[Owasp-leaders] Should OWASP make a statement on the Security of the Internet and Pervasive Monitoring?

Tobias tobias.gondrom at owasp.org
Wed Nov 13 21:28:18 UTC 2013

Hi all,

in recent weeks we heard quite a bit of discussion on security and
pervasive monitoring by some actors in the global arena.
And a number of global organizations commented on the current findings,
- the Internet Society:
- the Montevideo Statement on the Future of Internet Cooperation
**I wonder whether we as OWASP would like to make a public statement
about this as well? *

As a first "strawman", what would you think about the following proposal:
If you want, you can leave your opinion on that here:

  Proposal for OWASP Statement on the Security of the Internet and
  Pervasive Monitoring

The Internet community and OWASP care deeply about how much we can trust
commonly used Internet services and the applications that provide and
use these services. Studying the reports about large-scale monitoring of
Internet traffic and users disturbs us greatly. We knew about the
interception of targeted individuals and other monitoring activities.
However, the scale of recently reported monitoring and potential
undermining of the security of deployed applications is surprising.

Of course, it is hard to know for sure from current reports what attack
techniques may be in use. As such, it is not so easy to comment on the
specifics from an OWASP perspective. Still, OWASP has long standing
general principles that we can talk about, and also address some of the
actions we are taking.

  * We strongly believe trustworthy secure software and applications are
    an important cornerstone for human society and interactions of all
    people around the world.
  * We strongly believe that people, companies and governments must
    protect software security and must not intentionally weaken software
    security, security standards, or undermine the security of
    cryptographic algorithms.
  * We strongly believe that people, companies and governments must not
    intentionally introduce defects or vulnerabilities (or secret
    back-doors) compromising the security, trust and integrity of
    software and applications.

We like to point out, that if vulnerabilities are introduced by people,
governments or corporations to enable monitoring, that this will not
only have adverse effects on freedom and trust within human society, but
sooner or later these vulnerabilities and weaknesses will also be found
and exploited by malicious actors and criminals. Furthermore, the
general population and companies will then be left without protection
against these actors, undermining the very foundations of many software
applications that support our daily lives, and with potentially
world-wide catastrophic consequences.

The OWASP community wants to help build secure and deployable systems
for all Internet users. Addressing security and new vulnerabilities has
been the key strength of the OWASP community for more than a decade.
Technology alone is not the only factor. Operational practices, laws,
and other similar factors also matter. Existing OWASP security
recommendations and tools, if used more widely, can definitely help.
However, technical issues outside the users' or companies' control, for
example endpoint security, or the properties of specific products or
implementations, also affect the end result in major ways. So at the end
of the day, no amount of security helps you if you can not trust the
party you are communicating with or the devices you are using.
Nonetheless, we're confident the OWASP community can do its part. We
continue our mission to improve security in the Internet and do more to
make applications more secure and offer better protection. The recent
revelations provide additional motivation for doing this, as well as
highlight the need to consider new threat models.

We should seize this opportunity to take a look at what we can do
better. Over the coming months the experts from the OWASP and other
communities around the world are exploring possible options to improve
the protection and security of applications for the benefit of users,
companies and governments alike. We are confident that discussions on
this topic will motivate our open community to do even more work on
these and further related topics.

Don't think about all this just in light of the recent revelations. The
security and privacy of the Internet in general is still a major
challenge even ignoring pervasive monitoring and related activities.
Learnings can be drawn from the above that will be generally useful in
many ways for years to come. Perhaps this year's discussions is a way to
motivate the world to move from "by default insecure" to "by default
secure". Publicity and motivation are important, too. There is plenty to
do for all of us, from users enabling additional security features to
companies and governments ensuring that their products, services and
applications are secure. OWASP is an open community and we invite those
interested in working on this topic to contribute to the analysis and
develop ideas in this area together.

If you like *to support this statement or disagree, please provide your
feedback here:* *Click Here to go to the Survey

Cheers, Tobias

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.owasp.org/pipermail/owasp-leaders/attachments/20131113/ca6de536/attachment.html>

More information about the OWASP-Leaders mailing list