[Owasp-leaders] (and Summit's remote participation) Re: OWASP Summit and the Basel Accords

dinis cruz dinis.cruz at owasp.org
Sun Jan 9 08:14:28 EST 2011


Here is an example of a lot of good info (and ideas) that is currently
spread across an email thread which should be captured in a working session
and discussed at the Summit.

So, have you decided on which working session this should be debated (with
clear objectives and deliverables) and who is going to lead on it?

Looking at http://www.owasp.org/index.php/Category:Summit_2011_Tracks there
are a couple of Working Sessions (namely on the Metrics Track) that could be a
good fit. Alternatively we could create a new Working Session (like the
topic I previously suggested, 'Mapping Web Application Security to the Basel II
Accord').

James, looking at the Summit Attendee list it looks like you are not able to
make it, but we are starting the planning for the remote participation of
owasp-leaders (and others) who want to be involved, *so I would like to
extend to you (and others) the invitation to be remotely involved in some of the
Working Sessions.*

On the topic of *Remote Summit Participation*, the very first steps of its
planning are now at
http://www.owasp.org/index.php/Summit_2011/Remote_Participants and *we will
need all the help we can get* (there are still quite a lot of technological
challenges to be solved, but to see an example of what we could do at this
Summit check out the CoverItLive usage in the 'OWASP Academies 2 day Working
Session' that happened last week in Lisbon:
http://www.owasp.org/index.php/OWASP_Academies#tab=Conclusions_of_the_Meeting
(see the 'Conclusions of the Meeting' tab)

Dinis Cruz

On 10 December 2010 17:06, James McGovern <JMcGovern at virtusa.com> wrote:

> Solvency and Basel don't talk much to confidentiality, but do talk about
> integrity if you change the semantics a little bit. Can we agree that
> activities that influence financial markets such as the trader in Europe
> several months back who did a "typo" can be classified as lack of input
> validation? Independent of bad input data being used for exploit purposes,
> we are the crowd in the know that best knows how to validate data within
> web-based enterprise applications and that is the point of the conversation.
>
> James McGovern
> Insurance SBU
> Virtusa Corporation
> 100 Northfield Drive, Suite 305 | Windsor, CT | 06095
> Phone:  860 688 9900 Ext:  1037 | Facsimile:  860 688 2890
>
>
>
> -----Original Message-----
> From: owasp-leaders-bounces at lists.owasp.org [mailto:
> owasp-leaders-bounces at lists.owasp.org] On Behalf Of Stephen de Vries
> Sent: Friday, December 10, 2010 9:22 AM
> To: owasp-leaders at lists.owasp.org
> Subject: Re: [Owasp-leaders] OWASP Summit and the Basel Accords
>
>
> Hi Lucas,
>
> I don't think you'll find direct statements that link app security to the
> Basel II accord, or indeed any of the financial standards (like FSA in UK or
> SOX US [correct me if I'm wrong here] ).   Instead, you'll find vague
> requirements like:
>
> - Failure to maintain audit or review of work papers for at least five
> years is punishable by up to five years in prison, and/or a fine.
> - Corruptly altering, destroying, or concealing records or documents in
> order to compromise the integrity of the record for use in an official
> proceeding is punishable by up to 20 years in prison, and/or an unspecified
> fine amount.
> - etc.
>
> So you'll have to join the dots between the requirement to provide data
> confidentiality and integrity and how that links up with the need to build
> and maintain secure applications.  Not a stretch at all, and I think most
> people in the finance/security world will easily see how insecure apps lead
> to insecure data which leads to non-compliance with Basel II etc.