[Owasp-leaders] FW: Copyleft adaptation of A Guide to Building Secure Web Applications and Web Services

James McGovern JMcGovern at virtusa.com
Fri Oct 1 10:04:07 EDT 2010

May I provide a challenge to your assertion? Increasingly, businesses will want to move the notion of signing of documents to web sites. As a previous architect for The Hartford, we felt it was important for someone who received an insurance quote to "sign" online instead of attempting to send physical paper in the mail, waiting for it to come back, archiving, following up if it didn't come and so on. The typical components of an e-signature approach contain many of the aspects that SHOULD be of interest to the OWASP community. First and foremost, you need to have a stronger method for validating "identity" beyond just usernames/passwords. This can include a variety of schemes such as knowledge-based authentication, etc. The weaknesses of knowledge-based authentication are 90% overlapping with the weaknesses of bad password reset approaches.

The second half of an e-signature approach is to focus on recording "intent". Did the person intend to do the prescribed action in a non-repudiated way? If an e-signature approach allows for, say, XSS or CSRF, then a user could legally repudiate not only their transaction, but call out the architecture flaw that repudiates every transaction that came before it as well.

The reason the OWASP community may not care is probably more due to the fact that few are asking for this capability, but the technical aspects of the approach are still the same topics we talk about as a community, just with different packaging.

James McGovern
Insurance SBU 
Virtusa Corporation
100 Northfield Drive, Suite 305 | Windsor, CT | 06095
Phone:  860 688 9900 Ext:  1037 | Facsimile:  860 688 2890  
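The two halves James describes (an identity step stronger than a password, then a record of intent that a forged or injected request cannot produce) can be sketched in code. The block below is an added example and is not from the post, from OWASP, or from any Hartford or Virtusa system. It assumes a server-side key named SERVER_KEY, a per-session anti-CSRF token, and an HMAC seal over the intent record; a real deployment would replace the HMAC with a proper electronic signature and the stubbed session with the actual identity-proofing step. The quote document and form submissions are constructed sample data.

```python
"""Added example: an e-signature "intent record" flow.

The identity step is reduced to an already-authenticated session.  The intent
step refuses any "I agree" submission whose anti-CSRF token does not match the
session, requires an affirmative consent flag, binds the record to the exact
document, and seals it so later tampering is detectable.  Names, fields and the
key are assumptions for illustration, not an existing API.
"""
import hashlib
import hmac
import json
import secrets
import time
from typing import Optional

# Assumed server-side secret; in practice this would live in an HSM or KMS.
SERVER_KEY = b"assumed-server-side-secret-key-32-bytes!"


def new_session(user_id: str) -> dict:
    """Session created after the identity step; the CSRF token is per session."""
    return {"user_id": user_id, "csrf_token": secrets.token_urlsafe(32)}


def document_digest(document: bytes) -> str:
    return hashlib.sha256(document).hexdigest()


def seal(record: dict) -> str:
    """HMAC over a canonical JSON encoding (stands in for a real signature)."""
    canonical = json.dumps(record, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(SERVER_KEY, canonical, hashlib.sha256).hexdigest()


def record_intent(session: dict, form: dict, document: bytes,
                  now: Optional[float] = None) -> Optional[dict]:
    """Handle the 'I agree' POST.  Returns a sealed intent record, or None when
    the request cannot be attributed to a deliberate act by this user."""
    # CSRF: a cross-site POST cannot carry the victim's session token.
    if not hmac.compare_digest(form.get("csrf_token", ""), session["csrf_token"]):
        return None
    # A missing or pre-ticked consent box is exactly what a signer could dispute.
    if form.get("consent") != "yes" or not form.get("statement"):
        return None
    # The form must reference the same document the server is about to bind.
    if form.get("doc_sha256") != document_digest(document):
        return None
    record = {
        "user_id": session["user_id"],
        "doc_sha256": document_digest(document),
        "statement": form["statement"],  # the text the user agreed to
        "timestamp": int(now if now is not None else time.time()),
        # Hash of the token ties the record to this session without storing it.
        "csrf_token_sha256": hashlib.sha256(session["csrf_token"].encode()).hexdigest(),
    }
    record["seal"] = seal(record)
    return record


def verify_intent(record: dict, document: bytes) -> bool:
    """Audit: does the record still match the document, and was it sealed by us?"""
    body = {k: v for k, v in record.items() if k != "seal"}
    if body.get("doc_sha256") != document_digest(document):
        return False
    return hmac.compare_digest(seal(body), record.get("seal", ""))


# Constructed sample document and submissions.
QUOTE = b"Policy quote #Q-0001: annual premium 1200.00 USD (constructed sample)"


def demo() -> tuple:
    session = new_session("alice")
    good_form = {"csrf_token": session["csrf_token"], "consent": "yes",
                 "doc_sha256": document_digest(QUOTE),
                 "statement": "I accept this quote."}
    forged_form = dict(good_form, csrf_token="attacker-guess")  # cross-site POST
    rec = record_intent(session, good_form, QUOTE, now=1285948800)
    forged = record_intent(session, forged_form, QUOTE)
    tampered = dict(rec, doc_sha256=document_digest(b"different document"))
    return rec, forged, verify_intent(rec, QUOTE), verify_intent(tampered, QUOTE)


if __name__ == "__main__":
    rec, forged, ok, tampered_ok = demo()
    print("forged request accepted:", forged is not None)
    print("genuine record verifies:", ok, "| tampered record verifies:", tampered_ok)
```

The point of the seal is the one the post makes: if the signing endpoint could be driven by CSRF, every record, including the legitimate ones, becomes disputable, because nothing in the record distinguishes a deliberate click from a forged request.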

-----Original Message-----
From: owasp-leaders-bounces at lists.owasp.org [mailto:owasp-leaders-bounces at lists.owasp.org] On Behalf Of Calderon, Juan Carlos (GE, Corporate,consultant)
Sent: Thursday, September 30, 2010 12:29 PM
To: owasp-leaders at lists.owasp.org
Subject: Re: [Owasp-leaders] FW: Copyleft adaptation of A Guide to Building Secure Web Applications and Web Services

Hi James and List 

I got an answer from the CERT guys in Spain. They are a government institution, so they have other security guidelines specific to Spain and best practices (like electronic signature usage (DNI)) that they want to integrate in one single master document. That is why they want a different version. It makes sense to me since that information will not be of interest to the general community (and if it is, we can integrate it, as that guide should be GPL as well).

They also plan to update the document to the latest version on WIKI, and for that part I am offering to do a joint effort and put the information on the WIKI itself.

Juan C Calderon




