posted 13 years ago
OWASP does NOT endorse or certify any commercial products or services.
At the moment, we also do not "certify" any individuals, though as Ferdinand mentioned, there is an active effort to explore this possibility.
What you have most likely run into is company literature that states that their product "conforms to" or "protects against" the OWASP Top 10.
In some ways, this is akin to a web browser stating they are ACID2 compliant, or a website stating they are W3C-standards compliant.
The reality though is that the OWASP Top 10 project is not a "standard" - it is a document whose goal is "to raise awareness about application security by identifying some of the most critical risks facing organizations."
What most commercial products mean when they allude to the Top 10 or to OWASP in general is that they believe their tool or product can help a company identify application security vulnerabilities such as those frequently cited by OWASP. As with any commercial product or service, obviously your mileage may vary.
OWASP will occasionally issue statements applauding companies for recognizing the importance of application security and secure development principles, but OWASP does NOT make any evaluation on the quality of any commercial product or service.
-Jason
OWASP Global Projects Committee Chair