[OCC] Mobile Apps Project + Conference

dinis cruz dinis.cruz at owasp.org
Fri Jan 8 07:31:12 EST 2010


Thanks

Question: All information below is public, right?

I want to forward it to the owasp-leaders list and write a blog post about
it, so I just want to make sure that you are ok with disclosing it.

Dinis

2009/12/22 Giles Hogben <Giles.Hogben at enisa.europa.eu>

> Hi All,
>
> As promised, here is a short description of our Mobile Apps project. Bottom
> line: we would like at least *one expert from OWASP with relevant
> expertise to contribute 5-10 days to the project from Jan to Sept 2010*.
> There will be at least 1 face to face in Europe, for which expenses can be
> paid by ENISA. We are still at the planning stage and will have a more
> detailed scope and ToR in early Jan.
>
> Please note also the conference we mentioned – the call for papers is here:
> http://www.cloudsecurityalliance.org/sc2010.html
>
> Finally, for your information and consideration, I’ve also included a short
> description of our ideas for 2011:
>
> *Mobile applications – risks and dependencies on cloud infrastructure.*
>
> In the past year alone, mobile applications (apps) for Apple’s iPhone and
> Google's Android platforms have seen a phenomenal growth, with Apple
> recently announcing the billionth app download
> <http://www.apple.com/itunes/billion-app-countdown/>. The Pew Internet
> report <http://www.pewinternet.org/Reports/2008/The-Future-of-the-Internet-III.aspx>
> predicts that by 2020, more content will be consumed by mobile devices than
> all other platforms - the PC included.
>
> With mobile devices now playing an important role in everything from our
> social interactions to traffic flow control, it is important for ENISA to
> understand the security implications of this new phenomenon. For example, a
> recent high-profile incident
> <http://information-security-resources.com/2009/10/26/sidekick-goof-shows-cloud-computing-risks/>
> in which millions of customers’ data was irretrievably lost showed the
> importance of the dependency of mobile applications on cloud-based
> infrastructures supporting them. Furthermore, in November 2009, the first
> iPhone virus affecting internet banking <http://bit.ly/69kWj> was
> detected.
>
> In this project, ENISA will study and report on key risks in mobile “apps”
> with a focus on the dependency of thin-client architectures on back-end
> cloud systems. The report will recommend possible approaches to reduce risk
> in this area.
>
> The exact scope of the report will be based on a survey of existing work in
> the area and will be adjusted in order to complement any work already in
> progress in particular by the Commission and Member states.
>
>
> *Possible activities and deliverables for 2011 and beyond*
>
> Note that the following are just brief statements included in order to
> illustrate the vision. They will be discussed and if selected elaborated in
> the 2011 planning cycle.
>
> *Secure software development: *Working closely in conjunction with
> existing secure development initiatives, to collect and aggregate
> information, support, foster and promote existing initiatives. The precise
> strategy will depend on an initial stock-taking phase to be carried out
> either in 2010 or prior to this project in 2011. Examples of areas which may
> be covered are:
>
> ·         Testing methodologies
>
> ·         Collection and promotion of best practices and principles of
> secure development. Working closely with existing initiatives to support and
> enhance their effectiveness.
>
> ·         Formal verification processes
>
> *Software liability:* an independent study of the possible effects and
> consequences of software liability regulation. The aim of this study would
> not be to make a recommendation as to whether or not software liability
> should be implemented, but to provide information and analysis on its
> possible implications and modes of implementation.
>
