[Owasp-leaders] I want to boost this project (OWASP Security Labeling System Project)

Luis Enriquez luis.enriquez at owasp.org
Tue Aug 26 22:03:57 UTC 2014


 By now, the 4 labels are just an experimental idea, and they could be
implemented 1 by 1 (or even more). However, in order to simplify the model,
I will summarise it in 2 phases:

1) Legal part (between developer and user).   Creating legally binding
clauses (as Timur mentioned) in contracts.  The vendors must include the
label's clause inside the contracts (EULA, terms and conditions).
Developers make the commitment that their application is following a
recommended OWASP methodology (e.g. ASVS).

2) Technical part (between developer and the OWASP project).  OWASP
provides the methodologies. The OWASP labeling system project verifies that
the application developer is following those methodologies. If so, the label
proceeds.


About the graphic labels, I think the visual part contributes to making
security visible. Most humans don't understand PHP, Java, or even HTML. But
all humans could  READ THE LABEL.

I agree we could move this to the mailing list, please join it.

best,

Luis


> >In my understanding T10 obviously lacks the framework of enabling its use
> as QA standard. For that end one should first be able to measure the risks
> associated with that particular application (measure that in a standard
> manner), and then test an appropriate subset of T10 which corresponds with
> that risk profile (test with a standard set of tools running with defined
> profiles).
> That would be the standard test of the security quality of a software. It
> is still QA sci-fi today, isn't it?
>
> Agree. The risk profile is essential and that means that this project needs
> to provide some clear process and methodology, otherwise how can I assign a
> label?
>
> An example:
> An OWASP code library tool that is supposed to make apps safe and has
> security vulnerabilities can make the application using it vulnerable; it
> fails to deliver security and compromises the entire OS eventually.
> An OWASP tool such as ZAP does not have this risk, but installing a
> vulnerable app can make the OS using it vulnerable (if it has security bugs).
> An OWASP tool such as OWASP Web Testing Environment does not have that
> problem at all because it is a VM (full of vulnerable apps), so the user
> knows that he should never put this in his network (more a plug and play
> thing).
>
> As you can see each app has its own risks and responsibilities with regards
> to the user and people implementing them.
>
> Maybe it is time to take this discussion to the project mailing list?


Thank you very much for your participation,




On Tue, Aug 26, 2014 at 12:43 AM, Eoin Keary <eoin.keary at owasp.org> wrote:

