Industry:Digital Britain Interim Report

Return to Global Industry Committee

The OWASP Global Industry Committee will be submitting a response on behalf of OWASP to the interim Digital Britain report:

What's it about? An action plan to secure the UK's place at the forefront of innovation, investment and quality in the digital and communications industries.

Why is this relevant to OWASP? The terms of reference for the report include:

Empowered and informed consumers and citizens fully equipped to take advantage of the opportunities convergence brings.

Internet: looking at a range of issues affecting internet users, such as user security and safety and a workable approach to promoting content standards.

and from the interim report:

We need to ensure that UK internet users can operate with security and confidence.

but the listed principles relate only to privacy, personally identifiable information and illegal material.

In particular we would like to provide input to section 5.3 Online Safeguards. Our drafts have been created in conjunction with members of the London and Scotland chapters' mailing lists and draw heavily on information already published on the OWASP website. However, the language and focus relate specifically to the context of the report. For example, we have avoided using the word "vulnerability", since "vulnerable groups" is used heavily in the document, and use "defects" instead. OWASP is referred to in the third person, and "we" and "our" are reserved for society in general.

Further comments are welcome up until submission at the end of the day on 11th March 2009 (GMT).

Submission Response
Latest first

Final version
Final version uploaded 11th March 2009

Text version:

Open Web Application Security Project (OWASP) Contribution to Digital Britain Report
The UK Government has commissioned a report on Digital Britain concerning how to place Britain at the forefront of the global digital economy. The report's Steering Board is drawing on expertise from across Government, industry and regulators and has invited further contributions since publication of the interim report on January 29th 2009. The Open Web Application Security Project (OWASP)[1] has created this submission as a contribution to the report. It has been co-ordinated by OWASP's Global Industry Committee[2] in consultation with OWASP's UK chapters in London[3] and Scotland[4].

Discussion
Introduction

OWASP believes good application security is vital to underpin the digital economy and safeguard users.

Fraud

UK credit and debit card fraud is a prime “growth industry” for criminals, up 26% in 2007 (figures for 2008 are not yet published)[5]. There is also evidence of a move away from cardholder-present fraud towards internet-based attacks: the main growth is in card-not-present (CNP) fraud, up 37% in 2007[6]. With the introduction of chip and PIN in 2006, criminals have shifted their focus further towards transactions where the cardholder is not present, specifically online. This, coupled with the increasing amount of banking and commerce conducted electronically, means that the need for secure web applications is greater than ever.

Malware

Distribution of malicious code, including viruses, worms, Trojans and spyware, collectively known as malware, used to be undertaken mainly through electronic mail. Spyware and phishing attacks in particular are increasing[7]. It is clear that these attacks are now motivated by monetary gain, via an underground economy and criminal organisations[8].

Attacks delivered through applications (e.g. websites and web applications) are now the main channel for these kinds of attacks[9]. To counter this, it is crucial that future applications are designed with the most common risks in mind.

Data Loss

The protection of personally identifiable information, intellectual property and business information is a concern of most organisations, families and individuals. But there are now new ways for information loss, including theft, to occur through digitally connected networks. Web applications are being used to provide access to data that until recently would have been located only deep within an organisation's security perimeter. Now that this data has effectively been moved outside those defences, it is often no longer adequately protected. It is very difficult to make web applications completely secure, but the many documented incidents illustrate that they are not nearly secure enough[10].

Infrastructure

Cyberspace and physical space are increasingly intertwined; physical systems are increasingly controlled or enabled by software. Applications serve as primary points of entry that attackers may attempt to use to gain access to systems and/or data[11]. We are relying on digital channels and applications for commercial[12] and critical national infrastructure[13]. The threats to information systems are ever-increasing and constantly evolving, but reducing defects can prevent or minimise the severity of cyber attacks and improve the likelihood of successful recovery.

Trust

The Internet and other digital channels are fast becoming the one thing we cannot live without. People are relying on these channels for fun and education; organisations are relying on them to do business; government is engaging with citizens through them. But the Internet and other digital channels are insecure. To develop a vibrant digital economy, we need to build trust and reduce distrust[14]. Without public confidence in digital systems and processes, our own economic development in these areas will be stifled.

Most computer systems have defects, and those exposed on the Internet and other digital channels are at greater risk of exploitation. This affects the systems, the applications, the data and the users themselves. We are reliant on confidence in these channels, without which the sector could collapse. Countries that can improve the standard of software security will benefit from increased trust.

Online Protection

Applications delivered over digital channels (phone, Internet, TV, etc.) that contain security flaws put systems, data and users at risk.

In order to make Britain the safest place to do business online, our systems and applications must be made more secure. OWASP is working with programming language teams, browser suppliers, framework developers and others to make these more secure by default. But we also need to encourage wider uptake of building security into all stages of the software development process. If Britain can improve the standard of its applications by encouraging secure development practices, rigorous testing and security verification, the digital economy will benefit.

Application security should be approached as a people, process, and technology problem, because the most effective approaches to application security include improvements in all of these areas.

OWASP believes that the development of open standards and guidance is the best way to share knowledge. Organisations that have referenced the defects identified in OWASP's Top Ten Project[15] and used the Guide to Building Secure Web Applications[16], Code Review Guide[17] and Testing Guide[18] are applying identified good practice to avoid common coding and deployment defects in the software development process.

OWASP members and other contributors are continually updating these guides and developing other tools to help developers, testers, auditors and application owners. They have developed the OWASP Enterprise Security API (ESAPI) Toolkits[19] to help software developers guard against security-related design and implementation flaws, by providing ready-built, tested and verified modules for common web programming languages.

Organisations should implement security governance measures, such as adopting a maturity model based on the Software Assurance Maturity Model (SAMM)[20]. These need to be tailored to the processes and risks facing each organisation. Once applications are developed, OWASP is committed to providing ways to assess and compare their security. An initiative in this area is the Application Security Verification Standard (ASVS)[21], an open standard that defines ranges of coverage and levels of rigour for performing application security verifications, which can be used to establish a level of confidence in an application's security.

Application Security Principles

Overall, the high level principles OWASP believes to be of importance[22] are:

 * Apply defence in depth (complete mediation)
 * Use a positive security model (fail-safe defaults, minimise attack surface)
 * Fail securely
 * Run with least privilege
 * Avoid security by obscurity (open design)
 * Keep security simple (verifiable, economy of mechanism)
 * Detect intrusions (compromise recording)
 * Don’t trust infrastructure
 * Don’t trust services
 * Establish secure defaults (psychological acceptability)

These need to be evaluated and interpreted for each particular application in the context of the business process and with consideration of the types of data being collected, used, stored and transmitted.
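As an added illustration of several of the principles listed above (positive security model, fail securely, run with least privilege, establish secure defaults and detect intrusions), and not part of the OWASP submission text or of any OWASP project, the following Python sketch shows an authorisation check for a hypothetical online banking operation. The action names, roles, account-identifier format and in-memory audit log are all constructed for the example.

```python
"""Added example: an authorisation check written to the principles listed above.

Everything here (roles, actions, account-id format, the in-memory audit log)
is constructed for illustration and is not OWASP project code.
"""
import re
from dataclasses import dataclass

# Positive security model: the only actions that exist are the ones listed.
# Anything not on this allowlist is rejected without further inspection.
ALLOWED_ACTIONS = frozenset({"view_account", "transfer", "close_account"})

# Least privilege: each role gets the smallest set of actions it needs.
# "close_account" is deliberately granted to no online role at all.
ROLE_PERMISSIONS = {
    "customer": frozenset({"view_account", "transfer"}),
    "auditor": frozenset({"view_account"}),
}

# Positive validation: an account id must match exactly this shape (eight
# digits, constructed for the example) rather than merely avoiding a
# blocklist of "dangerous" characters.
ACCOUNT_ID_RE = re.compile(r"[0-9]{8}")

# Detect intrusions / compromise recording: every denial is kept so that
# probing (unknown actions, malformed ids, privilege escalation) is visible.
audit_log = []


@dataclass(frozen=True)
class Decision:
    allowed: bool
    reason: str


def deny(role, action, account_id, reason):
    """Record the refused request and return a negative decision."""
    audit_log.append({
        "role": repr(role),
        "action": repr(action),
        "account": repr(account_id),
        "reason": reason,
    })
    return Decision(False, reason)


def authorise(role, action, account_id):
    """Return a Decision; the only path to allowed=True is passing every check."""
    try:
        if action not in ALLOWED_ACTIONS:
            return deny(role, action, account_id, "unknown action")
        if not isinstance(account_id, str) or not ACCOUNT_ID_RE.fullmatch(account_id):
            return deny(role, action, account_id, "malformed account id")
        # Secure default: a role we have never heard of has no permissions.
        permitted = ROLE_PERMISSIONS.get(role, frozenset())
        if action not in permitted:
            return deny(role, action, account_id, "not permitted for role")
        return Decision(True, "ok")
    except Exception as exc:
        # Fail securely: an unexpected error (e.g. an unhashable action value)
        # becomes a recorded denial, never a bypass.
        return deny(role, action, account_id, f"error: {type(exc).__name__}")


if __name__ == "__main__":
    print(authorise("customer", "transfer", "12345678"))
    print(authorise("auditor", "transfer", "12345678"))
    print(authorise("customer", "delete_everything", "12345678"))
    print(authorise("customer", ["transfer"], "12345678"))
    print(f"{len(audit_log)} denials recorded")
```

The point of the shape is that there is exactly one success path, every refusal is logged with its reason, and unknown roles, unknown actions and malformed inputs all land on the deny side without any special casing.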

Digital Britain Report

The online safeguards already identified to protect vulnerable groups and provide informed consent for adults are important. Some of the harms to vulnerable groups are facilitated by insecure websites, so improvements in application security also have a knock-on effect in these areas.

However fraud, distribution of malware and data loss can affect anyone. We need to encourage all types of organisations in the UK to identify and adopt good information security governance practices, and in particular ensure their applications are built and evaluated with security in mind.

Specific suggested changes and additions to the Interim report
Section 4.2 Driving Universal Connectivity: Take-up

General

Add a new sentence in the third paragraph after “great content and great services.”: “The content and services must not expose the users, systems and data to unnecessary risk.”

Action 21

Insert “safe, secure and” before “designed for ease of use”.

Section 5.1 Education and Skills

General

Add a new paragraph after the paragraph relating to the TSB: “Development of digital work-skills requires an appreciation of information security as an aspect underpinning Britain's digital economy. This digital economy relies on trust, and the sector can be undermined by a lack of security in any part.”

Section 5.3 Online Safeguards

General

The issues discussed above could contribute to the introduction of section 5.3.

Tiers

The suggested four tiers of content and information should be expanded to five. The extra tier is “material potentially harmful to everyone”, which would include the likes of malware and web pages/applications that contain security defects which could allow damage to a user, their systems or their data.

Principles

Add a new bullet point “Secure, trusted digital commerce” to the existing three items.

Supporting Guidelines

Add a new bullet point “a safer online experience through the encouragement and uptake of secure software development practices on which OWASP provides a lead”.

Action Points

The action points will no doubt be reviewed in the light of additional input since publication of the interim report.

A new action point could address the need to encourage the selection and adoption of secure software design, development, testing and verification methodologies, and for Governmental organisations, and others, to require verification of the security of their digital applications. Three government organisations could be of particular importance in this area. The Central Office of Information[23] is a key organisation in the research and development of standards for government websites[24]; the Information Commissioner's Office[25] is particularly active in information privacy matters; the Centre for the Protection of National Infrastructure[26] provides integrated security advice to the businesses and organisations which make up the UK national infrastructure.

Digital applications found to be lacking in adequate security undermine confidence in the whole UK digital economy, and some of them affect the robustness of the critical national infrastructure. Encouragement to adopt good application security practices and standards, and incentives to improve security or reduce defects, would support a safer UK digital economy.

About OWASP
OWASP is a global open community dedicated to enabling organisations to develop, purchase, and maintain applications that can be trusted. OWASP builds documents, tools, teaching environments, guidelines, checklists, and other materials to help organisations improve their capability to produce secure code. All of the OWASP tools, documents, forums, and chapters are free and open to anyone interested in improving application security.

OWASP was formed in 2001, in an entirely organic fashion, when a group of security professionals came to realise how insecure the way we developed web applications was. The initial goal was modest: write a guide for developers documenting secure software development practices. While the initial effort was meant to last a few weeks, it grew to several hundred pages. When released, the OWASP Guide to Building Secure Web Applications was an instant success.

OWASP is a place where good people gather to help increase the awareness of the web application security problems in applications. It is a grass-roots effort, with the driving force being the people who are dealing with these problems every day, and wanting to lend a hand to change the situation for the better. The OWASP Foundation is a not-for-profit entity that ensures the project's long-term success.

OWASP has over 130 local chapters around the world including two in the UK.

OWASP's projects are widely referenced. For example, the OWASP Guide to Building Secure Web Applications is referred to in the Payment Card Industry Data Security Standard (PCI DSS)[27]. OWASP was shortlisted in 2008 for the best security initiative award in Nominet's Best Practice Challenge[28].

Draft Text version 2
2nd draft uploaded 9th March 2009:

Draft Text version 1
1st draft uploaded 5th March 2009:

Initial Comments
Key parts of the draft report, which could relate to application security, are:

Page 7 (Box: Five objectives, second item) "A dynamic investment climate for UK digital content, applications and services, that makes the UK an attractive place for both domestic and inward investment in our digital economy".

Page 13 (Equipping everyone to benefit from Digital Britain) Very few action points provided in the draft report compared to other sections. Nothing for 'online safeguards' yet.

Pages 36-38 (3 Digital Content 3.1 The Economies of Digital Content) E-commerce growth figures / commercial challenges. No mention of trust.

Pages 59 and 61 (4.2 Driving Universal Connectivity: Take-up) User demand / Ease of use. No mention of safety/security.

Page 66 (5.2 Media Literacy) "...need to ensure a population that is confident and empowered to access, use and create digital media." Also heavy emphasis on child protection, but not other users.

Page 69 (5.3: Online Safeguards) Whole section is important but currently focuses almost only on illegal and adult content.

Page 74 (Glossary)
