[Owasp_top_10_privacy_risks_project] Owasp_top_10_privacy_risks_project Digest, Vol 4, Issue 1

Frank LeSieur mail at lesieurlaw.com
Sun Nov 2 14:52:30 UTC 2014


Thanks for all the excellent information. I have been passively following
all developments with a high level of interest.  Great job.

On 2014-11-02, 8:00 AM,
"owasp_top_10_privacy_risks_project-request at lists.owasp.org"
<owasp_top_10_privacy_risks_project-request at lists.owasp.org> wrote:

>Send Owasp_top_10_privacy_risks_project mailing list submissions to
>	owasp_top_10_privacy_risks_project at lists.owasp.org
>
>To subscribe or unsubscribe via the World Wide Web, visit
>	https://lists.owasp.org/mailman/listinfo/owasp_top_10_privacy_risks_project
>
>or, via email, send a message with subject or body 'help' to
>	owasp_top_10_privacy_risks_project-request at lists.owasp.org
>
>You can reach the person managing the list at
>	owasp_top_10_privacy_risks_project-owner at lists.owasp.org
>
>When replying, please edit your Subject line so it is more specific
>than "Re: Contents of Owasp_top_10_privacy_risks_project digest..."
>
>
>Today's Topics:
>
>   1. Re: OWASP Top 10 Privacy Risks presented at IPEN in Berlin /
>      Description available (Colin Watson)
>   2. Re: OWASP Top 10 Privacy Risks presented at IPEN in Berlin /
>      Description available (Lukasz Olejnik)
>
>
>----------------------------------------------------------------------
>
>Message: 1
>Date: Sat, 1 Nov 2014 12:00:07 +0000
>From: Colin Watson <colin.watson at owasp.org>
>To: Florian Stahl <florian.stahl at owasp.org>
>Cc: owasp_top_10_privacy_risks_project at lists.owasp.org
>Subject: Re: [Owasp_top_10_privacy_risks_project] OWASP Top 10 Privacy
>	Risks presented at IPEN in Berlin / Description available
>Message-ID:
>	<CAAxdBBnBCpHnQ5SToZyGvSmWJMLp5nQDJUkjkS=0B42uApDv4Q at mail.gmail.com>
>Content-Type: text/plain; charset=UTF-8
>
>Florian
>
>Congratulations on the recent activities.
>
>Thank you for the additional explanation about P6.
>
>P9/P10
>======
>
>But I was also wondering about P9 and P10:
>
>   P9   - Missing or insufficient Session Expiration
>   P10 - Insecure Data Transfer
>
>Aren't these already part of "P1 - Web Application Vulnerabilities",
>which is described as "This risk also encompasses the OWASP Top 10 List
>of web application vulnerabilities and the risks resulting from
>them."?  If not, how are P9 and P10 different please?
>
>
>Project Name/Label
>===============
>
>This is web application privacy risks. Could there be a mobile app
>version too? I wonder if it is different?
>
>
>Use of OWASP Mailing List
>=====================
>
>CCing this to the project mailing list, as the original message wasn't
>sent there.
>
>Also, I asked a question on the mailing list in August:
>
>   http://lists.owasp.org/pipermail/owasp_top_10_privacy_risks_project/2014-August/000002.html
>
>It was never replied to. I don't mind being ignored ;-) but wondered
>is there some other place we are meant to contribute and share (e.g.
>ZAP uses a Google Group)?  If so, can you set an auto-responder on the
>OWASP mailing list to say it is not used please.
>
>
>Regards
>
>Colin
>
>On 1 November 2014 08:25, Florian Stahl <florian.stahl at owasp.org> wrote:
>> Dear members of the OWASP Top 10 Privacy Risks project,
>>
>> I just want to inform you about recent activities:
>>
>> The initial presentation of our Top 10 Privacy Risks took place at the
>> first IPEN workshop in Berlin. Read about it in the IAPP blog
>> We created a description of our Top 10 Risks. Thanks to Lukasz Olejnik
>> from Inria Privatics and Tim Gough from the Guardian for their support.
>> Feel free to send feedback.
>> We updated the title of P6 (former Collection of data not required for
>> the user-consented purpose) to "Collection of data not required for
>> primary purpose" for better understanding and improved English.
>> Now we aim to reach the status of an OWASP Lab project which represents
>> projects that have produced an OWASP reviewed deliverable of value
>>
>> Next presentations of our project will be on 9 December at the German
>> OWASP Day in Hamburg and at the IAPP Global Privacy Summit in Washington
>> DC (4-6 March 2015). Let me know if you will be there.
>>
>> Have a good weekend,
>> Florian
>>
>> --
>>
>> Project Leader OWASP Top 10 Privacy Risks
>> Lead Consultant msg systems
>> Munich / Germany
>>
>> Project: https://www.owasp.org/index.php/OWASP_Top_10_Privacy_Risks_Project
>> Company: www.msg-systems.com
>> Blog: www.securitybydesign.de
>>
>>
>
>
>------------------------------
>
>Message: 2
>Date: Sat, 1 Nov 2014 17:09:45 +0100 (CET)
>From: Lukasz Olejnik <lukasz.olejnik at inria.fr>
>To: Colin Watson <colin.watson at owasp.org>
>Cc: owasp top 10 privacy risks project
>	<owasp_top_10_privacy_risks_project at lists.owasp.org>,	Florian Stahl
>	<florian.stahl at owasp.org>
>Subject: Re: [Owasp_top_10_privacy_risks_project] OWASP Top 10 Privacy
>	Risks presented at IPEN in Berlin / Description available
>Message-ID: <948777361.6625428.1414858185832.JavaMail.zimbra at inria.fr>
>Content-Type: text/plain; charset=ISO-8859-1
>
>Dear Colin,
>
>I will take the privilege and answer some of the concerns.
>
>Privacy problems are often intertwined.
>
>P9 is slightly different from P1. P1 refers to insecurity and is more
>general. However, P9 allows the collection (aggregation) of user data for
>a potential later use and is not strictly related to security. My
>understanding is that in a survey, people addressed some past media
>coverage of these kinds of problems. I respect the opinion from the
>survey, although I am not fully sure if having this particular problem as
>a separate number on the list is truly justified. That said, it's good we
>have at least some "mediums" ;)
>
>That said, I extensively discussed overlaps with Florian, as there appear
>to be some more evident examples (e.g. P4 and P8 are somewhat redundant
>and could be simplified into one point, same for P10 and P1
>["insecurity"]). As said, we did discuss it with Florian and agreed that
>any changes at this point are possible, but in the next revision of the
>list (update). In this case I am looking forward to working on that.
>
>Best,
>Lukasz
>
>
>
>
>
>------------------------------
>
>_______________________________________________
>Owasp_top_10_privacy_risks_project mailing list
>Owasp_top_10_privacy_risks_project at lists.owasp.org
>https://lists.owasp.org/mailman/listinfo/owasp_top_10_privacy_risks_project
>
>
>End of Owasp_top_10_privacy_risks_project Digest, Vol 4, Issue 1
>****************************************************************