> Tie the Labels to the new ASVS standard. This is auditable given the ASVS
> defines what is required to be done to achieve a certain level.
>
> Again policing the awarding of "badges" is still a problem.  - Without
> verification the "badge" does not hold or represent very much.
>
> OWASP Top 10 is a list of best guesses and not a methodology, nor particularly
> scientific or backed by strong data, but it's a great awareness document and
> a good learning tool.
>
>
>
> Eoin Keary
> Owasp Global Board
> +353 87 977 2988
>
>
> On 25 Aug 2014, at 22:19, johanna curiel curiel <johanna.curiel at owasp.org>
> wrote:
>
> >But I would propose to start with something feasible and conscious. Let's
> create one simple first label which could withstand professional criticism.
> Agree, introducing 4 labels at once seems very ambitious with high chances
> to fail.
>
> >In my understanding T10 obviously lacks the framework of enabling its use
> as QA standard. For that end one should first be able to measure the risks
> associated with that particular application (measure that in a standard
> manner), and then test an appropriate subset of T10 which corresponds with
> that risk profile (test with a standard set of tools running with defined
> profiles).
> That would be the standard test of the security quality of a software. It
> is still QA sci-fi today, isn't it?
>
> Agree. The risk profile is essential and that means that this project
> needs to provide some clear process and methodology, otherwise how can I
> assign a label?
>
> An example:
> An OWASP code library tool that is supposed to make apps safe and has
> security vulnerabilities can make the application using it vulnerable; it
> fails to deliver security and compromises the entire OS eventually.
> An OWASP tool such as ZAP does not have this risk, but installing a
> vulnerable app can make the OS using it vulnerable (if it has security bugs).
> An OWASP tool such as OWASP Web Testing Environment does not have that
> problem at all because it is a VM (full of vulnerable apps), so the user
> knows that he should never put this in his network (more a plug and play
> thing).
>
> As you can see each app has its own risks and responsibilities with
> regards to the user and people implementing them.
>
> Maybe it is time to take this discussion to the project mailing list?
>
> regards
>
> Johanna
>
>
> On Mon, Aug 25, 2014 at 5:22 PM, Timur 'x' Khrotko (owasp) <
> timur at owasp.org> wrote:
>
>> Johanna, Luis,
>>
>> while I am aware of the need for the OWASP labels for software, that
>> there is a "market/public" need for it, and as with the case of
>> professional certification, my point is that it is better to do it in OWASP
>> than let others do it not that well, but.
>>
>> But I would propose to start with something feasible and conscious. Let's
>> create one simple first label which could withstand professional criticism.
>>
>> In my perspective T10 is not a methodology. And I doubt the professional
>> grounds to declare that a given application is T10 compliant.
>> As always here I refer to the post of our colleague (cc-d):
>> http://blog.silentsignal.eu/2014/03/31/owasp-top-10-is-overrated/
>>
>> In my understanding T10 obviously lacks the framework of enabling its use
>> as QA standard. For that end one should first be able to measure the risks
>> associated with that particular application (measure that in a standard
>> manner), and then test an appropriate subset of T10 which corresponds with
>> that risk profile (test with a standard set of tools running with defined
>> profiles).
>> That would be the standard test of the security quality of a software. It
>> is still QA sci-fi today, isn't it?!
>>
>> A different type of security assurance would be to certify that the
>> development process complies with defined S-SDLC methodology (say MS SDL).
>> This would be feasible even today.
>>
>> My suggestion is not to engage in a fresh approach from abstract
>> qualities O, P, I, etc. But take some working parts we have: T10, proactive
>> controls, ASVS, xyz -- and extend those with certification rules of game.
>>
>> I also believe that the main point of OWASP certification is not to make
>> it visible to the lay public, but to create standard security QA
>> references for vendor contracts, to create a mapping between the legally
>> binding clauses and the technically testable qualities of the software (the
>> delivery and the support phase as well).
>>
>> Regards:
>> Timur
>>
>>
>> On Mon, Aug 25, 2014 at 7:45 PM, johanna curiel curiel <
>> johanna.curiel at owasp.org> wrote:
>>
>>> >A1: There is no 100% security, we know that. The labeling system has
>>> the only purpose of making security visible for Users. What the
>>> "Security label" does, is just verifying that the Application follows a
>>> security oriented methodology, such as the OWASP Top Ten.
>>>
>>> Ok I think I get it. The labeling system only implies that the web
>>> app/software "follows" OWASP guidelines.
>>>
>>> (3) About reviews, they could be based on private vulnerability reports,
>>> points, or perhaps automated tools(if allowed by the Application).
>>> Ok I like the idea of labeling web apps/software that follow OWASP
>>> guidelines. I believe that the real challenge of the project will be this
>>> part.
>>>
>>> Reviewing applications to verify they follow a process is quite
>>> intensive, even when you have vulnerability/automated tools, because you
>>> need a body/group of assessors. Right now I think I want to use this
>>> labeling system in our own OWASP projects ;-P (not vulnerable apps included,
>>> of course)
>>>
>>> So yes, let's join forces to see if we are using our own guidelines...
>>> and the ones that do... they get a nice label :)))
>>>
>>> Just to give you an idea, I use all these automated tools (otherwise I
>>> alone and Kait would not make it) to review code/tool projects:
>>> -TeamCity
>>> -Openhub
>>> -Ranorex
>>> -Coverity & SWAMP ==> For code analysis
