[Owasp-leaders] OWASP testing and disclosure levels

Dan Cornell dan at denimgroup.com
Mon Dec 21 11:00:07 EST 2009

I love it.  Not sure folks would be so interested in advertising their "trust us" insecurity program.  But I suspect there might be a correlation between organizations w/ that policy and open, unresolved XSS vulnerabilities so we can probably get that logo displayed on their pages one way or another.

From: owasp-leaders-bounces at lists.owasp.org [mailto:owasp-leaders-bounces at lists.owasp.org] On Behalf Of Jeff Williams
Sent: Monday, December 21, 2009 9:55 AM
To: owasp-leaders at lists.owasp.org
Subject: [Owasp-leaders] OWASP testing and disclosure levels

I saw some twittering about this sort of thing over the weekend...

The basic idea is that we could create some OWASP standards around the way that companies allow their websites to be tested/scanned/reviewed and how they want to handle disclosure of issues that are discovered.  Companies could choose the standard they want to follow and it would encourage people to make that choice explicit and public (visible).

We could do this pretty easily in the OWASP Legal Project - the way that Creative Commons defined some IP licenses and released them.  I'm just not sure what the current practices are.  Has anyone catalogued a list of companies with either testing or disclosure policies?  See Microsoft policies <http://www.microsoft.com/security/msrc/report/disclosure.aspx>.

Just as an off the top of the head brainstorm, what do you think of these? Of course we'd have to specify these carefully and fully.

* Full Disclosure - disclose anything you find

* Responsible Disclosure - work with us please

* Private Disclosure - send it to us and pray

* No Disclosure - we will hunt you down and kill you

* Fully Open - code review + test all you want

* Open Code Review - we'll let you review the source and test all you want**

* Open Test - test with your account all you want

* Staged Test - register and we'll let you test on a non-production system

* No Testing - you are an evil hacker

** Note: I have already drafted an "OWASP Open Code Review" license that grants people the rights they need to do a source code review without giving up ownership or other legal rights.

We could combine these into a few interesting combinations...

* OWASP Open Security Program - Fully open review + full disclosure

* OWASP Shared Security Program - Open testing + responsible disclosure

* OWASP Private Security Program - Staged Testing + private disclosure

* OWASP "Trust Us" Insecurity Program - No testing + no disclosure

[attached image: image001.png]

Note that this is NOT a certification program.  This is a way for companies to *declare* their approach to security.  Your thoughts welcome...
