[Owasp-leaders] OWASP Consumer Reports Project

Mike Boberski mike.boberski at gmail.com
Mon Apr 12 09:38:07 EDT 2010

This is what ASVS is for...

On 4/12/10, McGovern, James F. (P+C Technology)
<James.McGovern at thehartford.com> wrote:
> Was noodling a conversation I had awhile back with Tom Brennan and came
> up with an idea. If we truly want to make application security visible,
> then we should figure out a way to partner with, say, Consumer Reports (or
> at least borrow the Harvey Ball notation) where we compare the security
> of popular sites to each other. For example, wouldn't a lot of consumers
> want to know which brokerage firm is most secure, where we compare TD
> Ameritrade to Fidelity to E*Trade to Schwab and so on?
> Likewise, in order to get a quote for auto insurance, you have to
> surrender lots of personally-identifiable information ranging from
> social security number to driver's license, etc. Wouldn't it be good if
> consumers knew which auto insurance carrier was most secure, where we
> compared The Hartford to Travelers, Progressive, Geico and so on?
> The media at large would jump all over this idea and would provide us
> with coverage. Likewise, those being compared who receive less than
> favorable ratings may actually not just have their developers pay
> attention to OWASP but also executive row! Of course, we would need to
> come up with normalized criteria, but it wouldn't take too long to put
> together. Criteria would include things like knowing they are running
> the latest patch version of web server software, DNS zone transfer,
> basic input validation and other things that are observable as a smart
> security consumer. At no time would we scan a site without permission.
> Thoughts?