From: Thierry Zoller (ThierryZoller.lu)
Date: Thu Sep 06 2007 - 18:50:47 CDT
Posted here since reply was not appreciated on the Websecurity list.
> Myself I also saw some abuses by some companies
Abuses on the Internets from the Acunetix evil doers.
>and also after I’ve talked to them, they removed the things which
So you're policing the internet for compliance? Ok, you have contacted
other vendors? Good.
Then I ask myself if you also have contacted Acunetix and asked
them about it?
From the blog comments I see that in fact you have not, so I ask myself why
you have talked to "other vendors" about it while you chose a blog post
and a mailing list post for Acunetix. Are they kind of evil? Do they
need to be taught a lesson?
>My conclusion on this story is, that Acunetix has broken the law
The law? IF they have broken anything at all they would have broken
a license, not the law. If law making is done by posting something
to a website, hell I'll just create one right now.
>so they have to remove the OWASP parts out of their scanner
What OWASP part is in their scanner? The name? Isn't the rest just
>pay something to the OWASP because of the license abuse)
Since when is using a name a license abuse? (Again, supposing all they
used was the name)
>or they’ll have
>to put their web vulnerability scanner also under the same license as the
>OWASP Top 10 which will be AFAIK the GPL.
No it's _not_ the GPL, you even say it on your own blog, it's the
You have not understood the *GPL license at all. It is just not true to
say that all derivative works or all works embedding *GPL software will
automatically become *GPL.
Not to mention USING the word "OWASP TOP 10" is surely not "derived
Why do you think OWASP is LGPL and not GPL?
The main difference between the LGPL and GPL is an exception provision
that permits the use of LGPL'ed libraries to be "combine[d] or link[ed]"
with works that use the library and distribution of the aforementioned
work under any terms, provided that these terms permit modification of
the work for the customer's own use and reverse engineering for debugging.
Simply put, this implies that one is allowed to use LGPL'ed libraries
and link them with other open-source software - even not licensed
under the LGPL.
Actually, these licenses say: "if identifiable sections of [derivative work]
are not derived from the [original software] and can be reasonably considered
independent and separate works in themselves, then the [*GPL], and its terms,
do not apply to those sections when [one] distributes them as separate works".
I am sorry, but checking for XSS or SQL injections is clearly not
derived work from OWASP, the only problem here is that they use the
term OWASP and that's pretty much it.
There is nothing wrong with testing for the OWASP Top 10 vulnerabilities;
they are not OWASP inventions, nor are they patented/trademarked
or otherwise protected. They refer to industry-named vulnerabilities
Would it be fair if Acunetix is/became an OWASP member? Surely. Is it
required? IMHO, no it isn't.
Fingerprint : 5D84 BFDC CD36 A951 2C45 2E57 28B3 75DD 0AC6 F1C7
Full-Disclosure - We believe in it.
Hosted and sponsored by Secunia - http://secunia.com/