[Owasp-iso17799] Project Update [Virus checkedAU]

Rich Seiersen rich67dev at hotmail.com
Mon Mar 1 00:41:12 EST 2004


Bruce,
Agreed with your final conclusions, nonetheless, if and when ISO 
registration becomes a reality, we should not only hold true to excellence 
in terms of web app security, but be sound in terms of those pursuing ISO 
registration.  Would you not agree?

To that end...I guess I will play the role of ISO town crier - as we have 
more than adequate security chops on board...;-)

There is no requirement for a particular risk assessment - correct?  Section 
10.1 does imply that 'business requirements' must be taken into 
consideration, but again, an auditor cannot force the HOW on me in terms of 
how I came to my conclusions.  As long as I say, the related data for this 
web app is valued at $10mill, we consider that to be pricey, thus we decided 
to implement these controls..... Is frankly adequate, it may not be GOOD, 
but if it meets the letter of the standard then we are OK.  The auditor 
cannot say that we did not follow a certain methodology in terms of how we 
got our numbers etc. (well the auditor can try to say what we did is not ISO 
- or that they think our assessment stinks, but they won't win if it is not 
specifically stated within the standard).  So, there would be no slap - 
correct?  If I say in my included docs that I will do a risk assessment, 
and the assessment will contain certain specific steps, and I don't provide 
proof that those steps occurred - then the 'slap'.

If I don't do something that is specifically required by 17799, and don't 
provide a documented and acceptable reason for exclusion (which can occur 
and be valid) - then 'the slap'.  So, to create a template that implies 
something that is not required via the standard must be made explicit.  So, 
if we as a professional group state that a risk assessment is required, and 
the assessment should follow certain steps, and we think that 10.1 is a 
fitting place to hang this assessment, then fine.  But, we need to make it 
clear that what we have just done is an interpretation coming from the place 
of standard practices in terms of security.  Again, this goes back to what I 
was referring to in terms of interpretation.

Lastly, the iso standards are frameworks - correct?   So, I will stick with 
my push for a 'good' and 'valid' example.  Good is a qualitative term, can't 
be forced on someone pursuing registration, but is recommended for those 
pursuing real security in a reproducible manner.


