[Owasp-leaders] 2010 Elections

McGovern, James F (HTSC, IT) James.McGovern at thehartford.com
Thu Dec 4 10:01:57 EST 2008


Let's undistill why the seal is good and bad.
 
1. The other seals imply that the site is secure based on rudimentary
scanning.
2. The other seals imply that security is up to date by expressing a
last validation date.
3. The other seals are there to imply completeness to those who aren't
OWASP literate.
 
I think I am suggesting something a little different than what others
have done.
 
1. I am not talking about revenue and the marketing distortions that
come with making a profit.
2. I am not talking about doing things that could take potential revenue
away from OWASP sponsors.
3. I am not implying that OWASP security is complete.
 
Things that I was noodling:
 
1. Scope would be for individuals running for government (helps with PR
as they are high traffic).
2. This particular demographic doesn't even usually have dedicated IT.
At best it has web designers, so the Aspects, Ounces, etc. won't lose
revenue.
3. The badge isn't a certification but an opportunity to display the OWASP
Top Ten along with why they are important.
4. The badge would intentionally talk about OWASP being a component. It
doesn't certify other aspects.
5. The badge shouldn't imply any form of warranty. It could, however, mean
that they used practices such as static analysis and scanning, along with
the last date for these events and the tools used.
6. The badge doesn't need to have continuous monitoring, as this is more
about expectation management. Think more like how the big four sign off
on the 10-K annually. Bad things can happen within the year.
 
Anyway, if no one is feeling this, then what can we do to increase PR?
Thinking out loud is always a good thing.

________________________________

From: kuai hinojosa [mailto:kuai.hinojosa at owasp.org] 
Sent: Tuesday, December 02, 2008 1:28 PM
To: Mandeep Khera
Cc: fabio.e.cerullo at aib.ie; McGovern, James F (HTSC, IT);
OWASP-Leaders at lists.owasp.org
Subject: Re: [Owasp-leaders] 2010 Elections


And don't forget liabilities... 

On Dec 2, 2008, at 12:02 PM, Mandeep Khera wrote:


	I have to agree with Fabio here. Giving certifications to Web
sites is like putting a bull's eye on the site for hackers, as we have
seen with some seals out there, including McAfee and others. It requires
a lot of work to make sure that the Web sites are secure, and even then
it's not always a hundred percent.
	 
	Mandeep Khera
	Chief Marketing Officer
	Cenzic, Inc.
	www.cenzic.com | (866) 423-6942
	455 El Camino Real, Ste. 100
	Santa Clara, CA 95050
	Phone: (408) 200-0712
	Email:  mandeep at cenzic.com
	Fax: (408) 200-0701
	
________________________________

	From: owasp-leaders-bounces at lists.owasp.org
[mailto:owasp-leaders-bounces at lists.owasp.org] On Behalf Of
fabio.e.cerullo at aib.ie
	Sent: Tuesday, December 02, 2008 1:53 AM
	To: McGovern, James F (HTSC, IT)
	Cc: OWASP-Leaders at lists.owasp.org
	Subject: Re: [Owasp-leaders] 2010 Elections
	
	

	you are suggesting risky waters there... imagine if the website
is defaced and the OWASP badge is sitting at the bottom of their site?
	
	also, that would mean continuously monitoring these websites as
new vulnerabilities are discovered.
	
	McAfee already ran into trouble thanks to their Hacker Safe
certificate...
	
	http://attrition.org/errata/sec-co/mcafee07.html
	
	Fabio Cerullo
	Information Security 
	Bankcentre D1, 
	Ballsbridge,
	Dublin 4,
	Ireland.
	
	Tel: +353 1 642 6309
	Email: fabio.e.cerullo at aib.ie
	
	
	
	
	"McGovern, James F (HTSC, IT)" <James.McGovern at thehartford.com>
	Sent by: owasp-leaders-bounces at lists.owasp.org
	01/12/2008 18:08
	To: <OWASP-Leaders at lists.owasp.org>
	cc:
	Subject: [Owasp-leaders] 2010 Elections
	
	I had another half-baked idea for a 2009 project and wanted to
get reactions from others. Many folks are aware that Barack Obama raised
a lot of money for his Presidential campaign via his website. Likewise,
his website was under attack. What would we think if we, as members of
OWASP, helped senators, congressmen, etc. in a non-partisan way audit
their websites at no charge, and did so in exchange for an OWASP badge at
the bottom of their site?
	  
	We all make fun of those websites that display badges indicating
128-bit SSL, but we need to noodle whether the badging strategy could work
for OWASP as a way to spread the brand in a controlled manner. Bringing a
higher-level badging strategy would be beneficial to the industry.
Imagine a badge indicating that they are OWASP Top Ten compliant where,
upon clicking it, we could explain security to average users...
	************************************************************
	This communication, including attachments, is for the exclusive
use of addressee and may contain proprietary, confidential and/or
privileged information.  If you are not the intended recipient, any use,
copying, disclosure, dissemination or distribution is strictly
prohibited.  If you are not the intended recipient, please notify the
sender immediately by return e-mail, delete this communication and
destroy all copies.
	************************************************************
	_______________________________________________
	OWASP-Leaders mailing list
	OWASP-Leaders at lists.owasp.org
	https://lists.owasp.org/mailman/listinfo/owasp-leaders
	
	