[Owasp-webcert] OWASP Evaluation and Certification Criteria
jeff.williams at owasp.org
Thu Aug 9 02:03:02 EDT 2007
When the criteria and evaluation scheme get to the point where we need to
certify auditors, the OWASP Foundation can hire people to do that. We don't
need to make a lot of money from the service, so the costs to the auditing
organizations just need to cover our expenses. FYI, at Arca, Dave and I
helped to create the first TTAP Lab (which became a CC Lab after we helped
get the CC established).
From: owasp-webcert-bounces at lists.owasp.org
[mailto:owasp-webcert-bounces at lists.owasp.org] On Behalf Of Brian Chess
Sent: Wednesday, August 08, 2007 4:17 PM
To: owasp-webcert at lists.owasp.org
Subject: Re: [Owasp-webcert] OWASP Evaluation and Certification Criteria
I like the direction you're headed, and I hope to make use of the final
result. At the same time, I'm not sure I completely understand all of what
you're driving at, so perhaps some of the following criticism stems from my
lack of understanding. If that's the case, then maybe I'm just pointing out
places where the document is open to misinterpretation.
- Would E-bay be adequately secure if it complied with the extended
criteria? Since the criteria don't say anything about what's required to
run a fair and legal auction, I have to think E-Bay needs to do more than
you specify. For that reason, it seems like you're defining a minimum set
of requirements. Auditors and security-conscious organizations might like
to extend that set with their own more specific requirements, in which case
there will be a lot of value in the format you define in addition to the
security requirements you establish.
- At the same time, it is feasible that an application need not meet all of
the specified criteria in order to be adequately secure. (Do I need SSL if
the application can only be accessed through a VPN?) For this reason, I can
imagine that people would want to say "I'm compliant with the OWASP basic
requirements minus the following set (x, y, z)." This is where specs like
PCI get kind of fuzzy, but without some way to specify a set of security
requirements, people are likely to throw up their hands and say "that OWASP
thing just doesn't apply to me." I could imagine defining something along
the lines of a CC protection profile and then trying to popularize a small
number of profiles. Essentially you've already started to do that by
defining "basic" and "extended".
- From the sound of it, OWASP is going to be a certifying body for auditors.
It will also manage the exception process and process applications for Gold
Certificate status. That sounds like a lot of work and a lot of
coordination. I think OWASP has done some great stuff, but it hasn't done
anything even close to this before. Further, these kinds of activities are
typically not the kinds of things that loosely coupled volunteer-driven
organizations excel at.
- I think I'd benefit a lot from more examples in the document. I can see
that it's part of your plan to add some, so I suppose I'm just voting for
doing those sooner rather than later.
Looking over my notes, my over-all suggestion is that you reduce the scope
of this initial effort. Establishing the long term vision is important, but
revealing the path that will get us started is perhaps equally important.
From: Mark Curphey <mark at curphey.com>
Reply-To: <owasp-webcert at lists.owasp.org>
Date: Sun, 5 Aug 2007 09:11:25 -0700
To: <owasp-webcert at lists.owasp.org>
Conversation: [Owasp-webcert] OWASP Evaluation and Certification Criteria
Subject: [Owasp-webcert] OWASP Evaluation and Certification Criteria
For those that want to see some progress attached is the latest draft.
1. Remember the idea is to build a template from which we can derive
individual Evaluation and Certification Criteria or indeed a complete
scheme. What you see is the template from which we will "configure" a
reference implementation. This approach is scalable and I have heard from a
few of you off-line that you really like this and a few banks plan to adopt
it which is great news! This will allow Big Co X or Big Co Y to choose their
password quality or link to their own secure code standards without being
constrained by a generic lowest common denominator approach but agreeing on
the big ticket items. The idea is not to cover every possible thing.
2. Authorization - I need some help with this. What do we need to define
I plan to complete the Process and People parts tomorrow and then configure
the reference implementation. This will be the one with tangible values and
not the cut and paste <insert here>.
Please don't waste time on detailed feedback (especially for grammar) BUT I
would like commentary and feedback on the topics included in Technology and
Process. Are there any missing?
Note: This has highlighted that there is a need for a great deal of
supporting material such as secure coding standards and detailed How To Test
for specific issues. This is both an issue and an opportunity for OWASP to
pull together various projects in a cohesive way.
-------------- next part --------------
An HTML attachment was scrubbed...
More information about the Owasp-webcert