[Owasp-leaders] OWASP Consumer Reports Project

Adam Muntner adam.muntner at quietmove.com
Mon Apr 12 11:36:27 EDT 2010


A thought: What happens when a top-rated site (inevitably) gets hacked?

On Mon, Apr 12, 2010 at 7:30 AM, McGovern, James F. (P+C Technology) <
James.McGovern at thehartford.com> wrote:

> It's one thing to have ASVS defined, it is another to find a channel
> where one company can compare their security posture in this regard to
> another. In my day job, I would love to have metrics where I could
> compare the security posture of our consumer-facing web sites to the
> competition but also have the ability for my retired dad and my
> five-year-old to do the same...
>
> -----Original Message-----
> From: owasp-leaders-bounces at lists.owasp.org
> [mailto:owasp-leaders-bounces at lists.owasp.org] On Behalf Of Boberski,
> Michael [USA]
> Sent: Monday, April 12, 2010 9:53 AM
> To: owasp-leaders at lists.owasp.org
> Subject: Re: [Owasp-leaders] OWASP Consumer Reports Project
>
> Application owners and users (both being "consumers") don't care about
> low-level stuff like input validation, need to roll that stuff up, and
> that's what ASVS does. Saying an app meets ASVS level x, and another app
> meets ASVS level y, is "consumer level" in the sense you're describing.
>
> Best,
>
> Mike B.
>
> -----Original Message-----
> From: owasp-leaders-bounces at lists.owasp.org
> [mailto:owasp-leaders-bounces at lists.owasp.org] On Behalf Of McGovern,
> James F. (P+C Technology)
> Sent: Monday, April 12, 2010 9:45 AM
> To: mike.boberski at gmail.com; owasp-leaders at lists.owasp.org
> Subject: Re: [Owasp-leaders] OWASP Consumer Reports Project
>
> ASVS is NOT "visible" through the lens of a consumer.
>
> -----Original Message-----
> From: owasp-leaders-bounces at lists.owasp.org
> [mailto:owasp-leaders-bounces at lists.owasp.org] On Behalf Of Mike
> Boberski
> Sent: Monday, April 12, 2010 9:38 AM
> To: owasp-leaders at lists.owasp.org
> Subject: Re: [Owasp-leaders] OWASP Consumer Reports Project
>
> This is what asvs is for...
>
> On 4/12/10, McGovern, James F. (P+C Technology)
> <James.McGovern at thehartford.com> wrote:
> > Was noodling a conversation I had a while back with Tom Brennan and
> > came up with an idea. If we truly want to make application security
> > visible, then we should figure out a way to partner with say Consumer
> > Reports (or at least borrow the Harvey Ball notation) where we compare
> > the security of popular sites to each other. For example, wouldn't a
> > lot of consumers want to know which brokerage firm is most secure
> > where we compare TD Ameritrade to Fidelity to E*Trade to Schwab and so
> > on?
> >
> > Likewise, in order to get a quote for auto insurance, you have to
> > surrender lots of personally-identifiable information ranging from
> > social security number to driver's license, etc. Wouldn't it be good if
> > consumers knew which auto insurance carrier was most secure where we
> > compared The Hartford to Travelers, Progressive, Geico and so on?
> >
> > The media at large would jump all over this idea and would provide us
> > with coverage. Likewise, those being compared who receive less than
> > favorable ratings may actually not just have their developers pay
> > attention to OWASP but also executive row! Of course, we would need
> > to come up with normalized criteria, but it wouldn't take too long to
> > put together. Criteria would include things like knowing they are
> > running the latest patch version of web server software, DNS zone
> > transfer, basic input validation and other things that are observable
> > as a smart security consumer. At no time would we scan a site without
> > permission.
> >
> > Thoughts?
> > ************************************************************
> > This communication, including attachments, is for the exclusive use of
> > addressee and may contain proprietary, confidential and/or privileged
> > information.  If you are not the intended recipient, any use, copying,
> > disclosure, dissemination or distribution is strictly prohibited.  If
> > you are not the intended recipient, please notify the sender
> > immediately by return e-mail, delete this communication and destroy
> > all copies.
> > ************************************************************
> >
>
>
> --
> Mike
> _______________________________________________
> OWASP-Leaders mailing list
> OWASP-Leaders at lists.owasp.org
> https://lists.owasp.org/mailman/listinfo/owasp-leaders



-- 
Adam Muntner, CISSP
Managing Partner
QuietMove, Inc.
http://www.QuietMove.com

cellular: 1(602) 793-5969
office: 1(866) 894-0459
fax: 1(866) 272-8194

QuietMove: Information Security Experts
Penetration Testing, Website Security
IT Governance, Risk, and Compliance