Industry:ICO Data Sharing CoP



Return to Global Industry Committee

ACTIVITY IDENTIFICATION

Activity Name: ICO Data Sharing CoP
Short Description: Provide a response to the ICO "Data Sharing Code of Practice Consultation"
Related Projects: None
Email Contacts & Roles:
  • Primary: Colin Watson
  • Secondary: Alexander Fry
Mailing list: Please use the Industry Committee list

ACTIVITY SPECIFICS

Objectives
  • Review the CoP, in particular issues relating to web application security
  • Where appropriate, draft a response for submission
  • Submit the response as an official OWASP statement
Deadlines
  • 15 Oct 2010 - Complete first draft response
  • 25 Oct 2010 - Circulate to OWASP UK chapters and GIC mailing lists
  • 30 Oct 2010 - Prepare final version
  • 24 Dec 2010 - Submit to ICO
Status
  • Closed
Resources
  • Consultation document

  • Consultation questions
  • Press release
  • Response submission by email to consultations@ico.gsi.gov.uk by 5th January 2011


Submission Response

Latest first


Final version

File:Owasp-ico-data-sharing-cop-consultation-response-1.pdf


Draft Text version 1

Introduction

This official response has been submitted on behalf of the Open Web Application Security Project (OWASP) by the OWASP Global Industry Committee, following our own internal consultation process.

Response

The OWASP response replies to only two of the consultation questions.

6. Is the code relevant to the types of data sharing your organisation is involved in? If not, which additional areas should we cover?

In "Technical Security" on page 15, there is no mention of websites, yet web applications are one of the most common channels through which personal data breaches occur. Our suggestion is to add an item: "If personal data is collected or processed using a web site or mobile application, have the most common security risks been identified, removed or mitigated?"

This item could reference, as footnotes or in other supporting materials, the following free guidance documents:

10. Is there anything else you think the code should cover or are there any other ways in which you think the code could be improved?

In "Technical Security" on page 15, we believe "is your information encrypted" is too simplistic. Many difficulties exist in implementing encryption properly (key generation, storage and rotation, choice of algorithm and mode, and what is and is not covered by the encryption), and problems can be introduced in unexpected ways. Whilst we understand this document cannot provide all the detail required, a better question would be "How is encryption implemented and managed?"

On page 17, in the discussion of data standards, non-Latin characters are mentioned, but the more generic issues of character encoding (e.g. UTF-8) and escaping are not. These are significant factors in successful data sharing and in ensuring the integrity of the data once it has been exported from one system and imported into another. If the encoding and escaping rules are not properly defined and implemented, data that is safe in one system might actively exploit a weakness in another, leading to data loss, destruction, etc. (e.g. by SQL injection). Our suggestion is to add, after "capabilities of its system.", a new sentence: "Ensure the data are correctly encoded and escaped when output so they can safely be used by the receiving system."
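The encoding and escaping point above, as a worked illustration added here for this wiki page (it is not part of the OWASP response or of the ICO code). It assumes a sender exporting records as UTF-8 CSV and a receiver loading them into a database; Python's standard library and sqlite3 stand in for both organisations' systems, and the three records are constructed for the example. It shows the two failure modes the response describes: a receiver that decodes with the wrong character set silently corrupts non-Latin names, and a receiver that splices shared values into SQL text lets one record reject another (the apostrophe) and a third destroy the table.

```python
"""Data sharing boundary: encoding and escaping between two systems.

Illustration added for this page, not code from the OWASP response.
Assumes: sender exports UTF-8 CSV; receiver imports into sqlite3.
"""
import csv
import io
import sqlite3

FIELDS = ["id", "name", "email"]

# Constructed sample records as held by the sending organisation.
RECORDS = [
    {"id": "1", "name": "Zoë Müller", "email": "zoe@example.org"},
    {"id": "2", "name": "O'Brien", "email": "obrien@example.org"},
    # Ordinary text in the sender's system; SQL syntax to a careless receiver.
    {"id": "3", "name": "x', 'y'); DROP TABLE people; --", "email": "none"},
]


def export_csv(records):
    """Sender: quote every field and emit bytes in the agreed encoding (UTF-8)."""
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=FIELDS,
                            quoting=csv.QUOTE_ALL, lineterminator="\n")
    writer.writeheader()
    writer.writerows(records)
    return buf.getvalue().encode("utf-8")


def parse_csv(payload, encoding="utf-8"):
    """Receiver: decode with the agreed encoding, then parse the CSV.

    Decoding with a different encoding (e.g. latin-1) does not raise; it
    silently turns 'Zoë' into mojibake, which is the integrity loss the
    response warns about.
    """
    return list(csv.DictReader(io.StringIO(payload.decode(encoding))))


def _fresh_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE people (id TEXT, name TEXT, email TEXT)")
    return conn


def _table_exists(conn):
    row = conn.execute(
        "SELECT 1 FROM sqlite_master WHERE type='table' AND name='people'"
    ).fetchone()
    return row is not None


def _names(conn):
    if not _table_exists(conn):
        return []
    return [n for (n,) in conn.execute("SELECT name FROM people ORDER BY id")]


def import_unsafe(records):
    """Receiver that splices values into SQL text (the weakness).

    Returns (table_still_exists, names_stored, records_rejected).
    """
    conn = _fresh_db()
    rejected = 0
    for r in records:
        stmt = "INSERT INTO people (id, name, email) VALUES ('%s', '%s', '%s');" % (
            r["id"], r["name"], r["email"])
        try:
            # executescript runs every statement in the string, so a shared
            # value containing "; DROP TABLE" executes as SQL.
            conn.executescript(stmt)
        except sqlite3.OperationalError:
            # The unescaped apostrophe in O'Brien makes the statement invalid:
            # data loss rather than destruction, but still a failed transfer.
            rejected += 1
    return _table_exists(conn), _names(conn), rejected


def import_safe(records):
    """Receiver that passes values as bound parameters: data stays data."""
    conn = _fresh_db()
    conn.executemany(
        "INSERT INTO people (id, name, email) VALUES (?, ?, ?)",
        [(r["id"], r["name"], r["email"]) for r in records])
    return _table_exists(conn), _names(conn), 0


if __name__ == "__main__":
    payload = export_csv(RECORDS)
    print(parse_csv(payload)[0]["name"])             # Zoë Müller
    print(parse_csv(payload, "latin-1")[0]["name"])  # ZoÃ« MÃ¼ller
    print(import_unsafe(parse_csv(payload)))
    print(import_safe(parse_csv(payload)))
```

The CSV layer already handles the transport escaping (quoting commas and embedded quotes); the point is that escaping for the transport format does not make the data safe for the receiving system's own interpreter, so the receiver must still bind values rather than splice them, and both sides must agree on the character encoding in writing.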

About OWASP

to be added in final draft

