[Owasp-leaders] OWASP released Statement on the Security of the Internet - share the news with your chapters and in your countries

Tobias tobias.gondrom at owasp.org
Wed Jan 29 12:10:49 UTC 2014

Hi dear fellow chapter and project leaders,

As you might already know, we finally released it. After receiving your
feedback over the last few weeks, with more than 90% in favour of OWASP
making a statement, and the last reviews here on the list, it has
finally been released to the media. Please feel free to share with
your chapters, peers, on Twitter, LinkedIn, etc. and with the media in
your countries.


  OWASP Statement on the Security of the Internet

The OWASP (Open Web Application Security Project, www.owasp.org)
community cares deeply about how much people can trust commonly used
Internet services and the applications that provide and use these
services. The reports about large-scale intelligence activities
targeting Internet communication and applications and possible attempts
to undermine cryptographic algorithms leave us deeply concerned. We knew
about the interception of targeted individuals and other monitoring
activities; however, the scale of recently reported activities and the
possibility of active undermining of the security of deployed
applications are alarming.

Of course, it is hard to know for sure from current reports which attack
techniques may be in use and which secret agreements may be in place. As
such, it is not so easy to comment on the specifics from an OWASP
perspective. OWASP has long-standing general principles that we can talk
about, and address some of the actions we are taking.

Our mission is to make application security visible so that people and
organizations can make informed decisions about application security risks.

  * We strongly believe trustworthy secure software and applications are
    an important cornerstone of human society and interactions of all
    people around the world.

  * We strongly believe that people, companies and governments must
    protect software security and must not intentionally weaken software
    security, security standards, or undermine the security of
    cryptographic algorithms.

  * We strongly believe that people, companies and governments must not
    intentionally introduce defects or vulnerabilities (or secret
    back-doors) compromising the security, trust and integrity of
    software and applications.

We think it is also important to point out that if vulnerabilities are
introduced by people, governments or corporations to enable monitoring,
this will not only have adverse effects on freedom and trust within
human society, but sooner or later these vulnerabilities and weaknesses
will also be found and exploited by malicious actors and criminals.
Furthermore, the general population and companies will then be left
without protection against these actors, undermining the very
foundations of many software applications that support our daily lives,
and with potentially world-wide catastrophic consequences.

The OWASP community wants to help build secure and deployable systems
for all Internet users. Addressing security and new vulnerabilities has
been the key strength of the OWASP community for more than a decade and
technology alone is not the only factor. Education, operational
practices, laws, and other similar factors also matter. We see the
recent news and developments as a challenge, inspiring us to stand by
our principles and work harder and do more to make the web and
applications more secure. Eoin Keary, OWASP board member, pointed out:
"OWASP cannot stand by and let the erosion of security occur; it is
against our mission." We are confident that the OWASP community can do
its part and we believe that OWASP security recommendations and tools,
if used more widely, can help.

We should seize this opportunity to take a look at what we can do better
going forward; not only think about all this just in light of the recent
revelations. The security and privacy of the Internet in general is
still a major challenge, even ignoring recent intelligence activities.
Lessons can be drawn from the above that will be generally useful in
many ways for years to come. And Tobias Gondrom, OWASP board member,
voiced the hope that "perhaps this year's discussions can be the
inspiring spark to motivate the world to become more security aware,
address open issues and move from "insecure by default" to "secure by

Publicity and motivation are important, too. There is plenty to do for
all of us, from users enabling additional security features to security
experts, companies and governments ensuring that their users, products,
services and applications are secure. OWASP is an open community and we
invite everyone interested in working on this area to rise to this
challenge and contribute to the analysis and develop ideas in this area
together for our common future.

All the best and thanks a lot for your initiative and all the great
work, Tobias

Tobias Gondrom
OWASP Global Board Member
email: tobias.gondrom at owasp.org
mobile: +852 56002975
mobile: +44 7521003005
skype: tgondrom
twitter: @tgondrom