> *Secure supply chain applications:* a study of risks affecting
> applications concerned with supply chain delivery.
>
> *Acceptable and unacceptable risks for end-users:* a survey of available
> techniques for measuring the true impact and probability of application
> threats. There is currently a diverse array of measurement techniques for
> measuring the impact of threats, ranging from honeypots to network sensors
> and AV data aggregation. None of these however measures the probability and
> level of real harm to a given individual. It may be that in the light of
> such an approach, certain end-user risks should better be considered
> acceptable while others which are currently considered acceptable should be
> addressed. For some background on the thinking behind this, please see
> http://bit.ly/5CXesN
>
> *High-dependability application security:* a study of risks and best
> practices in high dependability environments. This could include risks
> affecting applications concerned with supervision and control (SCADA
> applications).
>
> Giles Hogben
>
> Programme Manager, Secure Applications
>
> European Network & Information Security Agency (ENISA)
>
> Tel: +30 2810 391892
>
> Fax: +30 2810 39000
>
> *From:* dinis cruz [mailto:dinis.cruz at owasp.org]
> *Sent:* 22 December 2009 15:15
> *To:* Daniele Catteddu
> *Cc:* Giles Hogben; Carlos Serrao; OWASP Foundation Board List; Colin
> Watson; Vinay Bansal (vibansal); Shankar Babu Chebrolu (shbabu)
> *Subject:* Re: Conference Call OWASP-ENISA
>
> I just tried the numbers on the Genesis system and multiple (PT, Spain, UK)
> don't seem to be working, so here is the OWASP one we could use  (1-866-534-4754,
> Code: 7452912855).
>
> Dinis
>
> 2009/12/22 Daniele Catteddu <Daniele.Catteddu at enisa.europa.eu>
>
> We got a problem with our Genesis system.
>
> Should you have an alternative solution that would be much more than
> welcome otherwise we try with Genesis
>
> Daniele
>
> *From:* dinis cruz [mailto:dinis.cruz at owasp.org]
> *Sent:* 22 December 2009 13:38
> *To:* Daniele Catteddu
> *Cc:* Giles Hogben; Carlos Serrao; OWASP Foundation Board List
>
>
> *Subject:* Re: Conference Call OWASP-ENISA
>
> Yes, I sent an invite to the OWASP Board and to the leaders of this OWASP
> Cloud Security project:
> http://www.owasp.org/index.php/Category:OWASP_Cloud_‐_10_Project
>
> Is there a phone bridge we can use?
>
> Dinis
>
> 2009/12/21 Daniele Catteddu <Daniele.Catteddu at enisa.europa.eu>
>
> Ok, 2 pm GMT. Dinis, are you involving other people?
>
>
> --- original message ---
> From: "Dinis Cruz" <dinis.cruz at owasp.org>
> Subject: Re: Conference Call OWASP-ENISA
> Date: 21st December 2009
> Time: 5:21:12 pm
>
> I'm ok for 2pm tomorrow
>
> Dinis Cruz
>
> On 21 Dec 2009, at 06:26, "Giles Hogben"
> <Giles.Hogben at enisa.europa.eu> wrote:
>
> > Sorry I have got another appointment at 12.30 UTC/GMT. Can we shift
> > it to 14.00 UTC/GMT
> >
> > We could also explain our project on cloud computing assurance,
> > which might be of interest.
> >
> > Cheers,
> >
> > Giles
> >
> >
> > _____________________________________________
> > From: Daniele Catteddu
> > Sent: 20 December 2009 20:42
>
> > To: dinis.cruz at owasp.org; Carlos Serrao; Giles Hogben
>
> > Subject: Conference Call OWASP-ENISA
> >
> >
> > Dear Carlos and Dinis
> >
> > It was a pleasure to talk with you during the IBWAS Conference in Madrid.
> >
> > Now as already discussed, I would like to set up a conf call
> > between us to verify the potentiality and feasibility of a possible
> > collaboration between OWASP and ENISA.
> >
> > There are 2 main points I would like to discuss with you:
> >
> > 1)      Involvement of OWASP representatives in ENISA’s project on
> > cloud computing and mobile applications
> >
> > 2)      Possible medium term actions (from now to 2011)
> >
> >
> > You might want to invite for this call other relevant OWASP
> > representatives.
> >
> > I propose Tuesday the 22nd at 12 GMT.
> >
> > Please let me know.
> >
> > Regards
> >
> > Daniele
>