[Owasp-leaders] Should OWASP make a statement on the Security of the Internet and Pervasive Monitoring?

Dinis Cruz dinis.cruz at owasp.org
Wed Nov 13 23:18:02 UTC 2013


Tobias, this is a really good idea/post and I for one really think that
OWASP's community needs to have a voice in this debate (including from the
ones who believe that what is being done by the NSA and others is the right
thing to do).

I especially like these three points, which I'm happy to subscribe to and promote:

" 1) We strongly believe trustworthy secure software and applications are
an important cornerstone for human society and interactions of all people
around the world.
2) We strongly believe that people, companies and governments must protect
software security and must not intentionally weaken software security,
security standards, or undermine the security of cryptographic algorithms.
3) We strongly believe that people, companies and governments must not
intentionally introduce defects or vulnerabilities (or secret back-doors)
compromising the security, trust and integrity of software and
applications."

Note that this is one of those situations where 'not having an opinion' is
actually 'having an opinion' (which is to support the status quo).

On 13 Nov 2013 21:29, "Tobias" <tobias.gondrom at owasp.org> wrote:

>  Hi all,
>
> in recent weeks we heard quite a bit of discussion on security and
> pervasive monitoring by some actors in the global arena.
> And a number of global organizations commented on the current findings,
> e.g.:
> - the Internet Society:
> http://www.internetsociety.org/doc/global-multi-stakeholder-collaboration-achieving-safe-secure-and-tolerant-cyberspace-enabling
> - the Montevideo Statement on the Future of Internet Cooperation
> http://www.icann.org/en/news/announcements/announcement-07oct13-en.htm
>
> *I wonder whether we as OWASP would like to make a public statement about
> this as well?*
>
> As a first "strawman", what would you think about the following proposal:
>
> (https://www.owasp.org/index.php/Proposal_OWASP_Statement_on_the_Security_of_the_Internet_and_Pervasive_Monitoring)
> If you want, you can leave your opinion on that here:
> https://www.surveymonkey.com/s/WK7TZNT
>
>
>  Proposal for OWASP Statement on the Security of the Internet and
> Pervasive Monitoring
>
> The Internet community and OWASP care deeply about how much we can trust
> commonly used Internet services and the applications that provide and use
> these services. Studying the reports about large-scale monitoring of
> Internet traffic and users disturbs us greatly. We knew about the
> interception of targeted individuals and other monitoring activities.
> However, the scale of recently reported monitoring and potential
> undermining of the security of deployed applications is surprising.
>
>
>  Of course, it is hard to know for sure from current reports what attack
> techniques may be in use. As such, it is not so easy to comment on the
> specifics from an OWASP perspective. Still, OWASP has long-standing general
> principles that we can talk about, and also address some of the actions we
> are taking.
>
>    - We strongly believe trustworthy secure software and applications are
>    an important cornerstone for human society and interactions of all people
>    around the world.
>    - We strongly believe that people, companies and governments must
>    protect software security and must not intentionally weaken software
>    security, security standards, or undermine the security of cryptographic
>    algorithms.
>    - We strongly believe that people, companies and governments must not
>    intentionally introduce defects or vulnerabilities (or secret back-doors)
>    compromising the security, trust and integrity of software and
>    applications.
>
>
>  We would like to point out that if vulnerabilities are introduced by people,
> governments or corporations to enable monitoring, this will not only
> have adverse effects on freedom and trust within human society, but sooner
> or later these vulnerabilities and weaknesses will also be found and
> exploited by malicious actors and criminals. Furthermore, the general
> population and companies will then be left without protection against these
> actors, undermining the very foundations of many software applications that
> support our daily lives, and with potentially world-wide catastrophic
> consequences.
>
>
> The OWASP community wants to help build secure and deployable systems for
> all Internet users. Addressing security and new vulnerabilities has been
> the key strength of the OWASP community for more than a decade. Technology
> alone is not the only factor. Operational practices, laws, and other
> similar factors also matter. Existing OWASP security recommendations and
> tools, if used more widely, can definitely help. However, technical issues
> outside the users' or companies' control, for example endpoint security, or
> the properties of specific products or implementations, also affect the end
> result in major ways. So at the end of the day, no amount of security helps
> you if you cannot trust the party you are communicating with or the
> devices you are using. Nonetheless, we’re confident the OWASP community can
> do its part. We continue our mission to improve security in the Internet
> and do more to make applications more secure and offer better protection.
> The recent revelations provide additional motivation for doing this, as
> well as highlight the need to consider new threat models.
>
>
> We should seize this opportunity to take a look at what we can do better.
> Over the coming months the experts from the OWASP and other communities
> around the world are exploring possible options to improve the protection
> and security of applications for the benefit of users, companies and
> governments alike. We are confident that discussions on this topic will
> motivate our open community to do even more work on these and further
> related topics.
>
>
> Don’t think about all this just in light of the recent revelations. The
> security and privacy of the Internet in general is still a major challenge
> even ignoring pervasive monitoring and related activities. Learnings can be
> drawn from the above that will be generally useful in many ways for years
> to come. Perhaps this year’s discussions are a way to motivate the world to
> move from “by default insecure” to “by default secure”. Publicity and
> motivation are important, too. There is plenty to do for all of us, from
> users enabling additional security features to companies and governments
> ensuring that their products, services and applications are secure. OWASP
> is an open community and we invite those interested in working on this
> topic to contribute to the analysis and develop ideas in this area
> together.
>
>
>
> If you would like *to support this statement or disagree, please provide your
> feedback here:* *Click Here to go to the Survey
> <https://www.surveymonkey.com/s/WK7TZNT>*
>
>
> Cheers, Tobias
>