Attention: If Acunetix is an OWASP member but for any reason is not listed on the OWASP website, everything’s OK from my point of view and this posting is irrelevant. But I found no information about an OWASP membership by Acunetix on the Net. Also, I’m not a lawyer, so the following posting is just about my own thoughts.

When I was in Milan at this year’s OWASP Application Security Conference in Europe, there was much discussion about companies which are abusing the OWASP brand. I also saw some abuses by some companies myself, but nothing that was really some kind of “hey everyone, we’ve got OWASP in our product”, and after I talked to them, they removed the things which weren’t OK, so that everything was legal again. Now today I came across the website of Acunetix and saw that they’ve got a new version of their web vulnerability scanner, so I was looking at the new features they’ve implemented. Because of this, I also came to the page here where Acunetix wrote:

Acunetix Web vulnerability scanner includes an extensive reporting module which can generate reports that show whether your web applications meet the new VISA PCI Data Compliance requirements or whether OWASP top 10 vulnerabilities are present.

OK, they have implemented something like an “OWASP Top 10 – Check” to see if an application is compliant with the Payment Card Industry Data Security Standard (PCI DSS). The first thing I asked myself then was: Why do these guys check that stuff from outside? Because if I remember right, the OWASP Top 10 will really become a requirement in 2008 for this standard, but only for source code reviews, and this is not a source code vulnerability scanner. Anyway, let them test that stuff from outside, this might also be helpful. But then immediately it came to my mind: They have implemented the OWASP Top 10 into their product, but hey, have I ever seen the Acunetix logo on the OWASP members website? The answer is of course no, there’s no Acunetix logo at all, which means that it seems this company hasn’t got a membership. So let’s have a look in the OWASP wiki at the membership page to see what this means.

Benefits unique to members

  • A OWASP Commercial License to use the materials within your organization without the restrictions associated with the various open source licenses used by the OWASP projects.
  • Visibility for your organization’s tangible commitment to application security through its inclusion in the members list on the OWASP website and promotional materials.
  • The right to use the OWASP name and membership mark to show that you are an OWASP Member. Note that the mark must not be used in any way that might indicate that OWASP supports a commercial product or service.
  • Discounts to the OWASP AppSec and other security conferences and events. See the OWASP Member Offers page for the most current discounts available to OWASP Members. NOTE: Some of these discounts are greater than or equal to the cost of an individual OWASP Membership.

Benefits that also apply to all OWASP participants (even non-members)

  • An active voice in the development of OWASP Materials that are becoming widely accepted as an application security standard for all organizations.
  • Timely electronic notification of updates to the OWASP Materials.
  • Collaboration with other highly skilled people from organizations around the world, both virtually and in person during periodic OWASP AppSec conferences and chapter meetings.
  • Authorization to create an account and edit pages on the www.owasp.org website (WIKI based)

OK, so have a look at the screenshot they’ve got on their website:

Acunetix - OWASP Top 10

For me at least this looks like proof that they’ve directly implemented the OWASP Top 10, which is an Open Source Document (by its license), in their proprietary product. And now look at the first point of the list of “Benefits unique to members”:

“A OWASP Commercial License to use the materials within your organization without the restrictions associated with the various open source licenses used by the OWASP projects.” This means that Acunetix as a non-member is not allowed to use the OWASP Top 10 in their product because it’s proprietary.

My conclusion on this story is that Acunetix has broken the law, and so they have to remove the OWASP parts from their scanner (and eventually pay something to the OWASP because of the license abuse), or they’ll have to put their web vulnerability scanner under the same license as the OWASP Top 10, which will be AFAIK the GPL. Let’s go for it Acunetix, give us an open source webappsec scanner, the community will love you for that ;)

18 Comments to “Abuse of the OWASP Brand by Acunetix”

  1. John Ther

    “A OWASP Commercial License to use the materials within your organization without the restrictions associated with the various open source licenses used by the OWASP projects”

    What’s the OWASP Commercial License, and how is it possible to make a document both under GPL and OWASP Commercial License? If someone touches the OWASP documents, does that mean those authors accept to release these documents under OWASP commercial license? Or do they know that?

    It makes sense since OWASP is a foundation, so not a big deal, but it’s interesting to learn such an OWASP commercial license exists.

