KBAPM Meeting Notes

KBAPMP Meeting Notes 20150112
KBAPMP Meeting Notes January 12, 2015

Attending: Ann Racuya-Robbins, Donald Gooden, Noreen Whysel, Bev Corwin, Laureano Batista

Luis Enriquez is traveling.

AGENDA:

Welcome

Discussions:
- IDESG KBAPM Project Responses
- Draft Project Policies Update

Ongoing:
- Discuss and Document Tools/Ways
- Information Management Update
- Blog Article Update
- Application to Conference in Amsterdam Update: https://2015.appsec.eu/call-for-papers/ https://2015.appsec.eu/call-for-research/

Take aways:
- Tasks
- Schedule next meeting
- Adjourn

WHERE: GoToMeeting https://www3.gotomeeting.com/join/642177878 Access Code: 642-177-878

Review response from IDESG (ARR)

Cathy Tilton sent a response from the IDESG Standards Coordination Committee. The KBAPMP team has added responses to her questions.

Laureano suggests that our integration of security, identity and risk is a little weak in our documentation. Needs more structure.

Bev: Do we need a taxonomy?

Laureano: Metrics - what are you measuring, how do you measure it, where do you get the data? Need to integrate Continuous Improvement.

ARR: In the NSTIC context, privacy requirements would need to be evaluated, addressed, anticipated.

Laureano: Instead of a dynamic/static description of KBA, go with 3 layers of KBA (authentication of user, validation/authentication of identity, risk).

Donald: Just because it is being used this way (NSTIC) now doesn't mean that it can't change in the future. Focus on NIST/NSTIC requirements (not just the IDESG request). Look at old presentations about KBA and newer things to make sure we have covered it all and set marks for the future.

Noreen: A document that will continue to evolve as the marketplace evolves.

Laureano: All of the above was for Luis' eyes. Need input from Luis and the rest of the team.

Bev: One thing Information Architects do is make the invisible visible. What Laureano is doing helps bring these to the front. IDESG/OASIS and the like are missing this in their approach.

Action: ARR, Luis and Bev get on a call with SCC.

Policies (Luis and Laureano)

Laureano redlined/track-changed Luis' document. Action: Laureano will email it to ARR.

KBAPMP Meeting Notes 20150105
KBAPMP Meeting Notes January 5, 2015

Attending: Ann Racuya-Robbins, Donald Gooden, Noreen Whysel, Luis Enriquez, Laureano Batista

Agenda:
- Cover Letter and Introduction: ARR
- Question 1: Noreen, Don
- Question 2: ARR, Luis
- Question 3: Luis, ARR
- Question 4: ARR, Luis
- Question 5: ARR, Don, Luis, Noreen
- Question 6: ARR, Luis, Noreen
- Question 7: ARR, Luis, Noreen, Don
- Question 8: ARR, Noreen, Don

Policies for Outreach and Development: first due date Friday, Jan 9, COB

Cover Letter and Introduction: ARR

Question 1 (Noreen, Don): Please provide a list and description of completed projects (or their URL) that are in the domain of identity management.
- Incomplete projects can be provided
- NASPO ANSI DHS
- OWASP ASVS: https://www.owasp.org/index.php/Category:OWASP_Application_Security_Verification_Standard_Project
- OWASP Best Practices
  - ESAPI, SAMM, Top Ten
- Map of components of the ASVS standard
- Action: Reach out to membership to find developers with identity management expertise and/or standards development expertise.

Question 2 (ARR, Luis): What normative standards has OWASP completed that have been adopted in industry? Have these standards been ratified by organizations accredited by ANSI or ISO, or any other standards organizations?
- Perhaps we can get the ASVS team to get the standard under review at ANSI or ISO?
- ANSI Accreditation Services: http://www.ansi.org/standards_activities/domestic_programs/overview.aspx?menuid=3
- ARR/Noreen to work on an email
- Don to provide links to standards talks/presentations from OWASP
- Laureano suggests describing OWASP's project processes up front.
- Don: focus on our role as helping to create the standard: strengths in documentation, checklists/benchmarks, publication, global representation; what does OWASP do well, put that in a good light.

Question 3 (Luis, ARR): Can OWASP provide a list of new team members, if any, since submitting the Expression of Interest to the SCC?
- Early stages; can request participation from membership

Question 4 (ARR, Luis): Can OWASP provide a project plan/roadmap and approach to complete this work within a reasonable timeframe (< 2 years)?
- Yes; on the last call Luis said six months.
- Luis updated the roadmap, now on the KBAPMP home page. Next step: table of contents. ASVS, SAMM

Question 5 (ARR, Don, Luis, Noreen): What efforts have been made to attract project contributors with technical expertise in ICAM and KBA, and others with legal background?
- Noreen's survey of OWASP members should help with this
- Legal background might be initiative research. Laureano is a lawyer.
- Luis: add that we are seeking support of legal/technical institutes to review and advise.

