[Owasp-leaders] 2010 Elections

Erlend Oftedal Erlend.Oftedal at BEKK.no
Thu Dec 4 02:44:34 EST 2008


I have to agree with the others. Validating that a site is "OWASP Top 10 compliant" requires quite an effort, because to understand the lack of, say, URL access restrictions (A10), you will have to know a lot about the web application. And since most web apps are changed on a regular basis, keeping the "compliance" would require that the app was assessed for each new release. Introducing a new XSS bug (A1) is something developers will easily do if they don't think about what they are doing.


Erlend
OWASP Norway

From: owasp-leaders-bounces at lists.owasp.org [mailto:owasp-leaders-bounces at lists.owasp.org] On Behalf Of Puneet Mehta
Sent: 3 December 2008 16:03
To: kuai hinojosa
Cc: OWASP-Leaders at lists.owasp.org
Subject: Re: [Owasp-leaders] 2010 Elections

and the reputation loss if it gets defaced...
On Tue, Dec 2, 2008 at 11:57 PM, kuai hinojosa <kuai.hinojosa at owasp.org> wrote:
And don't forget liabilities...

On Dec 2, 2008, at 12:02 PM, Mandeep Khera wrote:


I have to agree with Fabio here. Giving certifications to Web sites is like putting a bull's eye on the site for hackers, as we have seen with some seals out there, including McAfee and others. It requires a lot of work to make sure that the Web sites are secure, and even then it's not always a hundred percent.


Mandeep Khera
Chief Marketing Officer
Cenzic, Inc.
www.cenzic.com | (866) 423-6942
455 El Camino Real, Ste. 100
Santa Clara, CA 95050
Phone: (408) 200-0712
Email: mandeep at cenzic.com
Fax: (408) 200-0701

#1 in Enterprise Web Application Vulnerability Assessment and Risk Management
SC Magazine Best Buy http://www.cenzic.com/downloads/pdf/SC_magazine_04-2008.pdf
Gartner Video: Web App Security
https://www.cenzic.com/landing/GartnerVideo/


________________________________
From: owasp-leaders-bounces at lists.owasp.org [mailto:owasp-leaders-bounces at lists.owasp.org] On Behalf Of fabio.e.cerullo at aib.ie
Sent: Tuesday, December 02, 2008 1:53 AM
To: McGovern, James F (HTSC, IT)
Cc: OWASP-Leaders at lists.owasp.org
Subject: Re: [Owasp-leaders] 2010 Elections

you are suggesting risky waters there... imagine if the website is defaced and the OWASP badge is sitting at the bottom of their site?

also, that would mean continuously monitoring these websites as new vulnerabilities are discovered.

McAfee already ran into trouble thanks to their Hacker Safe certificate...

http://attrition.org/errata/sec-co/mcafee07.html

Fabio Cerullo
Information Security
Bankcentre D1,
Ballsbridge,
Dublin 4,
Ireland.

Tel: +353 1 642 6309
Email: fabio.e.cerullo at aib.ie



"McGovern, James F (HTSC, IT)" <James.McGovern at thehartford.com>
Sent by: owasp-leaders-bounces at lists.owasp.org

01/12/2008 18:08


To: <OWASP-Leaders at lists.owasp.org>
cc:
Subject: [Owasp-leaders] 2010 Elections





I had another half-baked idea for a 2009 project and wanted to get reactions from others. Many folks are aware that Barack Obama raised a lot of money for his Presidential campaign via his website. Likewise, his website was under attack. What would we think if we as members of OWASP helped senators, congressmen, etc. in a non-partisan way audit their websites at no charge and do so in exchange for an OWASP badge at the bottom of their site?

We all make fun of those websites that display badges indicating 128-bit SSL but need to noodle whether the badging strategy could work for OWASP as a way to spread brand in a controlled manner. Bringing a higher-level badging strategy would be beneficial to the industry. Imagine a badge indicating that they are OWASP Top Ten compliant where, upon clicking it, we could explain security to average users...
_______________________________________________
OWASP-Leaders mailing list
OWASP-Leaders at lists.owasp.org
https://lists.owasp.org/mailman/listinfo/owasp-leaders




--
Puneet Mehta CISSP CISA CEH CPTS BS7799 LA
OWASP Delhi Board