[Owasp-leaders] R: R: Re: OWASP testing and disclosure levels

Loredana Mancini loredana.mancini at business-e.it
Wed Dec 23 12:20:57 EST 2009




Da: dinis cruz [mailto:dinis.cruz at owasp.org] 
Inviato: mercoledì 23 dicembre 2009 12.34
A: loredana.mancini at business-e.it; owasp-leaders at lists.owasp.org
Oggetto: Re: [Owasp-leaders] R: Re: OWASP testing and disclosure levels


I think this is a great idea and one that OWASP is uniquely position to make
it happen.


This goes to the heart of what we are trying to do at OWASP since it will
help to improve the visibility of an website's security.


But before you continue reading the rest of this post, if you are not aware
of PayPal's guidelines for external security researchers, please go and read
neral/ReportingSecurityIssues-outside (which is linked from


Here is what I like about this schema:

*	(probably the most important) this is NOT dependent on the website's
collaboration or participation (i.e. we can implement this independently)
*	It promotes good behavior and security awareness from the website's
*	it allows OWASP to raise the bar of entire sections of the online
industry, since once we have a number of websites that follow the proposed
guidelines, then their competitors will have 'market pressure' to follow it
*	this is something that the entire OWASP community needs (from member
companies, to individual members, to owasp leaders, to participants at our
conferences or mailing lists). For example, I (as a web user) would like to
know when I use a website about that website's security posture. Another
good example was when OWASP had to chose a couple months ago which
Online-Voting provider we used for our board elections. Since we were paying
for that service, the website's security should had been part of the
decision making process (and it wasn't since we had no visibility into that
website's security)
*	this schema also allows to clarify what is the affected website's
point of view regarding their multiple web applications. Let look at a
couple examples:

*	The Full Disclosure and Fully Open could be used on Sample Apps. For
example the ones published with the Spring Framework (like JPetStore or
*	the Responsible Disclosure and Open Code Review could be used for
Open Source applications (in fact the different between Open Code Review and
Fully Open could be that for Fully Open the tests can be executed into the
actual live website versus a locally executed copy of the website (which
will be possible when we have access the source code)
*	the Responsible Disclosure and Open Test is what PayPal is doing
*	the Private Disclosure could be used a first step for companies who
want to leverage the good guys security knowledge (for example, a lot of us
'accidentally' discover security vulnerabilities in websites but are not
comfortable in reporting them since we are not sure how the website's owner
would react (in fact in most cases we don't even know who to contact)).
Another source of security issues for this is the XSSed database, or the
google searches for the latest Flash/XSS vulnerability.
*	the No Disclosure is an interesting one since I don't expect that
companies will 'officially' embrace, but one we (OWASP) could apply based on
that companies past behavior (past examples are: MySpace when it sued Sammy,
BT with Daniel, the US Gov departments behind with the Gary McKinnon case,
*	Finally given the current 'hacking laws' the OWASP “Trust Us”
Insecurity Program – No testing + no disclosure is what all public websites
should be given by default. This would actually be a great way to visually
show the current (bad) state of affairs
*	For day to day browsing, a Firefox extension that checked the
website's status would be a great way to expose this to a wider audience

I'm sure there is a number of tweaks we will need to do to the
classification names, its definitions and the scenarios they cover. 

So I would say that the next step is for us to try to implement this, mark
it as Beta for a while, and once it is working, officially launch it.

Who wants to be the project leader?

Dinis Cruz


2009/12/22 <loredana.mancini at business-e.it>


I am really interested in this project/idea, because my feeling is that it
is something needed, but when speking with industries about these topics
lots af doubts arise and it is not easy for them to accept this vision.

Very often technical/expert people have to struggle with management, legal,
administrative/ecc. to show the value of these activities and behaviour

Microsoft as well,  started from far away to reach this point.....

So I would like to be involved in this project, please let me know, bye
Sent from my BlackBerry® wireless device

-----Original Message-----
From: "Jeff Williams" <jeff.williams at owasp.org>
Date: Mon, 21 Dec 2009 21:08:53
To: <owasp-leaders at lists.owasp.org>
Subject: Re: [Owasp-leaders] OWASP testing and disclosure levels

OWASP-Leaders mailing list
OWASP-Leaders at lists.owasp.org

OWASP-Leaders mailing list
OWASP-Leaders at lists.owasp.org

-------------- next part --------------
An HTML attachment was scrubbed...
URL: https://lists.owasp.org/pipermail/owasp-leaders/attachments/20091223/cbca1610/attachment.html 

More information about the OWASP-Leaders mailing list