Question 6 (ARR, Luis, Noreen): Since only a limited number of projects are active, and the participation rate seems focused on coding issues, how do proposers intend to activate/energize participation in their project once approved?
- Noreen: State that OWASP has an established and proven process for projects and a global membership. Many of our projects are active. Not sure why they say only a "limited number" are active.

Question 7 (ARR, Luis, Noreen, Don): Is OWASP's project goal to have a completed standard for KBA performance metrics, or input to a potential standard (e.g. studies, best practices)? If input into, have you identified and coordinated with an SDO?
- We want to be as useful and constructive as possible, whether it is a complete standard or providing help and expertise.

Question 8 (ARR, Noreen, Don): Please describe the public review process, including how reviews are performed and how comments are adjudicated.
- Link to public review process.
- All projects are open, all discussion lists are open, anyone can participate. Project wiki pages, project calls/webinars, code/data repositories, and minutes are publicly available and comments are encouraged.

Publicizing within OWASP:
- Connector
- owasp-community listserv
- Projects team may have additional suggestions
- Private repository: Yiannis (yiannis@owasp.org) manages the OWASP GitHub account. Email him to request a new account.
- https://www.owasp.org/index.php/Category:OWASP_GitHub
- https://github.com/OWASP
- OWASP also has OpenHub.

KBAPM Meeting Notes 20141208
OWASP KBAPM Call December 8, 2014

Attending: Ann Racuya-Robbins, Donald Gooden, Noreen Whysel, Luis Enriquez, Bev Corwin, Laureano Batista

Note Taker: Noreen Whysel

Review minutes. Issues regarding mailing list update.

KBA requirements: Ann thinks Brian Lawler's article has good information, appears to be relevant today even though it is a few years old.

GitHub is now available: https://github.com/OWASP/KBAPM
- Should have a commit process for KBA deliverables.
- Don suggests using Google Docs for Luis' research until reviewed, then post to GitHub.

List of questions from IDESG
- http://lists.owasp.org/pipermail/owasp_kbapm_project/2014-December/000007.html
- "Man in the Middle" discussion with vendors. Not sure who is the man in the middle.
- Come up with questions and a sample proposal.

OpenHub
- Performance metrics tool
- We have a Blackduck OpenHub account set up.

Penetration Testing
- What kind of permission do you need to perform a pen test?

Agile Development White House Policy
- 12 practical policies.
- When in doubt, default to transparent and open. Approaching our interactions this way as well. Put it on the vendor to enforce agreements to share data.
- NSTIC is a White House initiative, so it makes sense to follow White House Policy.

Heuristics/Taxonomy
- Define new words and phrases
- Simple searches on terms.
- Google doesn't have access to subnets. Will not appear in search results.
- Ann's understanding is that OWASP has a Google account for Gmail, calendar, documents, etc. Does this give them access to our accounts? Is it public?
- Ann will work with Noreen and OWASP Governance to understand how transparent these services are to Google and to the public.
- Luis says it should be OK to keep the documents public. Only people who have edit access can make changes. Can also put these in the GitHub.

KBA Symposium/Lawler from Mitre
- Thomas Regan, LexisNexis, spoke at the same event; good point of contact

IDESG Questions
- Need to know how long it will take to provide answers to the questions from IDESG.
- Is it essential to answer all the questions?
- Don suggests using the OWASP project to fill in as much as we can from the wiki.
- Luis suggests going ahead and answering their questions. We can continue to go ahead with the project even if they don't take us on.
Assigned to: Noreen, ARR, Don

2. OWASP Standards
- OWASP Application Security Verification Standard
- Less focus on Top Ten in our response; popular and gives us authority in the industry.
- Open standards: don't need to license it.
- What do they mean by ratified? Voted on? Certified? Who uses ASVS? Does ANSI or ISO ratify standards developed by external entities?
- ANSI has a standards store that has downloadable standards from various associations. Does not appear to be open standards; all appear to have a cost.
- NSSN standards search engine
Assigned to: Luis, ARR

3. New team members: yes, we do have new members; need to sort out communications processes. Reach out to the KBA and OWASP community. Wait to send a list until we see if new people come on board. Assigned to: TBA

4. Roadmap within 2 years is doable? Depends on whether we are creating standards or best practices. Luis thinks incubator projects should last no more than one year. Assigned to: ARR

5. ICAM/KBA Subject Matter Experts
- Ann will reach out to contact at ICAM: Identity Credential and Access Management (need Bev's guidance on this one)
- Laureano can read laws and advise as things progress, but needs directives; no background knowledge.
- Bev suggests recruiting a subject matter expert. Invite NIST people from IDESG to participate and people from the KBA symposium. Don says we need to put policies and procedures in place first.
Assigned to: Bev & Don

