[Global_industry_committee] Fwd: Mobile Apps Project + Conference

dinis cruz dinis.cruz at owasp.org
Mon Jan 18 09:36:23 EST 2010


OWASP Leaders, GIC and OCC

Here is a request we received from the EU's ENISA which I think it is critical
that OWASP participates in actively.

I'm not sure what the best course of action is, since this could be taken up by
multiple parties: an OWASP leader, the GIC (Global Industry Committee) or
even the OCC (OWASP Connections Committee).

I guess the first thing we need is somebody to take responsibility and come
forward (Colin, can you provide more updates, if there are any?).

Btw, I asked Giles if the information in the email below was confidential or
if it was public, and whether we could freely distribute it or blog about it. Giles
responded that it was fine to publish these details anywhere we feel it's
relevant, so please send it to whoever you think is relevant (and write blog
posts about it).

Dinis Cruz

---------- Forwarded message ----------
From: Giles Hogben <Giles.Hogben at enisa.europa.eu>

Hi All,

As promised, here is a short description of our Mobile Apps project. Bottom
line: we would like at least *one expert from OWASP with relevant expertise
to contribute 5-10 days to the project from Jan to Sept 2010*. There will be
at least 1 face to face in Europe, for which expenses can be paid by ENISA.
We are still at the planning stage and will have a more detailed scope and
ToR in early Jan.

Please note also the conference we mentioned – the call for papers is here:
http://www.cloudsecurityalliance.org/sc2010.html

Finally, for your information and consideration, I've also included a short
description of our ideas for 2011:

*Mobile applications – risks and dependencies on cloud infrastructure.*

In the past year alone, mobile applications (apps) for Apple's iPhone and
Google's Android platforms have seen phenomenal growth, with Apple
recently announcing the billionth app
download <http://www.apple.com/itunes/billion-app-countdown/>.
The Pew Internet
report <http://www.pewinternet.org/Reports/2008/The-Future-of-the-Internet-III.aspx> predicts
that by 2020, more content will be consumed by mobile devices than
all other platforms - the PC included.

With mobile devices now playing an important role in everything from our
social interactions to traffic flow control, it is important for ENISA to
understand the security implications of this new phenomenon. For
example, a recent
high-profile incident <http://information-security-resources.com/2009/10/26/sidekick-goof-shows-cloud-computing-risks/> in
which millions of customers' data was irretrievably lost showed the
importance of the dependency of mobile applications on the cloud-based
infrastructures supporting them. Furthermore, in November 2009, the first
iPhone virus affecting internet banking <http://bit.ly/69kWj> was detected.

In this project, ENISA will study and report on key risks in mobile “apps”
with a focus on the dependency of thin-client architectures on back-end
cloud systems. The report will recommend possible approaches to reduce risk
in this area.

The exact scope of the report will be based on a survey of existing work in
the area and will be adjusted in order to complement any work already in
progress in particular by the Commission and Member states.


*Possible activities and deliverables for 2011 and beyond*

Note that the following are just brief statements included in order to
illustrate the vision. They will be discussed and if selected elaborated in
the 2011 planning cycle.

*Secure software development: *Working closely in conjunction with existing
secure development initiatives, to collect and aggregate information,
support, foster and promote existing initiatives. The precise strategy will
depend on an initial stock-taking phase to be carried out either in 2010 or
prior to this project in 2011. Examples of areas which may be covered are:

- Testing methodologies

- Collection and promotion of best practices and principles of
  secure development. Working closely with existing initiatives to support and
  enhance their effectiveness.

- Formal verification processes

*Software liability:* an independent study of the possible effects and
consequences of software liability regulation. The aim of this study would
not be to make a recommendation as to whether or not software liability
should be implemented, but to provide information and analysis on its
possible implications and modes of implementation.

*Secure supply chain applications:* a study of risks affecting applications
concerned with supply chain delivery.

*Acceptable and unacceptable risks for end-users:* a survey of available
techniques for measuring the true impact and probability of application
threats. There is currently a diverse array of measurement techniques for
measuring the impact of threats, including honeypots to network sensors and
AV data aggregation. None of these however measures the probability and
level of real harm to a given individual. It may be that in the light of
such an approach, certain end-user risks should better be considered
acceptable while others which are currently considered acceptable should be
addressed. For some background on the thinking behind this, please see
http://bit.ly/5CXesN

*High-dependability application security:* a study of risks and best
practices in high-dependability environments. This could include
applications concerned with supervision and control (SCADA).

Giles Hogben

Programme Manager, Secure Applications

European Network & Information Security Agency (ENISA)

Tel: +30 2810 391892

Fax: +30 2810 39000