  2. Disenchant

    Hi John,
    you’ll find (hopefully) all the information you need on the OWASP membership page, and here you’ll find everything about the OWASP Commercial License.

    Hope that I was able to help you :)

  3. nEUrOO

    > Why do these guys check that stuff from outside because if I remember right,
    > the OWASP Top 10 will really become a requirement in 2008 for this standard
    > but only for source code reviews and this is not a source code vulnerability scanner
    Maybe for the buzz… OWASP Top Ten is really famous now, and it’s good for a vendor to say, “I handle OWASP Top Ten vulns!”

    Btw, did you check if some guys working in Acunetix were OWASP members? Let’s say, Bogdan Calin perhaps? (didn’t check either, but I guess it would be bad advertisement for them if they are not…)

  4. dre

    Yes, a violation of rights, so Acunetix will likely (or already has) receive a cease and desist letter to remove that content.

    The PCI DSS Requirement 6.5 states that there must be a verifiable process in place by the application developers to code around the attack vectors in the OWASP Top Ten. This has been in place since the 1.0 version, and it seems to refer only to the OWASP Top Ten 2004.

    The requirement about code review sounds to me like it will be a part of Requirement 6.6, the one that requires a code review or web application firewall.

  5. Disenchant

    @nEUrOO
    I didn’t check if any of their employees is an OWASP member, but the latest information I’ve got is that none of them have a membership, and even if one or more of them got an “Individual Member”-Membership, this won’t allow them to use the OWASP Top 10 in the way Acunetix is doing it if the company isn’t an OWASP member.

    @dre
    Thanks for your comments on the PCI DSS. Yes, actually the old OWASP Top 10 is mentioned in the standard under point 6.5, but it (hopefully the 2007 version) will become a requirement at least for code reviews in 2008 because:

    In the PCI DSS under point 6.6 is written: “Having all custom application code reviewed for common vulnerabilities by an organization that specializes in application security”, and if I understand right what they mean with “common vulnerabilities”, they mean at least the OWASP Top 10 or even more. Then have a look at the note below point 6.6, where it is written: “This method is considered a best practice until June 30, 2008, after which it becomes a requirement.”

    So, the OWASP Top 10 will be part of any PCI compliant source code review, and also other tests should at least check for these ten vulnerability types. Sorry for what I wrote about that in my posting, because then it could also make sense to implement something like this into a web vulnerability scanner, but of course this will not change the legal situation Acunetix is in, in any way.

  6. Laura Thomson

    I went looking for the license for the OWASP Top Ten, and couldn’t find it on the wiki pages or in the Top Ten PDF. How is it licensed? Even though the document may be licensed, what other IP protections apply to the ideas represented in the Top Ten? IANAL, but I think your accusations may have no legal basis.

  7. John Ther

    “Hi John,
    you’ll find (hopefully) all information you need on the OWASP membership page and here you’ll find anything about the OWASP Commercial License.

    Hope that I was able to help you :)”

    I’ve checked that page right after I sent the comment, but neither that page nor any of the other OWASP pages I was able to find with information about the license has any information about my 2 questions.

    1) How is it possible to make a document both under GPL and OWASP Commercial License?
    2) If someone touches the OWASP documents, does that mean those authors accept to release these documents under OWASP commercial license? Or do they know that?

  8. Disenchant

    @ Laura
    Of course it’s not possible to set any license to the mentioned topics in the OWASP Top 10, but you can set a license to a document which describes them, and in this case, Acunetix has used exactly the OWASP Top 10 document in their product.

    @ John
    1.) As written at the beginning of this posting, I’m not a lawyer, but there seem to be some possibilities for doing dual license stuff, as you can see at the end of this comment.
    2.) Especially for this, there’s a Contributor License Agreement.

    @ Everyone
    For more information on how the OWASP stuff is licensed, you should have a look at the OWASP Licenses page, where you will find the following part:
    “All software, documentation, and other materials produced by The OWASP Foundation or any of its projects is licensed according to one of the approved open source licenses, such as the GNU “Lesser” GNU Public License (LGPL) or the GNU Free Documentation License (GFDL). In addition, individuals or organization that become a member have the option of using OWASP Materials under a commercial license that allows modification and internal redistribution.”

