[Owasp-leaders] I want to boost this project (OWASP Security Labeling System Project)

johanna curiel curiel johanna.curiel at owasp.org
Mon Aug 25 17:45:15 UTC 2014


> A1: There is not 100% security, we know that. The labeling system has the
> only purpose of making security visible for Users. What the "Security
> label" does, is just verifying that the Application follows a security
> oriented methodology, such as the OWASP Top Ten.

Ok I think I get it. The labeling system only implies that the web
app/software "follows" OWASP guidelines.

> (3) About reviews, they could be based on private vulnerability reports,
> points, or perhaps automated tools (if allowed by the Application).

Ok I like the idea of labeling web apps/software that follow OWASP
guidelines. I believe that the real challenge of the project will be this
part.

Reviewing applications to verify they follow a process is quite intensive,
even when you have vulnerability/automated tools, because you need a
body/group of assessors. Right now I think I want to use this labeling
system in our own OWASP projects ;-P (not vulnerable apps included, of
course)

So yes, let's join forces to see if we are using our own guidelines... and
the ones that do... they get a nice label :)))

Just to give you an idea, I use all these automated tools (otherwise I alone
and Kait would not make it) to review code/tool projects:
-TeamCity
-Openhub
-Ranorex
-Coverity & SWAMP ==> For code analysis
-IDEs to verify tools (Eclipse, Visual Studio, etc.)

I can see in the code structure if projects use certain principles, but
maybe you can help me design a checklist to verify they are using our own
guidelines such as:
-Top Ten, ASVS, Cheat Sheets, etc.

We can take this discussion to your project's mailing list.

regards

Johanna




On Sun, Aug 24, 2014 at 6:58 PM, Luis Enriquez <luis.enriquez at owasp.org>
wrote:

> Dear Johanna,
>
> Thank you very much for replying and getting interested about this.
> Considering this is still an experimental "idea", I know there are some
> tricky issues to be solved. I will try to comment over those "tricky"
> issues (just my perspective):
>
> *Q1. The project seems to imply assigning a label to "web applications and
> software (in general)." Does that mean that if a project has a label, you
> are implying that it is "Secure"... "This label is for Software developed
> with a secure life cycle, following recommended security coding practices
> (OWASP TOP TEN, OWASP security principles...) and recommended security
> tools (Zed Attack Proxy, Dependency check...)"?*
>
> A1: There is not 100% security, we know that. The labeling system has the
> only purpose of making security visible for Users. What the "Security
> label" does, is just verifying that the Application follows a security
> oriented methodology, such as the OWASP Top Ten.
>
>
>
> *Q2. How is the process of assigning a label? How do you judge that a "web
> app or software" can actually receive one? That means you need
> to review these web apps in order to determine that they were developed
> using a secure life cycle, for example. Who will be the reviewers of these
> webapps?*
> Any Web app or software could apply for it if: (1) It includes in its
> contract terms the clause of security (in case of the security label). By
> this clause, the Application developer just makes the compromise to the
> Application users that he is following the Security Testing
> methodology (such as OWASP Top Ten).
> (2) On the other hand, the OWASP project will have to verify that a certain
> application is actually following the Testing methodology. Labels can also
> be suspended.
> (3) About reviews, they could be based on private vulnerability reports,
> points, or perhaps automated tools (if allowed by the Application).
>
> *Q3. For some reason I assume that OWASP (as a brand) provides some sort
> of review to these "web apps and software". I honestly find this dangerous
> for OWASP's reputation. Even when we can set all sorts of disclaimers that we
> cannot "guarantee" that the labeling means the app is actually secure, if a
> breach happened with that app, OWASP will be associated with that
> security breach.*
>
> A3. OWASP as a brand just certifies that the Application is following a
> secure methodology, just as an ISO standard does. Getting an original
> brand can also be an option, but hopefully supported by OWASP (and perhaps
> other Internet communities). However, in IT security there are always
> risks, right?
>
> cheers,
>
> Luis
>
>
>
>
> On Sat, Aug 23, 2014 at 10:46 PM, johanna curiel curiel <
> johanna.curiel at owasp.org> wrote:
>
>> Hi Luis,
>>
>> While I like the concept, there are some things I do not understand and I
>> would like to clarify.
>>
>> -The project seems to imply assigning a label to "web applications and
>> software (in general)." Does that mean that if a project has a label, you
>> are implying that it is "Secure"... "This label is *for Software developed
>> with a secure life cycle*, *following recommended security coding
>> practices* (OWASP TOP TEN, OWASP security principles...) and recommended
>> security tools (Zed Attack Proxy, Dependency check...)"?
>>
>> -How is the process of assigning a label? How do you judge that a "web
>> app or software" can actually receive one? That means you need
>> to review these web apps in order to determine that they were developed
>> using a secure life cycle, for example. Who will be the reviewers of these
>> webapps?
>>
>> For some reason I assume that OWASP (as a brand) provides some sort of
>> review to these "web apps and software". I honestly find this dangerous for
>> OWASP's reputation. Even when we can set all sorts of disclaimers that we
>> cannot "guarantee" that the labeling means the app is actually secure, if a
>> breach happened with that app, OWASP will be associated with that security
>> breach.
>>
>> Regards
>>
>> Johanna
>>
>>
>>
>>
>> On Sat, Aug 23, 2014 at 4:10 PM, Luis Enriquez <luis.enriquez at owasp.org>
>> wrote:
>>
>>> Dear Community,
>>>
>>> I have been working on the OWASP Labeling System Project
>>> for the last 5 months. It is a different kind of project as there are some
>>> legal issues involved such as security and privacy clauses. I need some
>>> feedback from the "old and well known" OWASP members in order to confirm if
>>> this is the right orientation.
>>>
>>> As there is no OWASP Project manager at the moment, and the community is
>>> changing the board members, I just don't know who to contact.
>>>
>>> I still believe it is a good project, and OWASP the right community for
>>> developing such an idea.
>>>
>>> https://www.owasp.org/index.php/OWASP_Security_Labeling_System_Project
>>>
>>> best,
>>>
>>> --
>>> Luis Enriquez
>>>
>>>
>>> _______________________________________________
>>> OWASP-Leaders mailing list
>>> OWASP-Leaders at lists.owasp.org
>>> https://lists.owasp.org/mailman/listinfo/owasp-leaders
>>>
>>>
>>
>
>
> --
> Luis Enriquez
> (LLM,MD,CEH,CHFI)
>