Best Regards,
Richard Seiersen
rich67dev at hotmail.com

>From: Bruce.Morris at au.ey.com
>To: "Rich Seiersen" <rich67dev at hotmail.com>
>CC: owasp-iso17799 at lists.sourceforge.net,
>owasp-iso17799-admin at lists.sourceforge.net, samheinrich at hotmail.com
>Subject: RE: [Owasp-iso17799] Project Update  [Virus checkedAU]
>Date: Mon, 1 Mar 2004 15:25:30 +1100
>
>My $AU0.02 - which is doing remarkably well against the US$ of late (so
>there will probably be a significant slide following these remarks)...
>
>I would suggest that A or THE valid example is not the goal so much as A or
>possibly The Valid Framework to build your own.
>Whilst each decision is specific to a methodology, environment,
>application, organisation, etc, etc, the underlying concern is to determine
>what is appropriate to my webapp.  This means building a framework to solve
>the question - what is of concern to my webapp?
>
>As an internal auditor (as opposed to quality auditor), you may use DES
>because your QualProcs say so, but if you don't have a risk assessment
>which justifies why, then I am going to slap you over the wrist, especially
>if your requirements in the application have nothing to do with
>confidentiality.
>
>How do I apply 17799 to web applications?
>If the question is encryption, then the guidance I need is what do I need
>encryption for, where do I need to apply it, should I be targeting 3DES,
>PKI or homebrew - does it matter?
>If the question is access control, then the guidance I need is what access
>controls do I need, where should I put them, how do I maintain them, does
>it matter?  What business requirements or decisions will likely influence
>these bits?
>With personnel security, what are my options for confidentiality agreements
>and t&c where the user is not someone I engage with except online.  Should
>I be considering digital signatures on CTAs and when is this appropriate?
>What limitations are there with online registration of users that I should
>be aware of?
>
>I believe these questions drive through the process of design, development,
>implement, maintain, etc and are not restricted within the confines of
>ongoing operation.
>
>As you have rightly stated anyone can build a set of ISO procs and abide by
>them for a total value of nought.  This process should be to move beyond
>that, and in the spirit of OWASP (as I have understood so far) move towards
>delivering knowledge which promotes and instills better practice more
>broadly and systemically.
>
>Cheers
>
>"Rich Seiersen" <rich67dev at hotmail.com>
>Sent by: owasp-iso17799-admin at lists.sourceforge.net
>01/03/2004 12:43 PM
>To: samheinrich at hotmail.com, owasp-iso17799 at lists.sourceforge.net
>cc:
>Subject: RE: [Owasp-iso17799] Project Update  [Virus checkedAU]
>
>Team,
>I again hope not to be off topic.  But, the fundamental guiding light in
>all things ISO, is the audit.  So, from an auditor's perspective he/she
>will be looking for proof of WHAT you say you are doing in relation to the
>standard, while the HOW of it can have much variance.  In fact, your HOW
>may be lame - but if it's consistently lame - then you are ISO.  So, while
>you may use weak encryption like DES as opposed to 3DES, and you say as
>much, then you are fine.  But, if you use DES in one place, and 3DES in
>some other web deployment - you are not ISO (unless you say so explicitly
>in your related SOP etc).  This is an example of what ISO is all about.
>17799 is just one domain of concern within the world of ISO.
>
>If we take an auditor's perspective, we will be providing value to people
>who are seeking ISO.  Again, the purpose of all things ISO is to make
>things same and equal in practice across international lines and across
>organization lines.  From an international perspective, or company to
>company perspective, ISO forces the same WHATs in terms of security as it
>applies to ISO 17799, while the exact implementation will have variance
>(the HOW).  In our case, within a corporation, or an organization within a
>corporation, all their web deployments (i.e. design, development,
>deployment, and maintenance) would be same - the HOWs would be the same -
>the type of encryption would be the same for this example (I do know that
>certain situations might require different encryption and such - this is
>just an example, for example your WAP would probably use some other
>standard.).
>
>So, what this means for us (IMHO), is to come up with a valid example.
>What would be of long term value would be several valid examples or
>multiple valid templates.  I think we are heading in that direction, a
>valid example of ISO 17799, it would not be possible to come up with THE
>example.
>
>Regards,
>
>
>Richard Seiersen
>rich67dev at hotmail.com
>
>
>
>
>
> >From: "sam heinrich" <samheinrich at hotmail.com>
> >To: owasp-iso17799 at lists.sourceforge.net
> >Subject: RE: [Owasp-iso17799] Project Update
> >Date: Mon, 01 Mar 2004 00:59:00 +0000
> >
