[Owasp-ottawa] Fwd: [Owasp-leaders] OWASP Statement on the Security of the Internet

Sherif Koussa sherif.koussa at owasp.org
Tue Jan 28 20:40:42 UTC 2014

OWASP's statement on the Security of the Internet. Don't forget to register
for the yearly planning event on February 3rd.

Please read and comment here


---------- Forwarded message ----------
From: Sarah Baso <sarah.baso at owasp.org>
Date: Tue, Jan 28, 2014 at 3:12 PM
Subject: [Owasp-leaders] OWASP Statement on the Security of the Internet
To: owasp-leaders at lists.owasp.org
Cc: OWASP Foundation Board List <owasp-board at lists.owasp.org>

The OWASP (Open Web Application Security Project, www.owasp.org) community
cares deeply about how much people can trust commonly used Internet
services and the applications that provide and use these services. The
reports about large-scale intelligence activities targeting Internet
communication and applications and possible attempts to undermine
cryptographic algorithms leave us deeply concerned. We knew about the
interception of targeted individuals and other monitoring activities;
however, the scale of recently reported activities and the possibility of
active undermining of the security of deployed applications are alarming.

Of course, it is hard to know for sure from current reports which attack
techniques may be in use and which secret agreements may be in place. As
such, it is not so easy to comment on the specifics from an OWASP
perspective. OWASP has long-standing general principles that we can talk
about, and we can address some of the actions we are taking.

Our mission is to make application security visible so that people and
organizations can make informed decisions about application security risks.

   - We strongly believe trustworthy secure software and applications are
   an important cornerstone of human society and interactions of all people
   around the world.
   - We strongly believe that people, companies and governments must
   protect software security and must not intentionally weaken software
   security, security standards, or undermine the security of cryptographic
   - We strongly believe that people, companies and governments must not
   intentionally introduce defects or vulnerabilities (or secret back-doors)
   compromising the security, trust and integrity of software and

We think it is also important to point out that if vulnerabilities are
introduced by people, governments or corporations to enable monitoring,
this will not only have adverse effects on freedom and trust within human
society, but sooner or later these vulnerabilities and weaknesses will also
be found and exploited by malicious actors and criminals. Furthermore, the
general population and companies will then be left without protection
against these actors, undermining the very foundations of many software
applications that support our daily lives, and with potentially world-wide
catastrophic consequences.

The OWASP community wants to help build secure and deployable systems for
all Internet users. Addressing security and new vulnerabilities has been
the key strength of the OWASP community for more than a decade, and
technology is not the only factor. Education, operational practices,
laws, and other similar factors also matter. We see the recent news and
developments as a challenge, inspiring us to stand by our principles and
work harder and do more to make the web and applications more secure. Eoin
Keary, OWASP board member, pointed out: "OWASP cannot stand by and let the
erosion of security occur; it is against our mission." We are confident
that the OWASP community can do its part and we believe that OWASP security
recommendations and tools, if used more widely, can help.

We should seize this opportunity to take a look at what we can do better
going forward, rather than thinking about all this only in light of the
recent revelations. The security and privacy of the Internet in general is still a
major challenge, even ignoring recent intelligence activities. Lessons can
be drawn from the above that will be generally useful in many ways for
years to come. And Tobias Gondrom, OWASP board member, voiced the hope
that "perhaps this year's discussions can be the inspiring spark to
motivate the world to become more security aware, address open issues and
move from 'insecure by default' to 'secure by default'."

Publicity and motivation are important, too. There is plenty to do for all
of us, from users enabling additional security features to security
experts, companies and governments ensuring that their users, products,
services and applications are secure. OWASP is an open community and we
invite everyone interested in working on this area to rise to this
challenge and contribute to the analysis and develop ideas in this area
together for our common future.

This statement has also been posted here:
