OWASP Brasil Manifesto/en

=Web Security - A Window of Opportunity= An open letter from OWASP Brazil to the Brazilian Government

Executive Summary
OWASP (Open Web Application Security Project) is a global and open community focused on improving the security of software systems and has chapters in several Brazilian cities. This document presents the vision of the Brazilian OWASP community on how the Brazilian government can act to improve security on the Internet.

In this paper, we present suggestions and recommendations regarding public policy, legislation and other activities that we believe could contribute to improving the security environment in the Brazilian Internet.

The recommendations are divided according to the focus of each agency:
 * legislators
 * consumer protection bodies
 * control and audit bodies
 * teaching and research entities
 * all public bodies

The recommendations do not have dependencies on each other, but we believe that maximum efficiency occurs with the implementation of all recommendations. Improving security in the Brazilian Internet could bring several advantages for the country, such as the attraction of investment, training of the workforce and the development of an industry capable of exporting products and services with high added value.

Brazilian experts that participate in OWASP are willing to contribute to the country to move in the right direction and may serve as an advisory body or liaison with foreign experts if necessary. The OWASP non-profit and all specialists involved are volunteers�.

Web Insecurity
The Internet is now a reality in the lives of most people, as shown by the statistics of numbers of users. IBGE in 2009 indicated that 27.4% of Brazilian households had Internet access and 67.9 million people were users of Internet in the sameyear#.The surveys also indicate a rapid growth in the number of Internet users, with an increase of 112.9% between 2005 and 2009.

The Internet access methods also have diversified and now include everything from traditional telecenters and cybercafes to access via the cellular, as well as dialup and broadband. Thus, the range of users going from the casual user who accesses from a public computer to "always connected" users, accessing the computer or cell phone at all times and wherever they are.

Whatever the frequency or access method, it is undeniable that the Internet is now part of everyday life. Companies also increasingly rely on the Internet as a business tool. Even disregarding businesses that exist solely on the Internet, today is very difficult to find any organization that does not rely on the Internet in some way. With the advent of electronic invoice, the Internet gains even greater importance in day-to-day business.

Also, the Brazilian government has invested in the use of e-gov strategies, or electronic government, which consist in providing services to the population via the Internet. The most important example in this area is, without doubt, the Income Tax of Individuals, who in 2011 started to be accepted only in electronic format. Another example is the large-scale SISU - Unified Selection System of the Ministry of Education. Other services, while not available on the Internet, have similar characteristics and have the potential to stop the country as the Brazilian Payment System (SPB), maintained by the Central Bank.

The Judiciary also strides in its computerization and uses of the Internet to provide services to citizens. Examples are the widespread use of electronic processes# and judicial process monitoring over the web. Many courts are studying ways to enable joining documents and the opening of proceedings by electronic means, especially via the Internet.

In the aspect of communications, the Internet is also incorporated and also changed the routine of millions of people. The e-mail is almost as popular as the telephone. Instant messaging systems, such as MSN Messenger or Google Talk, are used by most of the population as tools for work or for leisure. Social networks like Facebook, Orkut or Twitter, are a reality in the lives of individuals and companies and gain importance as tools for community building and also for business.

Although it is becoming essential to society, the Internet is inherently an insecure infrastructure. Designed in the 1960s to withstand a nuclear attack, the Internet is able to continue operating even if a disaster occurs in the network. However, this infrastructure depends on a number of computer programs, called software.It is software that defines the rules for the operation of computers, routers and other components of the World Network. As in all human activity, software development is prone to errors. Mistakes in software can lead to failures, including security breaches. Laurence Lessig, a law professor at Harvard University, said that "Code is law", ie, the software is the law that governs the Internet. As a result, the "laws" governing the Internet are flawed and these flaws can cause problems for the security of users of the network.