> >> From what I understood ... that iso 17799 was around information
> >> security management ie operational management
> >
> >Hi Mark - I don't want to try to make a call on that, but from my
> >perspective ISO 17799 is a standard for "information security management"
> >- managing information security - but not exclusively operational
> >management.  In fact, I would argue that it's just the opposite, that an
> >underlying reason for its emerging importance is that it reinforces
> >breadth and depth of infosec management in all aspects of business, while
> >companies traditionally have focused infosec on IT operations.
> >
> >From a business perspective, if I was looking for a guide to applying ISO
> >17799 to web applications, I would want to know what the standard
> >suggests (and why) in relation to my process controls, developer
> >awareness, data classification, requirements gathering, etc. - in
> >addition to the ongoing management of a production site.
> >
> >If I am the only one of this opinion, I don't want to keep pushing on
> >this.  I haven't seen any discussion on it until now, though.  We started
> >out doing some information gathering (extracting relevant sections of
> >17799), then skipped right into releasing version 1.  We never discussed
> >or determined the business need, audience, objectives, or most effective
> >design for this document.
> >
> >I'd like to see some group discussion on this, but if you'd prefer to set
> >the direction I definitely don't want to be a hindrance to our progress.
> >
> >Thanks - Sam
> >
> >----Original Message Follows----
> >From: Mark Curphey <mark at curphey.com>
> >Reply-To: mark at curphey.com
> >To: sam heinrich <samheinrich at hotmail.com>,
> ><owasp-iso17799 at lists.sourceforge.net>
> >Subject: RE: [Owasp-iso17799] Project Update
> >Date: Sun, 29 Feb 2004 17:57:51 -0500 (EST)
> >
> >Sam
> >
> >Part of the confusion here was my haste in getting that page up in the
> >owasp site. There is some great work right now going on in OWASP Testing
> >that is solely focused in the SDLC. From what I understood (and you guys
> >are the experts here so take this for what it's worth with me) that iso
> >17799 was around information security management ie operational
> >management
> >
> >---- sam heinrich <samheinrich at hotmail.com> wrote:
> > > Hi everyone,
> > >
> > > First, Stan, let me congratulate you on the birth of your daughter!
> > > This is a wonderful thing.
> > >
> > > About the document and how it should be organized, I am attempting to
> > > open up a conversation on an important topic for our group.  Stan, if
> > > the current approach is that you own the document and are making these
> > > decisions unilaterally, I apologize for muddying the waters - I
> > > understood this to be a community project intended to receive input on
> > > how to best produce a useful product.  Otherwise, I agree that we need
> > > to keep the first published draft simple, but it is worse to release a
> > > misguided first version, creating confusion and damaging the perceived
> > > value for our audience, than to take a checkpoint and make sure we are
> > > on track even if it takes a little longer.
> > >
> > > The quote I took on the purpose of the document is directly from the
> > > OWASP website page for this project - "the process of designing,
> > > developing and deploying web applications" - definitely not just
> > > managing them once in operations.  If there is reason to think that
> > > objective has changed, we should validate that and then update the
> > > site.
> > >
> > > I strongly feel that the best way for the document to meet the stated
> > > objective is to be organized according to the major areas stated in
> > > that objective (e.g. designing, developing, deploying).  I feel this
> > > because the need is to understand how 17799 applies to each of these
> > > processes, and I believe our target audience are those who are
> > > primarily involved with these processes and not necessarily focused
> > > primarily on security.  Such an audience will be mentally aligning the
> > > information to their lifecycle or the processes with which they are
> > > concerned.  If the document is structured in parallel to 17799, they
> > > will either have to read the whole thing and mentally restructure it,
> > > or guess at which sections are relevant to them and potentially miss
> > > important guidance.
> > >
> > > Thoughts?
> > >
> > > Thanks,
> > > Sam
> > >
> > >
> > > ----Original Message Follows----
> > > From: "Stan Guzik" <stanguzik at yahoo.com>
> > > Reply-To: <stanguzik at yahoo.com>
> > > To: "'sam heinrich'" <samheinrich at hotmail.com>, <scott.ammon at hushmail.com>, <owasp-iso17799 at lists.sourceforge.net>
> > > Subject: RE: [Owasp-iso17799] Project Update
> > > Date: Sun, 29 Feb 2004 12:21:57 -0500
> > >
> > > Sorry for not following up sooner but my wife just gave birth to a
> > > healthy baby girl.  We were in the hospital for a couple of days and
