[Owasp-leaders] I want to boost this project (OWASP Security Labeling System Project)

johanna curiel curiel johanna.curiel at owasp.org
Sat Aug 23 20:46:54 UTC 2014


Hi Luis,

While I like the concept, there are some things I do not understand and I
would like to clarify.

-The project seems to imply assigning a label to "web applications and
software (in general)." Does that mean that if a project has a label, you
are implying that it is "Secure"... "This label is *for Software developed
with a secure life cycle*, *following recommended security coding
practices* (OWASP TOP TEN, OWASP security principles...) and recommended
security tools (Zed Attack Proxy, Dependency check...)"?

-What is the process of assigning a label? How do you judge that a "web app
or software" can actually receive one? That means you need to review these
web apps in order to determine that they were developed using a secure life
cycle, for example. Who will be the reviewers of these web apps?

For some reason I assume that OWASP (as a brand) provides some sort of
review to these "web apps and software". I honestly find this dangerous for
OWASP's reputation. Even when we can set all sorts of disclaimers that we
cannot "guarantee" that the labeling means the app is actually secure, if a
breach happened with that app, OWASP will be associated with that security
breach.

Regards

Johanna




On Sat, Aug 23, 2014 at 4:10 PM, Luis Enriquez <luis.enriquez at owasp.org>
wrote:

> Dear Community,
>
> I have been working on the OWASP Labeling system Project
> for the last 5 months. It is a different kind of project as there are some
> legal issues involved such as security and privacy clauses. I need some
> feedback from the "old and well known" OWASP members in order to confirm if
> this is the right orientation.
>
> As there is no OWASP Project manager at the moment, and the community is
> changing the board members, I just don't know who to contact.
>
> I still believe it is a good project, and OWASP the right community for
> developing such an idea.
>
> https://www.owasp.org/index.php/OWASP_Security_Labeling_System_Project
>
> best,
>
> --
> Luis Enriquez
>
>