[Owasp-leaders] OWASP testing and disclosure levels

Jeff Williams jeff.williams at owasp.org
Mon Dec 21 21:08:53 EST 2009

Actually, Microsoft is one of the companies that is leading the way here.
They are actively engaging the security research community and benefiting


But the biggest benefit is to consumers. This provides some visibility into
how serious a company is about secure code.  These policies are something I
want to know.


And the companies don't have to do anything - they don't have to "sign up."
A third party might evaluate a company's policies and conclude that they are
a "Trust Us" type of security program.


I don't want to start a debate about the merits of full/responsible/private
disclosure (or open testing either).  I want to make it visible and let the
market decide.  That's what this project is about.


Anyone interested in leading a project to put some standards around how
companies should engage with the security research community for code
access, testing, and disclosure?


From: owasp-leaders-bounces at lists.owasp.org
[mailto:owasp-leaders-bounces at lists.owasp.org] On Behalf Of Mandeep Khera
Sent: Monday, December 21, 2009 4:37 PM
To: owasp-leaders at lists.owasp.org
Subject: Re: [Owasp-leaders] OWASP testing and disclosure levels
It's an interesting idea. The question I have is what's in it for the
companies? In other words, if they sign up for full disclosure, how does
that help them? Most of the commercial software vendors like Microsoft,
Oracle, and others want it privately disclosed so they have time to fix it.
Analysts like Gartner also talk about Responsible Vulnerability Disclosure
policies. And, does it mean that anyone can scan their Web sites using
injection attacks to find vulnerabilities? There are all kinds of issues
associated with that.
Mandeep Khera
From: owasp-leaders-bounces at lists.owasp.org
[mailto:owasp-leaders-bounces at lists.owasp.org] On Behalf Of Jeff Williams
Sent: Monday, December 21, 2009 7:55 AM
To: owasp-leaders at lists.owasp.org
Subject: [Owasp-leaders] OWASP testing and disclosure levels


I saw some twittering about this sort of thing over the weekend.


The basic idea is that we could create some OWASP standards around the way
that companies allow their websites to be tested/scanned/reviewed and how
they want to handle disclosure of issues that are discovered.  Companies
could choose the standard they want to follow and it would encourage people
to make that choice explicit and public (visible).


We could do this pretty easily in the OWASP Legal Project - the way that
Creative Commons defined some IP licenses and released them.  I'm just not
sure what the current practices are.  Has anyone catalogued a list of
companies with either testing or disclosure policies?  See Microsoft
<http://www.microsoft.com/security/msrc/report/disclosure.aspx> policies.


Just as an off the top of the head brainstorm, what do you think of these??
Of course we'd have to specify these carefully and fully.


- Full Disclosure - disclose anything you find

- Responsible Disclosure - work with us please

- Private Disclosure - send it to us and pray

- No Disclosure - we will hunt you down and kill you


- Fully Open - code review + test all you want

- Open Code Review - we'll let you review the source and test all you

- Open Test - test with your account all you want

- Staged Test - register and we'll let you test on a non-production

- No Testing - you are an evil hacker


** Note: I have already drafted an "OWASP Open Code Review" license that
grants people the rights they need to do a source code review without giving
up ownership or other legal rights.


We could combine these into a few interesting combinations.


- OWASP Open Security Program - Fully open review + full disclosure

- OWASP Shared Security Program - Open testing + responsible

- OWASP Private Security Program - Staged Testing + private

- OWASP "Trust Us" Insecurity Program - No testing + no disclosure

Note that this is NOT a certification program.  This is a way for companies
to *declare* their approach to security.  Your thoughts welcome.