    If there are any other questions, just ask and I’ll try to answer as well as I can :)

  9. John Ther

    Thanks for the kind response Dis,
    after reading the licenses and contribution agreement, dual licensing still sounds dodgy to me, but apparently it’s working even though I don’t believe in the concept. If it’s GPL it should be GPL even if they pay OWASP! Otherwise what’s the point of a so-called GPL license?

    I’m sure OWASP has a better description of all this dual licensing stuff and possibly they’ll release it in OWASP some day.

  10. Disenchant

    I think at least Jeff Williams (OWASP Chair), who’s AFAIK also a specialist on cyberlaw, will really know about the licenses used in the OWASP, and for sure everything should (hopefully) be correct. If you, John, would like to get more information on the dual license thing, I can contact Jeff for you in my position as OWASP Switzerland Local Chapter Leader and ask him for more information on this.

  11. Nick Galea obo Acunetix

    Is this the official position of OWASP? Since OWASP seems to be an open source project with a non commercial objective, we did not think that including a report for the OWASP top 10 vulnerabilities would cost $9000 per year (the cost to be a vendor member).

    In any case, just to be on the safe side we will be removing any reference to OWASP from our website and in the next build of our software OWASP references will be removed.

  12. Disenchant

    Hi Nick,
    as I wrote at the beginning of this blog posting, everything in it are just my personal thoughts based on the things I know about the OWASP license model. To be on the safe side about what you can do with OWASP material and under what licenses, you should perhaps get in touch with Jeff Williams because he can for sure help you on that :)

  13. Nick Galea obo Acunetix

    Hi Disenchant,

    Thanks for your quick reply. We have decided to remove all references to OWASP instead; it’s better to be on the safe side. We prefer to focus on making software rather than getting into legal stuff and being accused of Abuse :-)

  14. Disenchant

    Hi Nick,
    this decision is up to Acunetix of course, but I think it’s not that hard to find a good way with Jeff so that both Acunetix and the OWASP can be winners. My personal recommendation to you is to have a look at this with Jeff and decide afterwards what you’d like to do, instead of just saying that you don’t want to deal with legal stuff.

  15. Thierry Z.

    Are you being serious? There is nothing wrong with testing for TOP 10 OWASP Vulnerabilities, they are not OWASP inventions nor are they being patented/trademarked or otherwise protected. They refer to industry named vulnerabilities, nothing else.

    Would it be fair if acunetix is/became an OWASP member? Surely. Is it required? IMHO no, it isn’t.

  16. Disenchant

    Hi Thierry,
    as I wrote at the beginning of the posting; IANAL.
    The problem I’ve seen with the webappsec scanner of Acunetix was not that they’ve tested for these vulnerabilities, because of course you’re right that these aren’t “patented/trademarked or otherwise protected”. The problem was that they had just copied out whole parts of the original OWASP Top 10 document and also made their product more attractive by saying that they are testing for these OWASP Top 10, and these two things IMHO require an OWASP membership.

  17. dre

    http://www.owasp.org/index.php/OWASP_brand_usage_rules

    I don’t know where the LGPL vs. GPL arguments come from. This isn’t about software at all. It’s about brand. The above URL contains all the information you want on the subject.

  18. Disenchant

    Hi dre,
    unfortunately I don’t think that the case discussed here will be covered by the page you’ve linked. From my point of view it’s a license violation by Acunetix which has to do with the license and not directly with the OWASP, but this leads into an abuse of the OWASP brand because OWASP is built upon the OWASP projects. So, even if this is not written explicitly in the brand usage rules on owasp.org, this is IMHO a brand abuse.

    The only thing I can read out of the “OWASP brand usage rules” is “Currently there are no OWASP Published Standards” and “6. The OWASP Brand must not be used in a manner that suggests that a product or technology is compliant with any OWASP Materials other than an OWASP Published Standard.”, and this is exactly what Acunetix has done.

    Anyway, I hope that the OWASP will spend some more time on the license and the OWASP brand stuff, because this “discussion” on this posting here shows me that it’s not as clear as it seems to be. This will give the OWASP the possibility to really do something against companies which abuse the OWASP brand.
