[Owasp-leaders] R: R: Re: OWASP testing and disclosure levels

Loredana Mancini loredana.mancini at business-e.it
Wed Dec 23 12:20:57 EST 2009


 

 

  _____  

Da: dinis cruz [mailto:dinis.cruz at owasp.org] 
Inviato: mercoledì 23 dicembre 2009 12.34
A: loredana.mancini at business-e.it; owasp-leaders at lists.owasp.org
Oggetto: Re: [Owasp-leaders] R: Re: OWASP testing and disclosure levels

 

I think this is a great idea and one that OWASP is uniquely position to make
it happen.

 

This goes to the heart of what we are trying to do at OWASP since it will
help to improve the visibility of an website's security.

 

But before you continue reading the rest of this post, if you are not aware
of PayPal's guidelines for external security researchers, please go and read
this
https://www.paypal.com/us/cgi-bin/webscr?cmd=xpt/Marketing/securitycenter/ge
neral/ReportingSecurityIssues-outside (which is linked from
https://www.paypal.com/us/cgi-bin/webscr?cmd=xpt/cps/securitycenter/general/
UsefulLinks-outside)

 

Here is what I like about this schema:

*	(probably the most important) this is NOT dependent on the website's
collaboration or participation (i.e. we can implement this independently)
*	It promotes good behavior and security awareness from the website's
owner
*	it allows OWASP to raise the bar of entire sections of the online
industry, since once we have a number of websites that follow the proposed
guidelines, then their competitors will have 'market pressure' to follow it
*	this is something that the entire OWASP community needs (from member
companies, to individual members, to owasp leaders, to participants at our
conferences or mailing lists). For example, I (as a web user) would like to
know when I use a website about that website's security posture. Another
good example was when OWASP had to chose a couple months ago which
Online-Voting provider we used for our board elections. Since we were paying
for that service, the website's security should had been part of the
decision making process (and it wasn't since we had no visibility into that
website's security)
*	this schema also allows to clarify what is the affected website's
point of view regarding their multiple web applications. Let look at a
couple examples:

*	The Full Disclosure and Fully Open could be used on Sample Apps. For
example the ones published with the Spring Framework (like JPetStore or
PetClinc)
*	the Responsible Disclosure and Open Code Review could be used for
Open Source applications (in fact the different between Open Code Review and
Fully Open could be that for Fully Open the tests can be executed into the
actual live website versus a locally executed copy of the website (which
will be possible when we have access the source code)
*	the Responsible Disclosure and Open Test is what PayPal is doing
*	the Private Disclosure could be used a first step for companies who
want to leverage the good guys security knowledge (for example, a lot of us
'accidentally' discover security vulnerabilities in websites but are not
comfortable in reporting them since we are not sure how the website's owner
would react (in fact in most cases we don't even know who to contact)).
Another source of security issues for this is the XSSed database, or the
google searches for the latest Flash/XSS vulnerability.
*	the No Disclosure is an interesting one since I don't expect that
companies will 'officially' embrace, but one we (OWASP) could apply based on
that companies past behavior (past examples are: MySpace when it sued Sammy,
BT with Daniel, the US Gov departments behind with the Gary McKinnon case,
etc...)
*	Finally given the current 'hacking laws' the OWASP “Trust Us”
Insecurity Program – No testing + no disclosure is what all public websites
should be given by default. This would actually be a great way to visually
show the current (bad) state of affairs
*	For day to day browsing, a Firefox extension that checked the
website's status would be a great way to expose this to a wider audience

I'm sure there is a number of tweaks we will need to do to the
classification names, its definitions and the scenarios they cover. 





So I would say that the next step is for us to try to implement this, mark
it as Beta for a while, and once it is working, officially launch it.





Who wants to be the project leader?





Dinis Cruz









 

2009/12/22 <loredana.mancini at business-e.it>

Hi,

I am really interested in this project/idea, because my feeling is that it
is something needed, but when speking with industries about these topics
lots af doubts arise and it is not easy for them to accept this vision.

Very often technical/expert people have to struggle with management, legal,
administrative/ecc. to show the value of these activities and behaviour
models.

Microsoft as well,  started from far away to reach this point.....

So I would like to be involved in this project, please let me know, bye
Loredana
Sent from my BlackBerry® wireless device


-----Original Message-----
From: "Jeff Williams" <jeff.williams at owasp.org>
Date: Mon, 21 Dec 2009 21:08:53
To: <owasp-leaders at lists.owasp.org>
Subject: Re: [Owasp-leaders] OWASP testing and disclosure levels

_______________________________________________
OWASP-Leaders mailing list
OWASP-Leaders at lists.owasp.org
https://lists.owasp.org/mailman/listinfo/owasp-leaders

_______________________________________________
OWASP-Leaders mailing list
OWASP-Leaders at lists.owasp.org
https://lists.owasp.org/mailman/listinfo/owasp-leaders





-------------- next part --------------
An HTML attachment was scrubbed...
URL: https://lists.owasp.org/pipermail/owasp-leaders/attachments/20091223/cbca1610/attachment.html 


More information about the OWASP-Leaders mailing list