Flaws in Internet security are common and usually part of the news. There are several cases reported by police of criminals who use the Internet to commit their crimes. In most cases, crimes are possible due to a lack of an adequate level of security in systems. Bank frauds are perhaps the greatest example of exploitation of security flaws, but other types of fraud sites and systems exist and can cause damage to the population.

The dependence of society on Internet services is such that the mere unavailability of some of these services (often caused by bad guys using techniques that exploit security holes in Internet infrastructure) is featured on the evening news, as the unavailability of large government systems (Denatran,# IRPF,SISU).#

CERT.br, the Centre for Studies, Response and Treatment of Security Incidents in Brazil, is the Brazilian Internet Steering Committee agency which collects information on attacks on the Brazilian Internet. The CERT.br statistics# show that the number of attacks to Brazilian Networks increased from 3107 in 1999 to 358,343 in 2009, an increase of 100 times in 10 years.

The state of Internet security is delicate and tends to worsen as society becomes increasingly dependent on this infrastructure. In an analogy with recent financial market crisis (subprime crisis in the housing market), we have a vibrant ecosystem of applications and Web sites whose base is not solid enough. The risk is real that tehe basis of this ecosystem can collapse, as happened with the financial market, and the consequences could be devastating for the whole society. As in the case of financial markets, solidifying the infrastructure is important and the cost is certainly lower than expected if there were a crisis before acting.

Brazil was far less affected by the subprime crisis than other countries because it already had built a solid foundation for its financial market. It's time to learn from this experience and prepare ourselves well in other important sectors of our economy and our daily lives.

�The OWASP Project
The OWASP (Open Web Application Security Project)# is a global community, focused on improving software security. There are over 180 local OWASP chapters in all regions of the globe, with six of them in Brazil, that bring together the world's leading experts in application security.

OWASP is an open community dedicated to empowering organizations to be able to conceive, develop, acquire, operate and maintain systems that are reliable. All tools, documents, forums, and sections of OWASP is free and open to anyone interested in improving application security.

OWASP is a new type of organization. Our freedom from commercial pressures allows us to provide unbiased, practical, cost-efective advice on application security. The OWASP is not affiliated with any technology company, while supporting the informed use of commercial security technology. As many open-source software projects, OWASP produces many types of materials in a collaborative and open manner.

The OWASP project has among its documents and important tools for maintaining the security of applications and also promotes important conferences in this area. All OWASP projects are published using free software licenses or Creative#Commons.

OWASP is a non-profit and its members participate in its activities voluntarily. All proceeds of the project come from donations and are used to support its activities and its infrastructure.

What can be done?
Given the importance of the topic, it is imperative that the Brazilian government acts to develop a market capable of producing software with a level of security appropriate to its usage and the criticality of information being processed or stored. Below, we list some recommendations of what can be done to improve the outlook for security software in Brazil.

We believe that the actions proposed here have the potential to improve the security of the systems used by millions of people and also to promote a thriving industry able to put Brazil among the world leaders, creating prosperity for the country.

For legislators
The current software market provides incentives that emphasize functionality over security. As a result, everyone ends up suffering from the lack of security that exists today in the Internet. It is necessary that the government acts to create incentives for the adoption of safe practices in systems development and for making accountable the people and organizations that do not properly address the security aspects of their applications.

Some suggested actions are:

Allow and encourage research on cyber attacks and defenses
The punishments to criminals are badly needed and the position taken by OWASP is not the creation of mechanisms for protection of activities that are illegal or harmful to society. However, OWASP realize that some initiatives to legislate on electronic crimes may also hamper legitimate activities and the research necessary for correctly addressing security vulnerabilities.

We believe that the legislation should focus on intent, criminalizing activities that aim to cause damage to society and enabling research activities that benefit society by creating knowledge crucial to the improvement of secure systems.

Require the publication of safety assessments
Disseminating information about security vulnerabilities is essential to enable society to protect itself from attacks that exploit these faults. Today we know that criminals involved in digital networks do exchange of information and have ample access to descriptions of failures and new attack techniques. In other words, criminals now have more access to information that the teams responsible for maintaining the security of network providers, companies or the government.

