[Owasp-leaders] OWASP Consumer Reports Project

McGovern, James F. (P+C Technology) James.McGovern at thehartford.com
Mon Apr 12 11:41:25 EDT 2010


Consumer reports is not a certification body. Underwriters Laboratory
would be. I am focused on the former and not the latter. Think about the
scenario of Consumer Reports saying that Toyota is the best car on the
planet...

________________________________

From: owasp-leaders-bounces at lists.owasp.org
[mailto:owasp-leaders-bounces at lists.owasp.org] On Behalf Of Adam Muntner
Sent: Monday, April 12, 2010 11:36 AM
To: owasp-leaders at lists.owasp.org
Subject: Re: [Owasp-leaders] OWASP Consumer Reports Project


A thought: What happens when a top-rated site (inevitably) gets hacked?


On Mon, Apr 12, 2010 at 7:30 AM, McGovern, James F. (P+C Technology)
<James.McGovern at thehartford.com> wrote:


	It's one thing to have ASVS defined, it is another to find a channel
	where one company can compare their security posture in this regard to
	another. In my day job, I would love to have metrics where I could
	compare the security posture of our consumer-facing web sites to the
	competition but also have the ability for my retired dad and my
	five-year-old to do the same...
	

	-----Original Message-----
	From: owasp-leaders-bounces at lists.owasp.org
	[mailto:owasp-leaders-bounces at lists.owasp.org] On Behalf Of Boberski, Michael [USA]
	Sent: Monday, April 12, 2010 9:53 AM
	To: owasp-leaders at lists.owasp.org
	Subject: Re: [Owasp-leaders] OWASP Consumer Reports Project
	
	Application owners and users (both being "consumers") don't care about
	low-level stuff like input validation, need to roll that stuff up, and
	that's what ASVS does. Saying an app meets ASVS level x, and another app
	meets ASVS level y, is "consumer level" in the sense you're describing.
	
	Best,
	
	Mike B.
	
	-----Original Message-----
	From: owasp-leaders-bounces at lists.owasp.org
	[mailto:owasp-leaders-bounces at lists.owasp.org] On Behalf Of McGovern, James F. (P+C Technology)
	Sent: Monday, April 12, 2010 9:45 AM
	To: mike.boberski at gmail.com; owasp-leaders at lists.owasp.org
	Subject: Re: [Owasp-leaders] OWASP Consumer Reports Project
	
	ASVS is NOT "visible" through the lens of a consumer.
	
	-----Original Message-----
	From: owasp-leaders-bounces at lists.owasp.org
	[mailto:owasp-leaders-bounces at lists.owasp.org] On Behalf Of Mike Boberski
	Sent: Monday, April 12, 2010 9:38 AM
	To: owasp-leaders at lists.owasp.org
	Subject: Re: [Owasp-leaders] OWASP Consumer Reports Project
	
	This is what asvs is for...
	
	On 4/12/10, McGovern, James F. (P+C Technology)
	<James.McGovern at thehartford.com> wrote:
	> Was noodling a conversation I had a while back with Tom Brennan and
	> came up with an idea. If we truly want to make application security
	> visible, then we should figure out a way to partner with say Consumer
	> Reports (or at least borrow the Harvey Ball notation) where we compare
	> the security of popular sites to each other. For example, wouldn't a
	> lot of consumers want to know which brokerage firm is most secure
	> where we compare TD Ameritrade to Fidelity to E*Trade to Schwab and so
	> on?
	>
	> Likewise, in order to get a quote for auto insurance, you have to
	> surrender lots of personally-identifiable information ranging from
	> social security number to drivers license, etc. Wouldn't it be good if
	> Consumers knew which auto insurance carrier was most secure where we
	> compared The Hartford to Travelers, Progressive, Geico and so on?
	>
	> The media at large would jump all over this idea and would provide us
	> with coverage. Likewise, for those being compared and receive less
	> than favorable ratings, may actually not just have their developers
	> pay attention to OWASP but also executive row! Of course, we would
	> need to come up with normalized criteria, but it wouldn't take too
	> long to put together. Criteria would include things like knowing they
	> are running the latest patch version of web server software, dns zone
	> transfer, basic input validation and other things that are observable
	> as a smart security consumer. At no time, would we scan a site without
	> permission.
	>
	> Thoughts?
	> ************************************************************
	> This communication, including attachments, is for the exclusive use of
	> addressee and may contain proprietary, confidential and/or privileged
	> information.  If you are not the intended recipient, any use, copying,
	> disclosure, dissemination or distribution is strictly prohibited.  If
	> you are not the intended recipient, please notify the sender
	> immediately by return e-mail, delete this communication and destroy
	> all copies.
	> ************************************************************
	>
	
	
	--
	Mike
	_______________________________________________
	OWASP-Leaders mailing list
	OWASP-Leaders at lists.owasp.org
	https://lists.owasp.org/mailman/listinfo/owasp-leaders
	
	




-- 
Adam Muntner, CISSP
Managing Partner
QuietMove, Inc.
http://www.QuietMove.com

cellular: 1(602) 793-5969
office: 1(866) 894-0459
fax: 1(866) 272-8194

QuietMove: Information Security Experts
Penetration Testing, Website Security
IT Governance, Risk, and Compliance

