[Owasp-webcert] OWASP Evaluation and Certification Criteria

Brian Chess brian at fortifysoftware.com
Fri Aug 10 10:53:12 EDT 2007

Are there lessons from your CC experience that seem relevant here?  Either
things that worked pretty well that we should seek to emulate or pitfalls we
have to avoid?


From: Jeff Williams <jeff.williams at owasp.org>
Organization: The OWASP Foundation
Reply-To: <jeff.williams at owasp.org>, <owasp-webcert at lists.owasp.org>
Date: Wed, 8 Aug 2007 23:03:02 -0700
To: <owasp-webcert at lists.owasp.org>
Conversation: [Owasp-webcert] OWASP Evaluation and Certification Criteria
Subject: Re: [Owasp-webcert] OWASP Evaluation and Certification Criteria

When the criteria and evaluation scheme get to the point  where we need to
certify auditors, the OWASP Foundation can hire people to do that.  We don't
need to make a lot of money from the service, so the costs to the auditing
organizations just need to cover our expenses.  FYI, at Arca, Dave and I
helped to create the first TTAP Lab (which became a CC Lab after we helped
get the CC established).


From: owasp-webcert-bounces at lists.owasp.org
[mailto:owasp-webcert-bounces at lists.owasp.org] On Behalf Of Brian Chess
Sent: Wednesday, August 08, 2007 4:17 PM
To: owasp-webcert at lists.owasp.org
Subject: Re: [Owasp-webcert] OWASP Evaluation and Certification Criteria
Hi Mark,
I like the direction you're headed, and I hope to make use of the final
result.  At the same time, I'm not sure I completely understand all of what
you're driving at, so perhaps some of the following criticism stems from my
lack of understanding.  If that's the case, then maybe I'm just pointing out
places where the document is open to misinterpretation.

Here goes:

- Would E-bay be adequately secure if it complied with the extended
criteria?  Since the criteria don't say anything about what's required to
run a fair and legal auction, I have to think E-Bay needs to do more than
you specify.  For that reason, it seems like you're defining a minimum set
of requirements.  Auditors and security-conscious organizations might like
to extend that set with their own more specific requirements, in which case
there will be a lot of value in the format you define in addition to the
security requirements you establish.

- At the same time, it is feasible that an application need not meet all of
the specified criteria in order to be adequately secure.  (Do I need SSL if
the application can only be accessed through a VPN?)  For this reason, I can
imagine that people would want to say "I'm compliant with the OWASP basic
requirements minus the following set (x, y, z)."  This is where specs like
PCI get kind of fuzzy, but without some way to specify a set of security
requirements, people are likely to throw up their hands and say "that OWASP
thing just doesn't apply to me."   I could imagine defining something along
the lines of a CC protection profile and then trying to popularize a small
number of profiles.  Essentially you've already started to do that by
defining "basic" and "extended".

- From the sound of it, OWASP is going to be a certifying body for auditors.
It will also manage the exception process and process applications for Gold
Certificate status.  That sounds like a lot of work and a lot of
coordination.  I think OWASP has done some great stuff, but it hasn't done
anything even close to this before.  Further, these kinds of activities are
typically not the kinds of things that loosely coupled volunteer-driven
organizations excel at.
- I think I'd benefit a lot from more examples in the document.  I can see
that it's part of your plan to add some, so I suppose I'm just voting for
doing those sooner rather than later.

Looking over my notes, my overall suggestion is that you reduce the scope
of this initial effort.  Establishing the long term vision is important, but
revealing the path that will get us started is perhaps equally important.


From: Mark Curphey <mark at curphey.com>
Reply-To: <owasp-webcert at lists.owasp.org>
Date: Sun, 5 Aug 2007 09:11:25 -0700
To: <owasp-webcert at lists.owasp.org>
Conversation: [Owasp-webcert] OWASP Evaluation and Certification Criteria
Subject: [Owasp-webcert] OWASP Evaluation and Certification Criteria

For those that want to see some progress attached is the latest draft.

1. Remember the idea is to build a template from which we can derive
individual Evaluation and Certification Criteria or indeed a complete
scheme. What you see is the template from which we will "configure" a
reference implementation. This approach is scalable and I have heard from a
few of you off-line that you really like this and a few banks plan to adopt
it which is great news! This will allow Big Co X or Big Co Y to choose their
password quality or link to their own secure code standards without being
constrained by a generic lowest common denominator approach but agreeing on
the big ticket items. The idea is not to cover every possible thing.

2. Authorization - I need some help with this. What do we need to define?

I plan to complete the Process and People parts tomorrow and then configure
the reference implementation. This will be the one with tangible values and
not the cut and paste <insert here>.

Please don't waste time on detailed feedback (especially for grammar) BUT I
would like commentary and feedback on the topics included in Technology and
Process. Are there any missing?

Note: This has highlighted that there is a need for a great deal of
supporting material such as secure coding standards and detailed How To Test
for specific issues. This is both an issue and an opportunity for OWASP to
pull together various projects in a cohesive way.

Owasp-webcert mailing list
Owasp-webcert at lists.owasp.org