As with the aviation industry, where the failures are thoroughly investigated and the results of investigations are published, it is important that the flaws found in computer systems and the description of attacks suffered by organizations are widely disseminated, allowing the whole society to learn from the problems that occurred in order to evolve the security of systems on which we depend.

Create an agency to address the aspects of disclosure of security flaws
With the publication of laws requiring disclosure of security breaches, it is important to regulate this activity. We suggest the creation of a specialized government agency to regulate and manage the activities of exchanging information on security vulnerabilities in an ethical and responsible way, including the power to punish people and organizations that act in a manner harmful to society.

Require compliance with minimum security requirements in government contracts
The purchasing power of the State can not be ignored and must be used in favor of society. With respect to software security, the government can set minimum security criteria and require qualification and use of technical protection in systems provided to the government. An important aspect is the possibility of holding the suppliers accountable in case of failures in safety systems.

Making accountable organizations do not deal expeditiously with the security aspects of applications
Just as government suppliers, all organizations must be legally responsible for the security of systems that operate or sell. The legislation should provide for punishment to those organizations that fail to take adequate measures to ensure the security of their systems. The suppliers of the technologies used should also be objective and solidarily liable, similar to what defines the Code of Consumer Protection.

Require that the government have access to security updates for any software during its lifetime
It is imperative that the systems used by public agencies updated with all the security fixes, so they are not affected by known vulnerabilities. Thus, legislation is needed to determine that the government must have access to security fixes for systems that it employs for the duration of the useful life of these systems and regardless of the existence of maintenance contracts.

Require open sourcing of applications used by the government and whose lifetime has expired
It is quite common for software manufacturers to restrict the lifetime of their systems, mainly because of the release of new versions of these systems. At the end of life of a software, manufacturers stop publishing updates and security fixes, which increases the risk of organizations still relying on these versions.

It is also quite common in government agencies to keep using systems that have been abandoned by but manufacturers but that meet the needs of the public administration. Allowing the government to protect itself in case of failures in these systems requires the creation of legislation to compel manufacturers to make available the source code for these systems so that the government is able to perform the necessary maintenance, since the the manufacturer no longer maintains the system. The manufacturer may also choose to provide the most current version of the software, provided there is no cost to the government.

Eliminate software licenses which exempt manufacturers from liability for the security of their products
Many of the currently used software licenses restrict the liability of the manufacturer in case of software security flaws. It is important to have legislation that prevents a software manufacturer to escape liability for the safety of products it sells.

To avoid distortions in the software market, manufacturers' liability may be limited to the price paid by the system.

For consumer protection agencies
Our understanding is that the protection of customer information is part of the necessary practices of consumer protections, as well as to supply systems free of defects, especially defects that may compromise the security of its users. Thus, the agencies of consumer protection can and should act to improve the security landscape for consumers.

We suggest the following actions:

Act to restrict the use of abusive software licenses
This action is similar and complementary to the item "Eliminate software licenses which exempt manufacturers from liability for the security of their products, " described above.

Require manufacturers to disclose understandable information on the security level of their products or services
As with manufacturers of electrical and electronic goods that must disclose information on energy consumption of their products, the consumer has a right to know about the characteristics and level of security provided by computer systems it uses.

It is imperative to create a system that allows consumers to check the level of security provided as part of your buying decision making process. Such a system would reduce the perverse externalities of the software market and create incentives for producers of software to enhance the security of their products, and also abides to the Consumer Protection Code which, in its art.#31,determines that offers of goods or services must provide information about the risks posed to the security of consumers.

Require an adequate level of security for systems that deal with data that may affect the privacy of consumers or citizens
Many organizations collect data from their clients during their business relationships, but do not always protect data adequately. This requires the definition of minimum procedures for protection of information collected from consumers and the accountability of public or private organizations that do not adequately protect the information. The leaks of personal information should be punishable and should be widely disseminated. In particular, all those potentially affected by the leak should be alerted to the fact and its possible consequences.

