[Owasp-leaders] Should OWASP make a statement on the Security of the Internet and Pervasive Monitoring?

Dennis Groves dennis.groves at owasp.org
Wed Nov 13 23:48:26 UTC 2013

I totally support this Tobias, let me know what I can do!

I apologize for being so late to respond to your email. We are busy 
running around to all the print shops in Phoenix getting all of the 
OWASP documentation projects printed for the Summit. The books are so 
beautiful, I am really excited by all the great work going on at OWASP!

Keep up the great work Tobias!



On 13 Nov 2013, at 14:28, Tobias wrote:

> Hi all,
> in recent weeks we heard quite a bit of discussion on security and
> pervasive monitoring by some actors in the global arena.
> And a number of global organizations commented on the current findings,
> e.g.:
> - the Internet Society:
> http://www.internetsociety.org/doc/global-multi-stakeholder-collaboration-achieving-safe-secure-and-tolerant-cyberspace-enabling
> - the Montevideo Statement on the Future of Internet Cooperation
> http://www.icann.org/en/news/announcements/announcement-07oct13-en.htm
> *I wonder whether we as OWASP would like to make a public statement
> about this as well?*
> As a first "strawman", what would you think about the following proposal:
> <https://www.owasp.org/index.php/Proposal_OWASP_Statement_on_the_Security_of_the_Internet_and_Pervasive_Monitoring>
> If you want, you can leave your opinion on that here:
> https://www.surveymonkey.com/s/WK7TZNT
> Proposal for OWASP Statement on the Security of the Internet and
> Pervasive Monitoring
> The Internet community and OWASP care deeply about how much we can trust
> commonly used Internet services and the applications that provide and
> use these services. Studying the reports about large-scale monitoring of
> Internet traffic and users disturbs us greatly. We knew about the
> interception of targeted individuals and other monitoring activities.
> However, the scale of recently reported monitoring and potential
> undermining of the security of deployed applications is surprising.
> Of course, it is hard to know for sure from current reports what attack
> techniques may be in use. As such, it is not so easy to comment on the
> specifics from an OWASP perspective. Still, OWASP has long-standing
> general principles that we can talk about, and also address some of the
> actions we are taking.
> * We strongly believe trustworthy secure software and applications are
>  an important cornerstone for human society and interactions of all
>  people around the world.
> * We strongly believe that people, companies and governments must
>  protect software security and must not intentionally weaken software
>  security, security standards, or undermine the security of
>  cryptographic algorithms.
> * We strongly believe that people, companies and governments must not
>  intentionally introduce defects or vulnerabilities (or secret
>  back-doors) compromising the security, trust and integrity of
>  software and applications.
> We would like to point out that if vulnerabilities are introduced by
> people, governments or corporations to enable monitoring, this will not
> only have adverse effects on freedom and trust within human society, but
> sooner or later these vulnerabilities and weaknesses will also be found
> and exploited by malicious actors and criminals. Furthermore, the
> general population and companies will then be left without protection
> against these actors, undermining the very foundations of many software
> applications that support our daily lives, and with potentially
> world-wide catastrophic consequences.
> The OWASP community wants to help build secure and deployable systems
> for all Internet users. Addressing security and new vulnerabilities has
> been the key strength of the OWASP community for more than a decade.
> Technology alone is not the only factor. Operational practices, laws,
> and other similar factors also matter. Existing OWASP security
> recommendations and tools, if used more widely, can definitely help.
> However, technical issues outside the users' or companies' control, for
> example endpoint security, or the properties of specific products or
> implementations, also affect the end result in major ways. So at the end
> of the day, no amount of security helps you if you cannot trust the
> party you are communicating with or the devices you are using.
> Nonetheless, we're confident the OWASP community can do its part. We
> continue our mission to improve security in the Internet and do more to
> make applications more secure and offer better protection. The recent
> revelations provide additional motivation for doing this, as well as
> highlight the need to consider new threat models.
> We should seize this opportunity to take a look at what we can do
> better. Over the coming months the experts from the OWASP and other
> communities around the world are exploring possible options to improve
> the protection and security of applications for the benefit of users,
> companies and governments alike. We are confident that discussions on
> this topic will motivate our open community to do even more work on
> these and further related topics.
> Don't think about all this just in light of the recent revelations. The
> security and privacy of the Internet in general is still a major
> challenge even ignoring pervasive monitoring and related activities.
> Learnings can be drawn from the above that will be generally useful in
> many ways for years to come. Perhaps this year's discussions are a way to
> motivate the world to move from "by default insecure" to "by default
> secure". Publicity and motivation are important, too. There is plenty to
> do for all of us, from users enabling additional security features to
> companies and governments ensuring that their products, services and
> applications are secure. OWASP is an open community and we invite those
> interested in working on this topic to contribute to the analysis and
> develop ideas in this area together.
> If you would like to support this statement or disagree, please provide
> your feedback here: Click Here to go to the Survey
> <https://www.surveymonkey.com/s/WK7TZNT>
> Cheers, Tobias