[Owasp-leaders] OWASP Consumer Reports Project

McGovern, James F. (P+C Technology) James.McGovern at thehartford.com
Mon Apr 12 10:30:29 EDT 2010


It's one thing to have ASVS defined, it is another to find a channel
where one company can compare their security posture in this regard to
another. In my day job, I would love to have metrics where I could
compare the security posture of our consumer-facing web sites to the
competition but also have the ability for my retired dad and my five
year old to do the same... 

-----Original Message-----
From: owasp-leaders-bounces at lists.owasp.org
[mailto:owasp-leaders-bounces at lists.owasp.org] On Behalf Of Boberski,
Michael [USA]
Sent: Monday, April 12, 2010 9:53 AM
To: owasp-leaders at lists.owasp.org
Subject: Re: [Owasp-leaders] OWASP Consumer Reports Project

Application owners and users (both being "consumers") don't care about
low-level stuff like input validation, need to roll that stuff up, and
that's what ASVS does. Saying an app meets ASVS level x, and another app
meets ASVS level y, is "consumer level" in the sense you're describing.

Best,

Mike B.

-----Original Message-----
From: owasp-leaders-bounces at lists.owasp.org
[mailto:owasp-leaders-bounces at lists.owasp.org] On Behalf Of McGovern,
James F. (P+C Technology)
Sent: Monday, April 12, 2010 9:45 AM
To: mike.boberski at gmail.com; owasp-leaders at lists.owasp.org
Subject: Re: [Owasp-leaders] OWASP Consumer Reports Project

ASVS is NOT "visible" through the lens of a consumer.

-----Original Message-----
From: owasp-leaders-bounces at lists.owasp.org
[mailto:owasp-leaders-bounces at lists.owasp.org] On Behalf Of Mike
Boberski
Sent: Monday, April 12, 2010 9:38 AM
To: owasp-leaders at lists.owasp.org
Subject: Re: [Owasp-leaders] OWASP Consumer Reports Project

This is what asvs is for...

On 4/12/10, McGovern, James F. (P+C Technology)
<James.McGovern at thehartford.com> wrote:
> Was noodling a conversation I had a while back with Tom Brennan and
> came up with an idea. If we truly want to make application security
> visible, then we should figure out a way to partner with say Consumer
> Reports (or at least borrow the Harvey Ball notation) where we compare
> the security of popular sites to each other. For example, wouldn't a
> lot of consumers want to know which brokerage firm is most secure
> where we compare TD Ameritrade to Fidelity to E*Trade to Schwab and so
> on?
>
> Likewise, in order to get a quote for auto insurance, you have to
> surrender lots of personally-identifiable information ranging from
> social security number to driver's license, etc. Wouldn't it be good if
> consumers knew which auto insurance carrier was most secure where we
> compared The Hartford to Travelers, Progressive, Geico and so on?
>
> The media at large would jump all over this idea and would provide us
> with coverage. Likewise, those being compared who receive less than
> favorable ratings may actually not just have their developers pay
> attention to OWASP but also executive row! Of course, we would need to
> come up with normalized criteria, but it wouldn't take too long to put
> together. Criteria would include things like knowing they are running
> the latest patch version of web server software, DNS zone transfer,
> basic input validation and other things that are observable as a smart
> security consumer. At no time would we scan a site without permission.
>
> Thoughts?
> ************************************************************
> This communication, including attachments, is for the exclusive use of
> addressee and may contain proprietary, confidential and/or privileged
> information. If you are not the intended recipient, any use, copying,
> disclosure, dissemination or distribution is strictly prohibited. If
> you are not the intended recipient, please notify the sender
> immediately by return e-mail, delete this communication and destroy
> all copies.
> ************************************************************
>


--
Mike
_______________________________________________
OWASP-Leaders mailing list
OWASP-Leaders at lists.owasp.org
https://lists.owasp.org/mailman/listinfo/owasp-leaders
