[Owasp-leaders] 2010 Elections

Wong Onn Chee ocwong at usa.net
Fri Dec 5 04:07:52 EST 2008


Hi,

I would like to draw your attention to a seal program for online merchants
we have here in Singapore - TrustSG.
More details can be found at
http://www.trustsg.com.sg/for_consumers/index.html

Maybe we can draw some references from them?

Regards
Onn Chee



McGovern, James F (HTSC, IT) wrote:
> Let's undistill why the seal is good and bad.
>  
> 1. The other seals imply that the site is secure based on rudimentary
> scanning.
> 2. The other seals imply that security is up to date by expressing a
> last validation date.
> 3. The other seals are there to imply completeness to those who aren't
> OWASP literate.
>  
> I think I am suggesting something a little different than what others
> have done.
>  
> 1. I am not talking about revenue and the marketing distortions that
> come with making a profit.
> 2. I am not talking about doing things that could take potential
> revenue away from OWASP sponsors
> 3. I am not implying that OWASP security is complete.
>  
> Things that I was noodling:
>  
> 1. Scope would be for individuals running for government (helps with
> PR as they are high traffic)
> 2. This particular demographic doesn't even usually have dedicated IT.
> At best it has web designers so the Aspects, Ounces, etc won't lose
> revenue.
> 3. The badge isn't a certification but an opportunity to display the
> OWASP top ten along with why they are important.
> 4. The badge would intentionally talk about OWASP being a component.
> Doesn't certify other aspects
> 5. The badge shouldn't imply any form of warranty. It could however
> mean that they used practices such as static analysis and scanning
> along with the last date of these events along with the tools used.
> 6. The badge doesn't need to have continuous monitoring as this is
> more about expectation management. Think more like how the big four
> sign off on the 10K annually. Bad things can happen within the year.
>  
> Anyway, if no one is feeling this, then what can we do to increase PR.
> Thinking out loud is always a good thing.
>
> ------------------------------------------------------------------------
> From: kuai hinojosa [mailto:kuai.hinojosa at owasp.org]
> Sent: Tuesday, December 02, 2008 1:28 PM
> To: Mandeep Khera
> Cc: fabio.e.cerullo at aib.ie; McGovern, James F (HTSC, IT);
> OWASP-Leaders at lists.owasp.org
> Subject: Re: [Owasp-leaders] 2010 Elections
>
> And don't forget liabilities...
>
> On Dec 2, 2008, at 12:02 PM, Mandeep Khera wrote:
>
>> I have to agree with Fabio here. Giving certifications to Web sites
>> is like putting a bull's eye on the site for hackers, as we have seen
>> with some seals out there including McAfee and others. It requires a
>> lot of work to make sure that the Web sites are secure and even then
>> it's not always hundred percent.
>>  
>>
>> Mandeep Khera
>> Chief Marketing Officer
>> Cenzic, Inc.
>> www.cenzic.com | (866) 423-6942
>> 455 El Camino Real, Ste. 100
>> Santa Clara, CA 95050
>> Phone: (408) 200-0712
>> Email: mandeep at cenzic.com
>> Fax: (408) 200-0701
>>
>> #1 in Enterprise Web Application Vulnerability Assessment and Risk
>> Management
>> SC Magazine / Best Buy /
>> http://www.cenzic.com/downloads/pdf/SC_magazine_04-2008.pdf
>> Gartner Video: Web App Security
>> https://www.cenzic.com/landing/GartnerVideo/
>>
>>
>>
>>
>> ------------------------------------------------------------------------
>> From: owasp-leaders-bounces at lists.owasp.org
>> [mailto:owasp-leaders-bounces at lists.owasp.org] On Behalf Of
>> fabio.e.cerullo at aib.ie
>> Sent: Tuesday, December 02, 2008 1:53 AM
>> To: McGovern, James F (HTSC, IT)
>> Cc: OWASP-Leaders at lists.owasp.org
>> Subject: Re: [Owasp-leaders] 2010 Elections
>>
>>
>> You are suggesting risky waters there... imagine if the website is
>> defaced and the OWASP badge is sitting at the bottom of their site?
>>
>> Also, that would mean continuously monitoring these websites as new
>> vulnerabilities are discovered.
>>
>> McAfee already ran into trouble thanks to their Hacker Safe
>> certificate...
>>
>> http://attrition.org/errata/sec-co/mcafee07.html
>>
>> Fabio Cerullo
>> Information Security
>> Bankcentre D1,
>> Ballsbridge,
>> Dublin 4,
>> Ireland.
>>
>> Tel: +353 1 642 6309
>> Email: fabio.e.cerullo at aib.ie
>>
>>
>>
>>
>> "McGovern, James F (HTSC, IT)" <James.McGovern at thehartford.com>
>> Sent by: owasp-leaders-bounces at lists.owasp.org
>>
>> 01/12/2008 18:08
>>
>> To: <OWASP-Leaders at lists.owasp.org>
>> cc:
>> Subject: [Owasp-leaders] 2010 Elections
>>
>>
>>
>>
>>
>> I had another half-baked idea for a 2009 project and wanted to get
>> reactions from others. Many folks are aware that Barack Obama raised
>> a lot of money for his Presidential campaign via his website.
>> Likewise, his website was under attack. What would we think if we as
>> members of OWASP helped senators, congressmen, etc. in a non-partisan
>> way audit their websites at no charge and do so in exchange for an
>> OWASP badge at the bottom of their site?
>>  
>> We all make fun of those websites that display badges indicating
>> 128-bit SSL but need to noodle whether the badging strategy could
>> work for OWASP as a way to spread brand in a controlled manner.
>> Bringing a higher-level badging strategy would be beneficial to the
>> industry. Imagine a badge indicating that they are OWASP Top Ten
>> compliant, whereupon clicking it, we could explain security to
>> average users...
>> ************************************************************
>> This communication, including attachments, is for the exclusive use
>> of addressee and may contain proprietary, confidential and/or
>> privileged information.  If you are not the intended recipient, any
>> use, copying, disclosure, dissemination or distribution is strictly
>> prohibited.  If you are not the intended recipient, please notify the
>> sender immediately by return e-mail, delete this communication and
>> destroy all copies.
>> ************************************************************
>> _______________________________________________
>> OWASP-Leaders mailing list
>> OWASP-Leaders at lists.owasp.org
>> https://lists.owasp.org/mailman/listinfo/owasp-leaders
>>
>> ******************************************************
>> This document is strictly confidential and is intended for use by the addressee unless otherwise indicated.
>>
>> This email has been scanned by an external email security system.
>>
>> Allied Irish Banks
>>
>> AIB and AIB Group are registered business names of Allied Irish Banks p.l.c. Allied Irish Banks, p.l.c. is regulated by the Financial Regulator.  Registered Office: Bankcentre, Ballsbridge, Dublin 4. Tel: + 353 1 6600311; Registered in Ireland: Registered No. 24173
>>
>> Please consider the environment before printing this e-mail. 
>> ******************************************************
>
>