[Owasp-leaders] OWASP Consumer Reports Project

McGovern, James F. (P+C Technology) James.McGovern at thehartford.com
Mon Apr 12 09:16:49 EDT 2010


Was noodling a conversation I had awhile back with Tom Brennan and came
up with an idea. If we truly want to make application security visible,
then we should figure out a way to partner with say Consumer Reports (or
at least borrow the Harvey Ball notation) where we compare the security
of popular sites to each other. For example, wouldn't a lot of consumers
want to know which brokerage firm is most secure where we compare TD
Ameritrade to Fidelity to E*Trade to Schwab and so on?

Likewise, in order to get a quote for auto insurance, you have to
surrender lots of personally-identifiable information ranging from
social security number to drivers license, etc. Wouldn't it be good if
consumers knew which auto insurance carrier was most secure where we
compared The Hartford to Travelers, Progressive, Geico and so on?

The media at large would jump all over this idea and would provide us
with coverage. Likewise, those being compared who receive less than
favorable ratings may actually not just have their developers pay
attention to OWASP but also executive row! Of course, we would need to
come up with normalized criteria, but it wouldn't take too long to put
together. Criteria would include things like knowing they are running
the latest patch version of web server software, DNS zone transfer,
basic input validation and other things that are observable as a smart
security consumer. At no time would we scan a site without permission.

Thoughts?