Define that consumers should be informed of the possible uses of the data entered into systems or sites
Not only organizations must protect the data we collect from consumers, but consumers should know all the possible uses of information collected. It is therefore necessary that all public and private organizations have the obligation to disclose all possible uses for the data collected, including future uses. Any change in policy on the database must be informed in advance and explicitly accepted by consumers.

Establish security awareness campaigns for consumers
In addition to actions that require software makers to act responsibly toward consumers, it is also important to empower users of computer systems from the risks of using these systems.

Just as it is important to conduct awareness campaigns for traffic safety or control of diseases such as dengue, it is important to educate Internet users about the risks and attitudes that come from a increasingly connected world. Campaigns should address topics such as the risks of entering personal data in unknown sites or the care that each person should have with their personal computer to prevent it from becoming a weapon in the hands of cybercriminals.

For oversight agencies
Auditing bodies can and should demand from sectors that they govern the adoption of appropriate practices for application security. These bodies should establish regulations that favor the use of security techniques in systems development. Thus, the suggested actions are:

Clarify responsibilities with regard to security aspects of applications
Every organization should be responsible for the security of their systems and this should be clearly defined. Oversight bodies should, where possible, include the responsibility to maintain the security of information systems as part of their regulations. There must be provision for punishment in cases where there is adequate security systems.

Verify and audit to ensure that appropriate safety practices are adopted
Whenever possible, audits or checks must include items to assess whether the best practices of application security were properly adopted. We believe that audits are an opportunity to improve the practices adopted by organizations and oversight agencies should be prepared to require the maintenance of adequate levels of security in the systems of the auditees.

There are some models that can guide the practices of system security audit such as the SSE-CMM (Systems Security Engineering Capability Maturity Model)# or the OWASP ASVS (Application Security Verification Standard.)#

Insert the security aspects of applications in its regulations and / or sectorial recommendations
Many agencies publish regulations or oversight recommendations for the sectors they regulate. It is important that these regulations or recommendations include application security aspects and clearly indicate the need to include security requirements in contracts with suppliers.

Facilitate the creation of an insurance market for security applications
As accountability for failing to maintain appropriate levels of security is important, it is also important to create an insurance market for application security.

An insurance market allows the transfer of part of the security risks to an insurer, while it tends to increase insurance costs for entities that do not have a proper treatment of the security aspects of their systems. Along with accountability mechanisms, a properly functioning insurance market produces incentives for organizations to increase their security level.

Requiring the use of encrypted connections (SSL) for web applications
Many attacks exist today are only possible because some organizations do not use even the security mechanisms available. One such mechanism is the SSL protocol, which allows the encryption of data transmitted between the browser and web servers in the system safely, ensuring the confidentiality and authenticity of information.

Thus, a simple and effective measure to improve safety web systems is to require that data be transmitted securely over the Internet.

For research and teaching agencies
Training manpower is essential to move the country forward in an area closely linked to technology. To have an application security booming market, it is necessary to train an adequate contingent of experts in both the attack and defense aspects. The training of an adequate workforce should happen by the inclusion of the security area in the contents of the universities and also by the training of researchers able to devise new techniques and methodologies that advance this field of knowledge. An interaction of educational institutions and research with industry for the transfer of technologies and productization is also needed.

The suggested actions for education and research are:

Inclusion of best practices for application security in course contents
It is essential that all Information technology professionals are aware of basic security practices and the inclusion of such information in the university training is the best way of achieving this goal.

Students in primary and secondary schools must also learn about the dangers of the virtual world. At these education levels, the focus should be on the risks involved in using systems or websites like social networking or e-commerce sites. The ethical aspects of Internet use should also be emphasized.

Definition of advanced courses for training of manpower in the area
Besides the basic practices that must be known to all professionals, it is necessary to train specialists in software security for the country to develop a thriving security industry and generate wealth for the country.