> > > now the family and friends are coming to visit.  So far it's lots of
> > > fun!
> > >
> > > Sam, I'll own the document and organize it.  Once we get a first draft
> > > ready I'll give it to you for a final read before we publish it.  When
> > > I get a chance I'll add it to SF and put it into DocBook format.
> > >
> > > The document's goal is how to apply the 17799 to the management of web
> > > applications.  OK, what does management of web applications mean?
> > > Most of the sections of the 17799 deal with the operations/maintenance
> > > of IT.  Therefore our document should be primarily focused on
> > > operations of applications in production not the SDLC.  There are
> > > areas that touch on the SDLC like System Development and Maintenance
> > > but it's not the main focus of the document.
> > >
> > > Let's keep it simple and get a first version of the document out that
> > > gives templates to help implement 17799 for applications that are in
> > > production.  Once the first draft is out we'll get feedback and look
> > > at other directions for the future.
> > >
> > > -----Original Message-----
> > > From: sam heinrich [mailto:samheinrich at hotmail.com]
> > > Sent: Tuesday, February 24, 2004 9:02 AM
> > > To: scott.ammon at hushmail.com; owasp-iso17799 at lists.sourceforge.net;
> > > stanguzik at yahoo.com
> > > Subject: Re: [Owasp-iso17799] Project Update
> > >
> > > hi everyone -
> > >
> > > stan, teaming sounds great to me - i'm actually more efficient at
> > > editing than i am at organizing a first draft!  scott - nice to meet
> > > you.
> > >
> > > speaking of editing, i wanted to bring up something that hasn't come
> > > up in a while.  our project goal is to produce a guide to "how ISO
> > > 17799 can be applied to the process of designing, developing and
> > > deploying web applications in production."  when i first got involved
> > > last year, i think there was some agreement that the document will be
> > > most effective for its purpose if it is structured around the
> > > application lifecycle, rather than broken up according to the 17799
> > > sections?
> > >
> > > before we actually release the first draft, i'd like to suggest that
> > > we reorganize the information we've gathered along these lines -
> > > addressing the business problem of "how to apply 17799 to the
> > > application lifecycle" - with cross-references to the relevant ISO
> > > sections.  i'd be happy to own it as a deliverable - for starters, i
> > > could float an outline of what the document would look like?
> > >
> > > thanks - sam
> > >
> > >
> > >
> > > ----Original Message Follows----
> > > From: <scott.ammon at hushmail.com>
> > > To: owasp-iso17799 at lists.sourceforge.net, stanguzik at yahoo.com
> > > Subject: Re: [Owasp-iso17799] Project Update
> > > Date: Mon, 23 Feb 2004 07:25:55 -0800
> > >
> > > -----BEGIN PGP SIGNED MESSAGE-----
> > > Hash: SHA1
> > >
> > > no problem teaming up.  I'm hoping to have something written up by
> > > mid-next week.
> > >
> > > /scott
> > >
> > > On Sun, 22 Feb 2004 08:15:42 -0800 Stan Guzik <stanguzik at yahoo.com>
> > > wrote:
> > >   >Hello Everyone,
> > >   >
> > >   >I'm changing my email address from work to personal.  Please use
> > >   >stanguzik at yahoo.com.  My work email address still works but I do
> > >   >my OWASP work from my home computer and it's easier to use my
> > >   >personal email.
> > >   >
> > >   >I'd like to welcome our new member Bruce Morris.  Also Scott is
> > >   >interested in working on the Compliance section and has a template
> > >   >to contribute.  Sam and Scott should team up and work on this
> > >   >section together.  Guys what do you think about teaming up?
> > >   >
> > >   >To get our first version of the document out we need to complete
> > >   >Personal Security and Access Control.  To get things moving a
> > >   >little faster, how about Bruce helping with one or more of those
> > >   >sections?  Rich, Andrew and Bruce please let me know if it's ok
> > >   >with you.
> > >   >
> > >   >Andrew I'm going to borrow a few sentences from your Intro and from
> > >   >your System Development section and incorporate it into other
> > >   >sections of the document.  Terumi, how is the Organizational
> > >   >security going?
> > >   >
> > >   >We still have a few open sections.  Please let me know if anyone
> > >   >feels up to tackling one of them.  The project plan is attached.
> > >   >
> > >   >Thanks,
> > >   >Stan
> > >   >
> > > -----BEGIN PGP SIGNATURE-----
> > > Note: This signature can be verified at https://www.hushtools.com/verify
> > > Version: Hush 2.3
> > >
> > > wkYEARECAAYFAkA6G30ACgkQzhSc4ju+ZEKfygCfe5voP/29YYsNeJfi3815ahH0cWgA
> > > nRlhkP7nNv1a+hJJfmodvGSvQXyH
> > > =BeGN
> > > -----END PGP SIGNATURE-----
> > >
> > > _______________________________________________
> > > Owasp-iso17799 mailing list
> > > Owasp-iso17799 at lists.sourceforge.net
> > > https://lists.sourceforge.net/lists/listinfo/owasp-iso17799
> > >
