[Owasp-leaders] I want to boost this project (OWASP Security Labeling System Project)

Eoin Keary eoin.keary at owasp.org
Mon Aug 25 22:43:52 UTC 2014


Tie the Labels to the new ASVS standard. This is auditable given the ASVS defines what is required to be done to achieve a certain level.

Again, policing the awarding of "badges" is still a problem. Without verification the "badge" does not hold or represent very much.

OWASP Top 10 is a list of best guesses and not a methodology, or particularly scientific or backed by strong data, but it's a great awareness document and a good learning tool.



Eoin Keary
Owasp Global Board
+353 87 977 2988


On 25 Aug 2014, at 22:19, johanna curiel curiel <johanna.curiel at owasp.org> wrote:

> >But I would propose to start with something feasible and conscious. Let's create one simple first label which could withstand professional criticism.
> Agree, introducing 4 labels at once seems very ambitious with high chances to fail.
> 
> >In my understanding T10 obviously lacks the framework of enabling its use as QA standard. For that end one should first be able to measure the risks associated with that particular application (measure that in a standard manner), and then test an appropriate subset of T10 which corresponds with that risk profile (test with a standard set of tools running with defined profiles).
> That would be the standard test of the security quality of a software. It is still QA sci-fi today, isn't it? 
> 
> Agree. The risk profile is essential, and that means that this project needs to provide some clear process and methodology; otherwise how can I assign a label?
> 
> An example: 
> An OWASP code library tool that is supposed to make apps safe and has security vulnerabilities can make the application using it vulnerable; it fails to deliver security and eventually compromises the entire OS.
> An OWASP tool such as ZAP does not have this risk, but installing a vulnerable app can make the OS using it vulnerable (if it has security bugs).
> An OWASP tool such as OWASP Web Testing Environment does not have that problem at all because it is a VM (full of vulnerable apps), so the user knows that he should never put this in his network (more a plug and play thing).
> 
> As you can see, each app has its own risks and responsibilities with regard to the user and the people implementing them.
> 
> Maybe it is time to take this discussion to the project mailing list?
> 
> 
> regards
> 
> Johanna
> 
> 
> On Mon, Aug 25, 2014 at 5:22 PM, Timur 'x' Khrotko (owasp) <timur at owasp.org> wrote:
>> Johanna, Luis,
>> 
>> while I am aware of the need for the OWASP labels for software, that there is a "market/public" need for it, and as with the case of professional certification, my point is that it is better to do it in OWASP than let others do it not that well, but.
>> 
>> But I would propose to start with something feasible and conscious. Let's create one simple first label which could withstand professional criticism.
>> 
>> In my perspective T10 is not a methodology. And I doubt the professional grounds to declare that a given application is T10 compliant. 
>> As always here I refer to the post of our colleague (cc-d):
>> http://blog.silentsignal.eu/2014/03/31/owasp-top-10-is-overrated/
>> 
>> In my understanding T10 obviously lacks the framework of enabling its use as QA standard. For that end one should first be able to measure the risks associated with that particular application (measure that in a standard manner), and then test an appropriate subset of T10 which corresponds with that risk profile (test with a standard set of tools running with defined profiles).
>> That would be the standard test of the security quality of a software. It is still QA sci-fi today, isn't it?!
>> 
>> A different type of security assurance would be to certify that the development process complies with defined S-SDLC methodology (say MS SDL). This would be feasible even today.
>> 
>> My suggestion is not to engage in a fresh approach from abstract qualities O, P, I, etc. But take some working parts we have: T10, proactive controls, ASVS, xyz -- and extend those with certification rules of game.
>> 
>> I also believe that the main point of OWASP certification is not to make it visible for profane public, but to create standard security QA references for vendor contracts, to create mapping between the legally binding clauses and the technically testable qualities of the software (the delivery and the support phase as well).
>> 
>> Regards:
>> Timur
>> 
>> 
>> On Mon, Aug 25, 2014 at 7:45 PM, johanna curiel curiel <johanna.curiel at owasp.org> wrote:
>>> >A1: There is not 100% security, we know that. The labeling system has the only purpose of making security visible for Users. What the "Security label" does, is just verifying that the Application follows a security oriented methodology, such as the OWASP Top Ten.  
>>> 
>>> Ok I think I get it. The labeling system only implies that the web app/software "follows" OWASP guidelines.
>>> 
>>> (3) About reviews, they could be based on private vulnerability reports, points, or perhaps automated tools(if allowed by the Application).
>>> Ok I like the idea of labeling web apps/software that follow OWASP guidelines. I believe that the real challenge of the project will be this part. 
>>> 
>>> Reviewing applications to verify they follow a process is quite intensive, even when you have vulnerability/automated tools, because you need a body/group of assessors. Right now I think I want to use this labeling system in our own OWASP projects ;-P (not vulnerable apps included, of course)
>>> 
>>> So yes, let's join forces to see if we are using our own guidelines... and the ones that do... they get a nice label :)))
>>> 
>>> Just to give you an idea, I use all these automated tools (otherwise I alone and Kait would not make it) to review code/tool projects:
