[Owasp-leaders] I want to boost this project (OWASP Security Labeling System Project)

Timur 'x' Khrotko (owasp) timur at owasp.org
Mon Aug 25 20:22:39 UTC 2014


Johanna, Luis,

While I am aware of the need for OWASP labels for software, that there is
a "market/public" need for it, and, as in the case of professional
certification, my point is that it is better to do it in OWASP than to let
others do it not that well, but.

But I would propose to start with something feasible and conscious. Let's
create one simple first label which could withstand professional criticism.

From my perspective, T10 is not a methodology, and I doubt there are
professional grounds to declare that a given application is T10 compliant.
As always, here I refer to the post of our colleague (cc'd):
http://blog.silentsignal.eu/2014/03/31/owasp-top-10-is-overrated/

In my understanding, T10 obviously lacks the framework that would enable its
use as a QA standard. To that end, one should first be able to measure the
risks associated with a particular application (measure them in a standard
manner), and then test the appropriate subset of T10 that corresponds to
that risk profile (test with a standard set of tools running with defined
profiles).
That would be the standard test of the security quality of a piece of
software. That is still QA sci-fi today, isn't it?!

A different type of security assurance would be to certify that the
development process complies with a defined S-SDLC methodology (say, MS SDL).
This would be feasible even today.

My suggestion is not to engage in a fresh approach from abstract qualities
O, P, I, etc., but to take some working parts we have: T10, Proactive
Controls, ASVS, xyz -- and extend those with certification rules of the game.

I also believe that the main point of OWASP certification is not to make it
visible to the profane public, but to create standard security QA references
for vendor contracts, to create a mapping between the legally binding clauses
and the technically testable qualities of the software (in the delivery and
the support phases as well).

Regards:
Timur


On Mon, Aug 25, 2014 at 7:45 PM, johanna curiel curiel <
johanna.curiel at owasp.org> wrote:

