[Global_industry_committee] Nice idea to discuss and follow-up - [Fwd: IMPORTANT Please forward to Georg Hess BEFORE Tuesday]

Georg Heß georg.hess at artofdefence.com
Mon Nov 9 11:37:16 EST 2009


Dear members,

please find attached an idea that was brought up to me at the end of last week
after an interview with the podcast journalist.

I am not at all familiar with whether there are already tons of initiatives
like this one in the US, but it might be a good topic to hook on to and
perhaps even discuss at the Summit on Wednesday.

I feel it is one of these opportunities where OWASP can actually do
something... and which we could use in reaching out to "all industries,
branches, etc... "


I told Ira that although I am certainly much interested in following up
with him I might just be the wrong person in particular for the US region.

What do you think?

Looking forward to meeting you WED evening... my flights were already
booked before the summit was announced...

Cheers
Georg


-------- Original Message --------
Subject: IMPORTANT Please forward to Georg Hess BEFORE Tuesday
Date: Sat, 7 Nov 2009 22:58:02 -0500
From: Ira Victor <Ira at dataclonelabs.com>
To: Nicole Miscioscia <nicole at marchpr.com>

Hello Georg,
It was good to meet you on the phone this week. Here is the "elevator
pitch" for Report Security Flaws:

Report Security Flaws exists to increase awareness and responsiveness in
Internet vendors and web site operators when they receive
security-related disclosures.

It is our hope that all vendors/operators maintain an email alias that
exists for the sole purpose of receiving disclosure notices from parties
reporting noted security flaws on the vendor/operator's web site. Report
Security Flaws was established as a public service by Russ McRee of
HolisticInfoSec.org and Ira Victor, of The Data Security Podcast.

Further, said email alias should be monitored by individuals with an
understanding of web application security issues and business logic
flaws, while maintaining a close working relationship with the site
developers and operations engineers. This relationship should allow for
the quick escalation of reported issues for mitigation and remediation.

Examples of such an email alias might include:
security at domain.com
websecurity at domain.com
webreports at domain.com

Too often vendors and web site operators fail to manage the proper
intake and escalation of reported security flaws, leading to lapses in
web application security for days, weeks, and even months.

We are very interested in having OWASP incorporate this approach into
its guidelines. It is our desire that this concept spreads to other
organizations and standard-setting bodies. We would be happy to provide
more details and meet by phone or online web meeting.

Sincerely,
Ira Victor, GIAC G17799 GCFA GPCI GSEC  ISACA CGEIT
Co-host, Data Security Podcast
30min every week on data security, privacy and the law
Audio Stream: http://datasecuritypodcast.com
On iTunes: http://itunes.datasecuritypodcast.com


-- 
Dr. Georg Hess (CEO) - georg.hess at artofdefence.com
T:+49 (0)941 604 889 58  M:+49 (0)170 575 3154  F:+49 (0)941 604 889 837

art of defence GmbH, Bruderwöhrdstr 15b, 93055 Regensburg, Germany
------------------------------------------------------------------------
Amtsgericht Regensburg HRB 9708
Geschäftsführer:
Dr. Georg Heß, Alexander Meisel
------------------------------------------------------------------------