>>> -TeamCity
>>> -Openhub
>>> -Ranorex
>>> -Coverity & SWAMP ==> For code analysis
>>> -IDEs to verify tools (Eclipse, Visual Studio, etc.)
>>> 
>>> I can see in the code structure if projects use certain principles, but maybe you can help me design a checklist to verify they are using our own guidelines such as:
>>> -Top Ten, ASVS, Cheat Sheets, etc.
>>> 
>>> We can take this discussion to your project mailing list.
>>> 
>>> regards
>>> 
>>> Johanna
>>> 
>>> 
>>> 
>>> 
>>> On Sun, Aug 24, 2014 at 6:58 PM, Luis Enriquez <luis.enriquez at owasp.org> wrote:
>>>> Dear Johanna,
>>>> 
>>>> Thank you very much for replying and getting interested in this. Considering this is still an experimental "idea", I know there are some tricky issues to be solved. I will try to comment on those "tricky" issues (just my perspective):
>>>> 
>>>> Q1. The project seems to imply assigning a label to "web applications and software (in general)." Does that mean that if a project has a label, you are implying that it is "Secure"... "This label is for Software developed with a secure life cycle, following recommended security coding practices (OWASP TOP TEN, OWASP security principles...) and recommended security tools (Zed Attack Proxy, Dependency check...)"?
>>>> 
>>>> A1: There is no 100% security, we know that. The labeling system has the only purpose of making security visible for Users. What the "Security label" does is just verify that the Application follows a security oriented methodology, such as the OWASP Top Ten.
>>>> 
>>>> 
>>>> Q2. What is the process of assigning a label? How do you judge that a "web app or software" can actually receive one? That means you need to review these web apps in order to determine that they were developed using a secure life cycle, for example. Who will be the reviewers of these web apps?
>>>> 
>>>> A2: Any Web app or software could apply for it if: (1) It includes in its contract terms the clause of security (in case of the security label). By this clause, the Application developer just makes the commitment to the Application users that he is following the Security Testing methodology (such as OWASP Top Ten).
>>>> (2) On the other hand, the OWASP project will have to verify that a certain application is actually following the Testing methodology. Labels can also be suspended.
>>>> (3) About reviews, they could be based on private vulnerability reports, points, or perhaps automated tools (if allowed by the Application).
>>>> 
>>>> Q3. For some reason I assume that OWASP (as a brand) provides some sort of review to these "web apps and software". I honestly find this dangerous for OWASP's reputation. Even when we can set all sorts of disclaimers that we cannot "guarantee" that the labeling means the app is actually secure, if a breach happened with that app, OWASP would be associated with that security breach.
>>>> 
>>>> A3. OWASP as a brand just certifies that the Application is following a secure methodology, just as an ISO standard does. Getting an original brand can also be an option, but hopefully supported by OWASP (and perhaps other Internet communities). However, in IT security there are always risks, right?
>>>> 
>>>> cheers,
>>>> 
>>>> Luis
>>>> 
>>>> 
>>>> 
>>>> 
>>>> On Sat, Aug 23, 2014 at 10:46 PM, johanna curiel curiel <johanna.curiel at owasp.org> wrote:
>>>>> Hi Luis,
>>>>> 
>>>>> While I like the concept, there are some things I do not understand and I would like to clarify.
>>>>> 
>>>>> -The project seems to imply assigning a label to "web applications and software (in general)." Does that mean that if a project has a label, you are implying that it is "Secure"... "This label is for Software developed with a secure life cycle, following recommended security coding practices (OWASP TOP TEN, OWASP security principles...) and recommended security tools (Zed Attack Proxy, Dependency check...)"?
>>>>> 
>>>>> -What is the process of assigning a label? How do you judge that a "web app or software" can actually receive one? That means you need to review these web apps in order to determine that they were developed using a secure life cycle, for example. Who will be the reviewers of these web apps?
>>>>> 
>>>>> For some reason I assume that OWASP (as a brand) provides some sort of review to these "web apps and software". I honestly find this dangerous for OWASP's reputation. Even when we can set all sorts of disclaimers that we cannot "guarantee" that the labeling means the app is actually secure, if a breach happened with that app, OWASP would be associated with that security breach.
>>>>> 
>>>>> Regards
>>>>> 
>>>>> Johanna
>>>>> 
>>>>> 
>>>>> 
>>>>> 
>>>>> On Sat, Aug 23, 2014 at 4:10 PM, Luis Enriquez <luis.enriquez at owasp.org> wrote:
>>>>>> Dear Community,
>>>>>> 
>>>>>> I have been working on the OWASP Labeling System Project for the last 5 months. It is a different kind of project, as there are some legal issues involved such as security and privacy clauses. I need some feedback from the "old and well known" OWASP members in order to confirm whether this is the right orientation.
>>>>>> 
>>>>>> As there is no OWASP Project Manager at the moment, and the community is changing the board members, I just don't know whom to contact.
>>>>>> 
>>>>>> I still believe it is a good project, and OWASP the right community for developing such an idea.
>>>>>> 
>>>>>> https://www.owasp.org/index.php/OWASP_Security_Labeling_System_Project
>>>>>> 
>>>>>> best,
>>>>>> 
>>>>>> -- 
>>>>>> Luis Enriquez
>>>>>> 
>>>>>> 
>>>>>> _______________________________________________
>>>>>> OWASP-Leaders mailing list
>>>>>> OWASP-Leaders at lists.owasp.org
>>>>>> https://lists.owasp.org/mailman/listinfo/owasp-leaders
>>>> 
>>>> 
>>>> 
>>>> -- 
>>>> Luis Enriquez
>>>> (LLM,MD,CEH,CHFI)
>>> 
>>> 
>> 
>> 
> 