[Global_industry_committee] Nice idea to discuss and follow-up - [Fwd: IMPORTANT Please forward to Georg Hess BEFORE Tuesday]

Christian Heinrich christian.heinrich at owasp.org
Tue Nov 10 15:50:16 EST 2009


Georg,

Security-related e-mail aliases were defined in
http://www.rfc-archive.org/getrfc.php?rfc=2142 back in 1997.

On Tue, Nov 10, 2009 at 3:37 AM, Georg Heß <georg.hess at artofdefence.com> wrote:
> Dear members,
>
> please find attached an idea that was brought up to me at the end of last week
> after an interview with the podcast journalist.
>
> I am not at all familiar whether there are already tons of initiatives
> like this one in the US but it might be a good topic to hook on and
> perhaps even discuss it on the Summit on Wednesday.
>
> I feel it is one of these opportunities where OWASP can actually do
> something... and which we could use in reaching out to "all industries,
> branches, etc... "
>
>
> I told Ira that although I am certainly much interested in following up
> with him I might just be the wrong person in particular for the US region.
>
> What do you think ?
>
> Looking forward to meeting you WED evening... my flights were already
> booked before the summit was announced...
>
> Cheers
> Georg
>
>
> -------- Original Message --------
> Subject: IMPORTANT Please forward to Georg Hess BEFORE Tuesday
> Date: Sat, 7 Nov 2009 22:58:02 -0500
> From: Ira Victor <Ira at dataclonelabs.com>
> To: Nicole Miscioscia <nicole at marchpr.com>
>
> Hello Georg,
> It was good to meet you on the phone this week. Here is the "elevator
> pitch" for Report Security Flaws:
>
> Report Security Flaws exists to increase awareness and responsiveness in
> Internet vendors and web site operators when they receive
> security-related disclosures.
>
> It is our hope that all vendors/operators maintain an email alias that
> exists for the sole purpose of receiving disclosure notices from parties
> reporting noted security flaws on the vendor/operator's web site. Report
> Security Flaws was established as a public service by Russ McRee of
> HolisticInfoSec.org and Ira Victor, of The Data Security Podcast.
>
> Further, said email alias should be monitored by individuals with an
> understanding of web application security issues and business logic
> flaws, while maintaining a close working relationship with the site
> developers and operations engineers. This relationship should allow for
> the quick escalation of reported issues for mitigation and remediation.
>
> Examples of such an email alias might include:
> security at domain.com
> websecurity at domain.com
> webreports at domain.com
>
> Too often vendors and web site operators fail to manage the proper
> intake and escalation of reported security flaws, leading to lapses in
> web application security for days, weeks, and even months.
>
> We are very interested in having OWASP incorporate this approach into
> its guidelines. It is our desire that these concepts spread to other
> organizations and standard setting bodies. We would be happy to provide
> more details and meet by phone or online web meeting.
>
> Sincerely,
> Ira Victor, GIAC G17799 GCFA GPCI GSEC  ISACA CGEIT
> Co-host, Data Security Podcast
> 30min every week on data security, privacy and the law
>
> Audio Stream: http://datasecuritypodcast.com
>
> On iTunes: http://itunes.datasecuritypodcast.com
>
>
> --
> Dr. Georg Hess (CEO) - georg.hess at artofdefence.com
> T:+49 (0)941 604 889 58  M:+49 (0)170 575 3154  F:+49 (0)941 604 889 837
>
> art of defence GmbH, Bruderwöhrdstr 15b, 93055 Regensburg, Germany
> ------------------------------------------------------------------------
> Amtsgericht Regensburg HRB 9708
> Geschäftsführer:
> Dr. Georg Heß, Alexander Meisel
> ------------------------------------------------------------------------
> _______________________________________________
> Global_industry_committee mailing list
> Global_industry_committee at lists.owasp.org
> https://lists.owasp.org/mailman/listinfo/global_industry_committee
>
-- 
Regards,
Christian Heinrich - http://sn.im/cmlh_linkedin_profile
OWASP "Google Hacking" Project Lead - http://sn.im/owasp_google_hacking
Speaking Schedule at http://sn.im/cmlh_speaking_schedule