[OWASP-TESTING] Web application security consortium?

Mark Curphey mark.curphey at foundstone.com
Wed Mar 17 18:06:00 EST 2004

It is essentially the scanning vendors as far as we can tell and hear. For context you have to understand the politics and history, so let me explain a little bit of it without getting into the nitty gritty personal stuff. What OWASP does, and why it is so well respected among the banks and companies that use our work, is to cut through the BS and tell the truth about web security issues. IMHO this is generally not in the best interest of the scanning vendors or pure pen test companies, as they are marketing their technology or services as a silver bullet. We know that a few of them have lost significant software sales deals when the client tested their tools against OWASP WebGoat. I was told one deal was a million dollars.

Take this project as an example of our work. Many of us make money from pen testing (me included) and it is easy to write a biased doc that promotes what we do rather than what we know people should be doing. OWASP is able to take the high ground. This is a truly unique thing that gets the respect of people.

Jeremiah (who runs webappsec) was involved with OWASP in the early days, but we parted company very early on with a difference in direction and motivation. He has tried to create other OWASP-type projects in the past at community.whitehatsec.com, which is no longer in action. The individual who owns that domain once registered owasp.com and held us to ransom! They also tried to have me removed from moderating webappsec, but that's one for a beer in NYC!

I have spoken to a few of the people on the Web Security Consortium (including a few "Charter members") who said they have no real idea of what it is apart from a group that they were asked to join and they saw no downside. I can tell you that their intention to create secure coding standards caused quite a stir, and there is a queue of heavyweights (real heavyweights) waiting for them to publish anything that is remotely biased towards blackbox testing or scanning tools. It's not that they are *totally* useless, but that they are a smaller part of a big picture.

Their intent to publish a classification scheme also conflicts with what we are doing at OASIS WAS (although a scanning vendor classification scheme will obviously be crushed by a true standards body scheme that they all intend to support anyway). Not sure of the real idea there.

I am sure many of you will be approached or asked to work on this project in due course. My personal feeling is that OWASP needs to keep focused people with the right philosophy on the project, and while OWASP is open to all, it MAY not be appropriate to have people who are also working on projects that are not complementary and in cases downright negative to or about our work. Life is too short to deal with the stuff we had to in the past (we kept it off the lists). I want to keep on staying focused, and the thing I love about OWASP today is that we don't have to question anyone's motivation or judgment and can truly enjoy the people we work with. We will make sure we keep that mantra. I used to get enough politics and back stabbing in my work life (don't know thanks to Foundstone) and don't need it in my down time (OWASP).

I know we don't need to justify the respect thing, but just take a look at the Federal Trade Commission's recommendation and the email from Visa that I will forward on next.

FYI we are forming a steering committee and the official OWASP Foundation this summer, along with very positive changes to get better organized and grow even more. There is commitment so far from 6 major financial services companies in the US to be a part of that steering committee. Big names. Big names! That is real credibility! The pen test checklist we have been bashing about will be used by those banks to acquire services and judge their own testing. This is something no vendor-driven group could ever achieve. I would like to see Visa (and I think they will) also adopt the OWASP Checklist as a form of vendor certification. With the OWASP conference in NYC (and now one also likely to happen in London in November), Testing 1, Guide 2 and ISO17799 due before summer, I think this will be a great year for OWASP. The steering committees and official support of these organizations will drive our credibility still further.

So in short, I think orgs like the Web Security Consortium have a place to play in the overall industry, but they are probably all the more reason why OWASP is more important today than when we started it.

As Agent Scully said, the truth is out there!

Snip from mail today:

I work with the Visa Cardholder Information Security Program which requires program adherence for merchants and service providers that process, store, or transmit Visa cardholder data. Details of our program are available at www.visa.com/cisp, and of specific interest may be our Security Audit Procedures and Reporting document under the Service Provider tab (tab is about 1/3 of the way down the page). This is the detailed audit procedures we require our assessors to use to validate CISP compliance.

We work with many compromised entities, and as you may guess, find that many of these entities have flawed web application software. I am updating the audit procedures mentioned above with details about web application security and want to rely, quote, and excerpt from your "The Ten Most Critical Web Application Security Vulnerabilities" document and related OWASP documents. I think this is ok based on your copyright permission statement on the bottom of the cover page, but wanted to confirm that and find out how you prefer I include the attribution to OWASP. Please let me know if this is ok, if there are any guidelines, and how best to do this. Thanks.

Lauren Holloway, CISSP, CISA, CISM
Cardholder Information Security Program
Visa U.S.A.
901 Metro Center, M3-4A
Foster City, CA 94404


	-----Original Message----- 
	From: daniel at deeper.co.za [mailto:daniel at deeper.co.za] 
	Sent: Wed 3/17/2004 7:22 AM 
	To: owasp-testing at lists.sourceforge.net 
	Subject: [OWASP-TESTING] Web application security consortium?

	Does anyone know what http://www.webappsec.org/ will be doing?
	It seems to me like it's more a commercial version of