To promote and fund research into Application Security
Generating knowledge in the field is also essential for the country to take the world leadership in application security. And the only way to increase the generation of knowledge is to promote and fund research in the area, whether undertaken by public or private institutions. The promotion of knowledge and technology generation in business is critical to the creation of a market of application security products in the country and its ability to create advanced and innovative technologies.

To promote the training of professionals capable of acting with ethics and resposability
The whole process of training undergraduates and researchers should prioritize the responsability and ethical aspects of security. The ethics training must be an essential part of training these professionals.

For all public agencies
Any public agency may help to improve the current state of affairs by either doing awareness and training or by using its purchasing power to favor companies that treat adequately the security aspects of applications.

The suggested actions for all public bodies are:

Financing validations and security fixes for open source systems
Many government agencies use open source systems as part of their information technology infrastructures. It is therefore essential for these organizations that these open source systems are secure and reliable. Public agencies should invest in security assessments of open source systems they adopt, in the correction of security flaws found and in and responsible disclosure of flaws as well as corrections.

Thus, public agencies can provide a service to society from the improved security of their own systems and third party systems.

Promote the use of technologies and methodologies for application security
Each public agency should require and promote the use of technologies and methodologies for developing secure applications, both internally and by its suppliers.

It should be the responsibility of each agency ensure that their systems have adequate security and that appropriate techniques are used in developing their computer systems.

Promote and enable security testing responsibly but openly
Security tests are a major tool for find security holes in computer systems. Each public agency should establish a program that allows security researchers to conduct tests on their systems in order to locate faults and repair them as soon as possible.

We emphasize that the tests should be done in an ethical and responsible way and should be seen as a form of collaboration to improve government systems. We believe that cybercriminals are already conducting their own undercover testing on these systems, unlike legitimate researchers with good intentions. So, criminals have an advantage when it comes to these systems security. The best way to balance this dispute is to facilitate the work of researchers and security professionals to find faults and report them appropriately instead of having these faults be used as a currency in digital netherworlds.

Promote awareness and training of managers for the challenges of web security
All public bodies should be concerned about the security of their systems and this concern should be part of the direction given by senior management of each government body. It is therefore important that managers of all agencies to participate in training and awareness sessions in this regard.

The Information Security Department of the Security Cabinet of the Presidency has done an excellent job of raising awareness of federal civil servants and this work should be valued and taken to the state and municipal levels.

Competitive advantages for Brazil
The technology field is an economic activity with high added value and the ability to generate wealth for the country. With the support and leadership from the government, Brazil has the potential to become a world leader in application security, and may also generate revenue by exporting products and services with high added value and by creating new businesses.

Because it is a labor-intensive activity, there is also the possibility of creating jobs in the country for highly trained professionals. The existence of professionals trained in security also supports national sovereignty, since such knowledge is crucial in case of cyber-conflicts or electronic warfare. The development of a field closely linked to information technology also has the potential to foster the development of related areas, increasing the technological capacity of the country.

The improvement of the online business environment tends to improve the country's image overseas, so that Brazil begins to be considered a safe haven for business, both online and off. A favorable business environment may attract international investments, especially investments in businesses directly related to the Internet or enterprise software development.�

How can OWASP help?
OWASP is an international community and brings together leading experts on the subject worldwide, plus a good amount of Brazilian experts, including civil servants. All materials and systems developed by the OWASP are freely available to the Brazilian government to use as it deems most appropriate and the community can also help in developing materials or tools to meet the specific needs of government agencies.

The materials and guidelines developed by the OWASP can be translated into Portuguese in order to serve as a subsidy in developing legislation or regulations. OWASP has good practice guides and standards that can be used as input to the development of Brazilian documents in line with best international practice.

Brazilian experts that participate in OWASP are willing to contribute to make the country to move in the right direction and may serve as an advisory body or liaison with foreign experts if necessary. OWASP is a non-profit and all specialists involved are volunteers.