rest just vulnerabilities?

> (and eventually pay something to the OWASP because of the license abuse)

Since when is using a name a license abuse? (Again supposing all they used was the name.)

> or they'll have to put their web vulnerability scanner also under the same license as the
> OWASP Top 10 which will be AFAIK the GPL.

No, it's _not_ the GPL, you even say it on your own blog, it's the LGPL. You have not understood the *GPL license at all. It is just not true to say that all derivative works or all works embedding *GPL software will automatically become *GPL. Not to mention USING the words "OWASP TOP 10" is surely not "derived work". Why do you think OWASP is LGPL and not GPL?
[1] The main difference between the LGPL and GPL is an exception provision that permits the use of LGPL'ed libraries to be "combine[d] or link[ed]" with works that use the library and distribution of the aforementioned work under any terms, provided that these terms permit modification of the work for the customer's own use and reverse engineering for debugging. Simply put, this implies that one is allowed to use LGPL'ed libraries and link them with other open-source software - even not licensed under the LGPL.

[1] http://www.objectweb.org/phorum/read.php?f=18&i=6&t=6

Actually, these licenses say: "if identifiable sections of [derivative work] are not derived from the [original software] and can be reasonably considered independent and separate works in themselves, then the [*GPL], and its terms, do not apply to those sections when [one] distributes them as separate works".

I am sorry, but checking for XSS or SQL injections is clearly not derived work from OWASP; the only problem here is that they use the term OWASP and that's pretty much it. There is nothing wrong with testing for TOP 10 OWASP vulnerabilities, they are not OWASP inventions nor are they being patented/trademarked or otherwise protected. They refer to industry-named vulnerabilities, nothing else.

Would it be fair if Acunetix is/became an OWASP member? Surely. Is it required? IMHO no, it isn't.

-- 
http://secdev.zoller.lu
Thierry Zoller
Fingerprint: 5D84 BFDC CD36 A951 2C45 2E57 28B3 75DD 0AC6 F1C7

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