6. Coding Issues
- Recruiting participation
- Advertising, branding, marketing
Assigned to: Luis, Noreen

7. Complete standards or input into potential standard?
- Have we identified with a Standards Development Organization, or will we develop the complete standard ourselves?
- Noreen suggests doing it in phases. Roadmap should cover Phase I: Research, Phase II: Best Practices, Phase III: Standards. We can deliver I and II as open deliverables, and if IDESG decides to drop us or drop the project we can at least continue as an OWASP standard. Either way we get to participate and have a solid deliverable towards an NSTIC goal.
Assigned to: Noreen, Don

8. Public Review Process
- Requirement of all standards
- Noreen will check to see if ASVS had a public review process.
- All OWASP projects are open and public.
- Informed by Standards Adoption Policy; Ann will post to GitHub.
Assigned to: Ann, Noreen

Outreach to providers:
- Policy for outreach and development
- Invitation to KBA providers to participate in penetration testing
- Complete by January 15, 2015

Project Overview
- Laureano suggests tightening up the project description and goals.
- Complete by January 15, 2015

Policies:
- Not IDESG's position to evaluate other organizations, but they seem to be evaluating OWASP but not "evaluating" OASIS.
- SAP: evaluating deliverables. Need clarification from IDESG whether the intent is to evaluate the organization or the standards.
- Ann and Noreen to add request for clarification. Bev suggests attending Thurs AM standards meetings.

Adjourn 12:32ET.

KBAPM Meeting Notes 20141201
OWASP KBAPM Call December 1, 2014

Attending: Bev Corwin, Ann Racuya-Robbins, Laureano Batista, Luis Enriquez, Noreen Whysel, Donald Gooden

Note Taker: Noreen Whysel

Bev: to write up approach to conflict situations. "No man in the middle" approach: connects people in situation without formal mediation. Let them talk it out as much as possible, give them responsibility for disclosure of intellectual property.

Agreed that: We will not sign onto non-disclosure agreements with vendors to understand their KBA processes.

Ann: Added an outline to the OWASP KBAPM project page. Advantage to following open OWASP protocols including using versioning and having commit privileges, etc.

Energetics.com: Develops codes and standards. Review Metrics and Evaluation and see what we can use of their thought processes/outlines for creating standards.

Luis: confirmed we have a GitHub at OWASP. Ann suggests also looking at OpenHub. Bev suggests advantage of GitHub is people will likely find us.

Ann will send out link to website whenever there is a significant change to the structure.

Penetration testing. Is it ethical? Luis: if you have permission, it should be OK. Bev: need to be sure it is legal; may require an agreement/formal permission to test KBA. Use OWASP methodologies, procedures and testing tools. Luis: Intellectual property rights are an issue. May not be able to publish results.

Task: develop tasks for seeking an agreement with vendors. Is there a boilerplate? It needs to allow us to access information and publish results.

Luis: IDology: Enhanced KBA. Uses information already collected on customers to authenticate identity. Provide documentation, video, image.

Bev: Virtual Self: create a virtual avatar that is different from your actual self. Now we have real name policies and can't do it as much.

Laureano: Google: uses google ecosystem, need to sign out while you are on the same browser or associate the accounts, which means they know it is you.

Bev: Can also be an issue when you are doing business in more than one state. Google doesn't have access to subnets.

Laureano: B2C paradigm: Authenticate users, i.e., what is the mechanics/structure of authentication from the business' perspective? Given ethical/legal restraints, we will not be able to access their metrics. We can only ask. Need two different identifications: authentication of identity who owns the account and identity verification of the user. Are they asking ethical question about what they are doing with identity information? What is robust, what isn't? How much burden are we placing on user? Does that affect sales? risk/reward on cost of business metric drives KBA forward. More important in health and finance than in social media?

Bev: need to examine public versus private personas. And how to protect privacy when it is stripped by ToC. Personal vs corporate vs government.

Don: Looking for performance metrics. Questions/responses/uses.

Noreen: We are creating standards, not setting policy or taking a political stance, but understanding the environment and legal constraints. Standard should have some flexibility to address changes in the environment but I don't think we can set policy.

Ann: What body of law governs KBA in EU?

Luis: IFROS, European Court of Justice, Privacy, Asia. Main problem with dynamic KBA is some EU jurisdictions don't allow it. EC Secondary Source Law. Rule may not always be the same depending on local government.

Laureano: Forward facing nature. Bev: Look at what the gaps are, future direction/momentum.

Don: Brian Lawler, authored, National Standards: Models of Knowledge based Authentication (KBA Symposium) http://csrc.nist.gov/archive/kba/agenda.html

Task: Need a clear set of questions for IDESG.

Update on IDESG: Concern about subject matter expertise and having enough people. Need to bring in someone from NIST, like Jim; need a big name. Timeline: 2-year commitment. Bev: caution that there could be discriminatory policies or exclusion. We want to avoid this. Noreen: IDESG's timeline and the standards deliverable need to be open to the changing KBA landscape. A lot will change in two years.

Adjourn 12:32ET.