>>> -IDEs to verify tools (Eclipse, Visual Studio..etc)
>>>
>>> I can see in the code structure if projects use certain principles, but
>>> maybe you can help me design a checklist to verify they are using our own
>>> guidelines such as:
>>> -TOP ten, ASVS, Cheat sheets etc
>>>
>>> we can take this discussion into your mail list project
>>>
>>> regards
>>>
>>> Johanna
>>>
>>>
>>>
>>>
>>> On Sun, Aug 24, 2014 at 6:58 PM, Luis Enriquez <luis.enriquez at owasp.org>
>>> wrote:
>>>
>>>> Dear Johanna,
>>>>
>>>> Thank you very much for replying and getting interested in this.
>>>> Considering this is still an experimental "idea",  I know there are some
>>>> tricky issues to be solved.  I will try to comment on those "tricky"
>>>> issues (just my perspective):
>>>>
>>>> *Q1. The project seems to imply assigning a label to "web applications
>>>> and software(in general)." Does that mean that if a project has a label,
>>>> you are implying that it is "Secure"..."This label is for Software developed
>>>> with a secure life cycle, following recommended security coding
>>>> practices(OWASP TOP TEN, OWASP security principles...) and recommended
>>>> security tools(Zed Attack Proxy, Dependency check...)" ?*
>>>>
>>>> A1: There is no 100% security, we know that. The labeling system has
>>>> the only purpose of making security visible for Users. What the
>>>> "Security label" does, is just verifying that the Application follows a
>>>> security oriented methodology, such as the OWASP Top Ten.
>>>>
>>>>
>>>>
>>>> *Q2. How is the process of assigning a label? How do you judge that a
>>>> "web app or software" can actually receive one? That means you need
>>>> to review these web apps in order to determine that they were developed
>>>> using a secure life cycle for example.Who will be the reviewers of these
>>>> webapps?*
>>>> Any Web app or software could apply for it if: (1) It includes in its
>>>> contract terms the security clause (in the case of the security label). By
>>>> this clause, the Application developer just makes the commitment to the
>>>> Application users that he is following the Security Testing
>>>> methodology (such as OWASP Top Ten).
>>>> (2) On the other hand, the OWASP project will have to verify that a
>>>> certain application is actually following the Testing methodology. Labels
>>>> can also be suspended.
>>>> (3) About reviews, they could be based on private vulnerability
>>>> reports, points, or perhaps automated tools (if allowed by the Application).
>>>>
>>>> *Q3. For some reason I assume  that OWASP (as a brand) provides some
>>>> sort of review to these "web apps and software". I honestly find
>>>> this dangerous for OWASP reputation. Even when we can set all sorts
>>>> of disclaimers that we cannot "guarantee" that the labeling means the app is
>>>> actually secure, if a breach happened with that app, OWASP will be
>>>> associated with that security breach.*
>>>>
>>>> A3. OWASP as a brand just certifies that the Application is following a
>>>> secure methodology. Just as an ISO standard does.  Getting an original
>>>> brand can also be an option, but hopefully supported by OWASP(and perhaps
>>>> other Internet communities). However, in IT security there are always
>>>> risks, right?
>>>>
>>>> cheers,
>>>>
>>>> Luis
>>>>
>>>>
>>>>
>>>>
>>>> On Sat, Aug 23, 2014 at 10:46 PM, johanna curiel curiel <
>>>> johanna.curiel at owasp.org> wrote:
>>>>
>>>>> Hi Luis,
>>>>>
>>>>> While I like the concept, there are some things I do not understand
>>>>> and I would like to clarify.
>>>>>
>>>>> -The project seems to imply assigning a label to "web applications
>>>>> and software(in general)." Does that mean that if a project has a label,
>>>>> you are implying that it is "Secure"..."This label is* for Software
>>>>> developed with a secure life cycle*,* following recommended security
>>>>> coding practices*(OWASP TOP TEN, OWASP security principles...) and
>>>>> recommended security tools(Zed Attack Proxy, Dependency check...)" ?
>>>>>
>>>>> -How is the process of assigning a label? How do you judge that a "web
>>>>> app or software" can actually receive one? That means you need
>>>>> to review these web apps in order to determine that they were developed
>>>>> using a secure life cycle for example.Who will be the reviewers of these
>>>>> webapps?
>>>>>
>>>>> For some reason I assume  that OWASP (as a brand) provides some sort
>>>>> of review to these "web apps and software". I honestly find this dangerous
>>>>> for OWASP reputation. Even when we can set all sorts of disclaimers that we
>>>>> cannot "guarantee" that the labeling means the app is actually secure, if a
>>>>> breach happened with that app, OWASP will be associated with that security
>>>>> breach.
>>>>>
>>>>> Regards
>>>>>
>>>>> Johanna
>>>>>
>>>>>
>>>>>
>>>>>
>>>>> On Sat, Aug 23, 2014 at 4:10 PM, Luis Enriquez <
>>>>> luis.enriquez at owasp.org> wrote:
>>>>>
>>>>>> Dear Community,
>>>>>>
>>>>>> I have been working on the OWASP Labeling System Project for the
>>>>>> last 5 months. It is a different kind of project as there are some legal
>>>>>> issues involved, such as security and privacy clauses. I need some
>>>>>> feedback from the "old and well known" OWASP members in order to confirm
>>>>>> if this is the right orientation.
>>>>>>
>>>>>> As there is no OWASP Project manager at the moment, and the community
>>>>>> is changing the board members, I just don't know who to contact.
>>>>>>
>>>>>> I still believe it is a good project, and OWASP the right community
>>>>>> for developing such idea.
>>>>>>
>>>>>> https://www.owasp.org/index.php/OWASP_Security_Labeling_System_Project
>>>>>>
>>>>>> best,
>>>>>>
>>>>>> --
>>>>>> Luis Enriquez
>>>>>>
>>>>>>
>>>>>> _______________________________________________
>>>>>> OWASP-Leaders mailing list
>>>>>> OWASP-Leaders at lists.owasp.org
>>>>>> https://lists.owasp.org/mailman/listinfo/owasp-leaders
>>>>>>
>>>>>>
>>>>>
>>>>
>>>>
>>>> --
>>>> Luis Enriquez
>>>> (LLM,MD,CEH,CHFI)
>>>>
>>>
>>>
>>>
>>>
>>
>
>
>
>


-- 
Luis Enriquez
(LLM,MD,CEH,CHFI)