> >A1: There is no 100% security, we know that. The labeling system has
> the only purpose of making security visible to users. What the "Security
> label" does is just verify that the application follows a security
> oriented methodology, such as the OWASP Top Ten.
>
> Ok I think I get it. The labeling system only implies that the web
> app/software "follows" OWASP guidelines.
>
> (3) About reviews, they could be based on private vulnerability reports,
> points, or perhaps automated tools (if allowed by the application).
> Ok, I like the idea of labeling web apps/software that follow OWASP
> guidelines. I believe that the real challenge of the project will be this
> part.
>
> Reviewing applications to verify they follow a process is quite intensive,
> even when you have vulnerability/automated tools, because you need a
> body/group of assessors. Right now I think I want to use this labeling
> system in our own OWASP projects ;-P (not vulnerable apps included, of
> course)
>
> So yes, let's join forces to see if we are using our own guidelines... and
> the ones that do... they get a nice label :)))
>
> Just to give you an idea, I use all these automated tools (otherwise I
> alone and Kait would not make it) to review code/tool projects:
> -TeamCity
> -Openhub
> -Ranorex
> -Coverity & SWAMP ==> For code analysis
> -IDEs to verify tools (Eclipse, Visual Studio, etc.)
>
> I can see in the code structure if projects use certain principles, but
> maybe you can help me design a checklist to verify they are using our own
> guidelines, such as:
> -Top Ten, ASVS, Cheat Sheets, etc.
>
> We can take this discussion into your project's mailing list.
>
> regards
>
> Johanna
>
>
>
>
> On Sun, Aug 24, 2014 at 6:58 PM, Luis Enriquez <luis.enriquez at owasp.org>
> wrote:
>
>> Dear Johanna,
>>
>> Thank you very much for replying and getting interested in this.
>> Considering this is still an experimental "idea", I know there are some
>> tricky issues to be solved. I will try to comment on those "tricky"
>> issues (just my perspective):
>>
>> *Q1. The project seems to imply assigning a label to "web applications
>> and software (in general)." Does that mean that if a project has a label,
>> you are implying that it is "Secure"... "This label is for Software developed
>> with a secure life cycle, following recommended security coding
>> practices (OWASP TOP TEN, OWASP security principles...) and recommended
>> security tools (Zed Attack Proxy, Dependency Check...)"?*
>>
>> A1: There is no 100% security, we know that. The labeling system has
>> the only purpose of making security visible to users. What the
>> "Security label" does is just verify that the application follows a
>> security oriented methodology, such as the OWASP Top Ten.
>>
>>
>>
>> *Q2. How is the process of assigning a label? How do you judge that a
>> "web app or software" can actually receive one? That means you need
>> to review these web apps in order to determine that they were developed
>> using a secure life cycle, for example. Who will be the reviewers of these
>> web apps?*
>> Any web app or software could apply for it if: (1) it includes in its
>> contract terms the clause of security (in the case of the security label). By
>> this clause, the application developer just makes the commitment to the
>> application users that he is following the security testing
>> methodology (such as OWASP Top Ten).
>> (2) On the other hand, the OWASP project will have to verify that a certain
>> application is actually following the testing methodology. Labels can also
>> be suspended.
>> (3) About reviews, they could be based on private vulnerability reports,
>> points, or perhaps automated tools (if allowed by the application).
>>
>> *Q3. For some reason I assume that OWASP (as a brand) provides some sort
>> of review of these "web apps and software". I honestly find this dangerous
>> for OWASP's reputation. Even when we can set all sorts of disclaimers that we
>> cannot "guarantee" that the labeling means the app is actually secure, if a
>> breach happened with that app, OWASP will be associated with that
>> security breach.*
>>
>> A3. OWASP as a brand just certifies that the application is following a
>> secure methodology, just as an ISO standard does. Getting an original
>> brand can also be an option, but hopefully supported by OWASP (and perhaps
>> other Internet communities). However, in IT security there are always
>> risks, right?
>>
>> cheers,
>>
>> Luis
>>
>>
>>
>>
>> On Sat, Aug 23, 2014 at 10:46 PM, johanna curiel curiel <
>> johanna.curiel at owasp.org> wrote:
>>
>>> Hi Luis,
>>>
>>> While I like the concept, there are some things I do not understand and
>>> would like to clarify.
>>>
>>> -The project seems to imply assigning a label to "web applications and
>>> software (in general)." Does that mean that if a project has a label, you
>>> are implying that it is "Secure"... "This label is *for Software developed
>>> with a secure life cycle*, *following recommended security coding
>>> practices* (OWASP TOP TEN, OWASP security principles...) and recommended
>>> security tools (Zed Attack Proxy, Dependency Check...)"?
>>>
>>> -How is the process of assigning a label? How do you judge that a "web
>>> app or software" can actually receive one? That means you need
>>> to review these web apps in order to determine that they were developed
>>> using a secure life cycle, for example. Who will be the reviewers of these
>>> web apps?
>>>
>>> For some reason I assume that OWASP (as a brand) provides some sort of
>>> review of these "web apps and software". I honestly find this dangerous for
>>> OWASP's reputation. Even when we can set all sorts of disclaimers that we
>>> cannot "guarantee" that the labeling means the app is actually secure, if a
>>> breach happened with that app, OWASP will be associated with that security
>>> breach.
>>>
>>> Regards
>>>
>>> Johanna
>>>
>>>
>>>
>>>
>>> On Sat, Aug 23, 2014 at 4:10 PM, Luis Enriquez <luis.enriquez at owasp.org>
>>> wrote:
>>>
>>>> Dear Community,
>>>>
>>>> I have been working on the OWASP Labeling System Project
>>>> for the last 5 months. It is a different kind of project, as there are some
>>>> legal issues involved, such as security and privacy clauses. I need some
>>>> feedback from the "old and well-known" OWASP members in order to confirm if
>>>> this is the right orientation.
>>>>
>>>> As there is no OWASP Project Manager at the moment, and the community
>>>> is changing the board members, I just don't know who to contact.
>>>>
>>>> I still believe it is a good project, and OWASP is the right community for
>>>> developing such an idea.
>>>>
>>>> https://www.owasp.org/index.php/OWASP_Security_Labeling_System_Project
>>>>
>>>> best,
>>>>
>>>> --
>>>> Luis Enriquez
>>>>
>>>>
>>>> _______________________________________________
>>>> OWASP-Leaders mailing list
>>>> OWASP-Leaders at lists.owasp.org
>>>> https://lists.owasp.org/mailman/listinfo/owasp-leaders
>>>>
>>>>
>>>
>>
>>
>> --
>> Luis Enriquez
>> (LLM,MD,CEH,CHFI)
>>
>
>

-- 
Email us to enforce a secure link with your mail servers (domain).
This message may contain confidential information - you should handle it
accordingly.
(Hungarian original: This message may contain confidential information and
should be handled accordingly.)

