[Owasp-webcert] OWASP Evaluation and Certification Criteria
mark at curphey.com
Thu Aug 9 05:41:01 EDT 2007
Thanks for the feedback. Brilliant and very well received. See inline.
From: owasp-webcert-bounces at lists.owasp.org
[mailto:owasp-webcert-bounces at lists.owasp.org] On Behalf Of Brian Chess
Sent: Wednesday, August 08, 2007 10:17 PM
To: owasp-webcert at lists.owasp.org
Subject: Re: [Owasp-webcert] OWASP Evaluation and Certification Criteria
I like the direction you're headed, and I hope to make use of the final
result. At the same time, I'm not sure I completely understand all of what
you're driving at, so perhaps some of the following criticism stems from my
lack of understanding. If that's the case, then maybe I'm just pointing out
places where the document is open to misinterpretation.
- Would eBay be adequately secure if it complied with the extended
criteria? Since the criteria don't say anything about what's required to
run a fair and legal auction, I have to think eBay needs to do more than
you specify. For that reason, it seems like you're defining a minimum set
of requirements. Auditors and security-conscious organizations might like
to extend that set with their own more specific requirements, in which case
there will be a lot of value in the format you define in addition to the
security requirements you establish.
Curphey > I certainly see your point but isn't there a separation between
the security of the application and the functionality of the business
- At the same time, it is feasible that an application need not meet all of
the specified criteria in order to be adequately secure. (Do I need SSL if
the application can only be accessed through a VPN?) For this reason, I can
imagine that people would want to say "I'm compliant with the OWASP basic
requirements minus the following set (x, y, z)." This is where specs like
PCI get kind of fuzzy, but without some way to specify a set of security
requirements, people are likely to throw up their hands and say "that OWASP
thing just doesn't apply to me." I could imagine defining something along
the lines of a CC protection profile and then trying to popularize a small
number of profiles. Essentially you've already started to do that by
defining "basic" and "extended".
Curphey> I think this is a key point and well worth the debate. I think it's
fundamental to why compliance is often just a check box and not a valuable
exercise. The requirements aren't flexible or specific, two things which
clearly are bi-polar. The concept being proposed (and remember I am trying
to put forward a proposal on which we can all sit around a table at the next
OWASP Conference and plot a roadmap for) is for an exceptions process. In
this case if the app was only available via VPN the auditor could apply for
an exception. This way we deal with edge cases with flexibility but don't
lower the general requirements to the lowest common denominator. I am
totally open to other ways of doing it but want to avoid the lowest common
denominator approach if at all possible.
- From the sound of it, OWASP is going to be a certifying body for auditors.
It will also manage the exception process and process applications for Gold
Certificate status. That sounds like a lot of work and a lot of
coordination. I think OWASP has done some great stuff, but it hasn't done
anything even close to this before. Further, these kinds of activities are
typically not the kinds of things that loosely coupled volunteer-driven
organizations excel at.
Curphey> No, this is just a proposal for how it should/could be done, i.e.
what that process would look like to support the structure and concept of
the criteria. There is no talk at this point of OWASP taking that on board,
although of course it could.
- I think I'd benefit a lot from more examples in the document. I can see
that it's part of your plan to add some, so I suppose I'm just voting for
doing those sooner rather than later.
Curphey> I am on this. The next draft will probably be next week.
Looking over my notes, my overall suggestion is that you reduce the scope
of this initial effort. Establishing the long-term vision is important, but
revealing the path that will get us started is perhaps equally important.
From: Mark Curphey <mark at curphey.com>
Reply-To: <owasp-webcert at lists.owasp.org>
Date: Sun, 5 Aug 2007 09:11:25 -0700
To: <owasp-webcert at lists.owasp.org>
Conversation: [Owasp-webcert] OWASP Evaluation and Certification Criteria
Subject: [Owasp-webcert] OWASP Evaluation and Certification Criteria
For those that want to see some progress, attached is the latest draft.
1. Remember the idea is to build a template from which we can derive
individual Evaluation and Certification Criteria or indeed a complete
scheme. What you see is the template from which we will "configure" a
reference implementation. This approach is scalable and I have heard from a
few of you off-line that you really like this and a few banks plan to adopt
it which is great news! This will allow Big Co X or Big Co Y to choose their
password quality or link to their own secure code standards without being
constrained by a generic lowest common denominator approach but agreeing on
the big ticket items. The idea is not to cover every possible thing.
2. Authorization - I need some help with this. What do we need to define?
I plan to complete the Process and People parts tomorrow and then configure
the reference implementation. This will be the one with tangible values and
not the cut and paste <insert here>.
Please don't waste time on detailed feedback (especially for grammar) BUT I
would like commentary and feedback on the topics included in Technology and
Process. Are there any missing?
Note: This has highlighted that there is a need for a great deal of
supporting material such as secure coding standards and detailed How To Test
for specific issues. This is both an issue and an opportunity for OWASP to
pull together various projects in a cohesive way.