Difference between revisions of "Industry:Personal Information Online Code of Practice"

From OWASP
Revision as of 07:42, 22 February 2010



ACTIVITY IDENTIFICATION

Activity Name: Draft Personal Information Online Code of Practice
Short Description: Provide response to UK ICO "Personal Information Online Code of Practice"
Related Projects: None
Email Contacts & Roles: Primary - Colin Watson; Secondary - TBC
Mailing list: Please use the Industry Committee list

ACTIVITY SPECIFICS

Objectives
  • Review Draft CoP - in particular issues relating to web application security
  • Where appropriate, draft a response for submission
  • Submit the response as an official OWASP statement
Deadlines
  • 11 Dec 2009 - Circulate to OWASP UK chapters for comment
  • 1 Feb 2010 - Deadline for comments from OWASP lists
  • 8 Feb 2010 - Complete final draft response
  • 8 Feb 2010 - Submit for approval by Global Industry Committee
  • 15 Feb 2010 - Submit to ICO
Status
  • Closed
Resources
  • Consultation introduction
  • Consultation document
  • Submit comments via ICO Consultation Portal by 5 March 2010.


Submission Response

Section 7 - Data protection online

Question 3 (Are there any other specific issues relating to online security that you think it would be helpful for us to cover in the code?)

  • Ensure that a Secure Development Life Cycle (SDLC) is in place.
  • During the analysis phase of the project, perform a threat analysis (or similar) to help determine the security requirements that must be met. The security requirements should cover the following types of issue (these correspond to the verification areas of the OWASP Application Security Verification Standard, referenced under Question 16):
    • Security architecture
    • Authentication
    • Session management
    • Access control
    • Input validation
    • Output encoding/escaping
    • Cryptography
    • Error handling and logging
    • Data protection
    • Communication security
    • HTTP security
    • Security configuration
    • Malicious code search (review of the code base for backdoors and other unintended functionality)
  • Secure coding practices should be in place during the development phase. These should address common risks such as those described in the OWASP Top Ten.
  • The testing phase should include application security testing that verifies the security requirements defined during analysis.
  • During the deployment phase the emphasis should be on security hardening of the application, database and infrastructure.
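As an added example, written for this page and not part of the OWASP submission or of any OWASP project, the following Python turns five of the requirement areas listed above (session management, communication security, HTTP security, input validation, output encoding) into automated checks of the kind the testing phase can run. The response headers, cookie names and the username rule are constructed assumptions rather than anything taken from the original text; a real programme would derive the exact rules from its own threat analysis. The weak response is shown beside a hardened one that passes the same checks.

```python
import html
import re

# Constructed sample (not captured from any real site): the response headers a
# web application might return for a page shown to a logged-in user.  Repeated
# header names such as Set-Cookie are kept as a list of (name, value) pairs.
WEAK_RESPONSE_HEADERS = [
    ("Content-Type", "text/html; charset=utf-8"),
    ("Set-Cookie", "session=7c1d3e5f9a0b; Path=/; HttpOnly"),
    ("Set-Cookie", "lang=en; Path=/"),
    ("X-Frame-Options", "DENY"),
]

# The same response with the findings reported below corrected.
HARDENED_RESPONSE_HEADERS = [
    ("Content-Type", "text/html; charset=utf-8"),
    ("Set-Cookie", "session=7c1d3e5f9a0b; Path=/; Secure; HttpOnly; SameSite=Strict"),
    ("Set-Cookie", "lang=en; Path=/"),
    ("X-Frame-Options", "DENY"),
    ("Strict-Transport-Security", "max-age=31536000; includeSubDomains"),
]


def parse_set_cookie(value):
    """Split one Set-Cookie header value into the cookie name and the set of
    attribute names (lower-cased, without values, e.g. {'path', 'httponly'})."""
    parts = [p.strip() for p in value.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    attrs = {p.split("=", 1)[0].strip().lower() for p in parts[1:] if p}
    return name, attrs


def check_session_cookies(headers, session_cookie_names=("session",)):
    """Session management requirement: the session identifier must only travel
    over TLS (Secure) and must not be readable by script (HttpOnly).  The
    cookie name 'session' is an assumption for this example."""
    findings = []
    for name, value in headers:
        if name.lower() != "set-cookie":
            continue
        cookie, attrs = parse_set_cookie(value)
        if cookie in session_cookie_names:
            for required in ("secure", "httponly"):
                if required not in attrs:
                    findings.append(f"session cookie '{cookie}' lacks {required} flag")
    return findings


def check_transport_and_http_headers(headers):
    """Communication security and HTTP security requirements: HSTS so the
    browser refuses plain HTTP, an anti-framing header, and an explicit
    charset so the browser does not guess the encoding of HTML."""
    present = {name.lower(): value for name, value in headers}
    findings = []
    if "strict-transport-security" not in present:
        findings.append("missing Strict-Transport-Security header")
    if "x-frame-options" not in present:
        findings.append("missing X-Frame-Options header")
    content_type = present.get("content-type", "")
    if content_type.startswith("text/html") and "charset=" not in content_type.lower():
        findings.append("Content-Type for HTML omits charset")
    return findings


def run_response_checks(headers):
    """All header checks together; an empty list means the response passed."""
    return check_session_cookies(headers) + check_transport_and_http_headers(headers)


# Input validation requirement: define what is acceptable and reject the rest.
# The allow-list below is an assumed rule for this example.
USERNAME_RE = re.compile(r"[A-Za-z0-9_.-]{3,32}")


def validate_username(value):
    """Accept 3 to 32 characters from a fixed allow-list; reject everything else."""
    return USERNAME_RE.fullmatch(value) is not None


def render_greeting(display_name):
    """Output encoding requirement: escape untrusted data for the HTML context it
    is placed in, so a name like <script> is displayed as text, not executed."""
    return "<p>Welcome, " + html.escape(display_name, quote=True) + "</p>"


if __name__ == "__main__":
    for label, headers in (("weak", WEAK_RESPONSE_HEADERS),
                           ("hardened", HARDENED_RESPONSE_HEADERS)):
        print(label, run_response_checks(headers) or "no findings")
    print(validate_username("alice_01"), validate_username("alice<script>"))
    print(render_greeting("<script>alert(1)</script>"))
```

Checks of this shape belong in the automated test suite rather than in a one-off review, so that a regression in any of the requirement areas fails the build.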


Section 10 Operating internationally

Question 7 (Are there any other international issues you would like to see covered?)

The two sections boxed out with bullet points apply equally to design agencies, website developers, web programmers, contractors, hosting companies and other suppliers located in the UK, not just to those based overseas.

We recommend adding the following points:

  • have a risk-based application security programme built into all stages of software (e.g. website) development practices
  • ensure all websites and related systems are developed securely to protect against security risks
  • build information security and privacy requirements into all contracts and agreements


Section 12 - General consultation questions

Question 16 (Is there any other relevant guidance that we should refer to?)

We recommend referencing the following OWASP documents relating to the development of secure websites and web services (web applications). These are all available free of charge on OWASP's wiki and as PDFs, or at cost from an online printer. OWASP does not endorse commercial products or services.

Software Assurance Maturity Model (SAMM)
An open framework to help organisations formulate and implement a strategy for software security that is tailored to the specific risks facing the organisation.
http://www.opensamm.org/

Top Ten, OWASP
The OWASP Top Ten represents a broad consensus about what the most critical web application security flaws are.
http://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project

Guide to Building Secure Web Applications, OWASP
The Development Guide is aimed at architects, developers, consultants and auditors and is a comprehensive manual for designing, developing and deploying secure Web Applications and Web Services.
http://www.owasp.org/index.php/Category:OWASP_Guide_Project

Code Review Guide, OWASP
Guidance on identifying security flaws in web application source code.
http://www.owasp.org/index.php/Category:OWASP_Code_Review_Project

Testing Guide, OWASP
Web application security penetration testing guide describing techniques for testing the most common web application and web service security issues.
http://www.owasp.org/index.php/Category:OWASP_Testing_Project

Application Security Verification Standard (ASVS), OWASP
Structured security verification framework for web applications.
http://www.owasp.org/index.php/ASVS


Question 17 (Are there any further comments you wish to make?)

Response to the ICO on behalf of OWASP


This is an official response on behalf of the Open Web Application Security Project (OWASP)[1] prepared by UK members of OWASP's Global Industry Committee[2] in consultation with participants in the Leeds[3], London[4] and Scotland[5] chapters.

OWASP is pleased the ICO is providing guidance in this manner to UK organisations.

About OWASP


OWASP is a global open community dedicated to enabling organisations to develop, purchase, and maintain applications that can be trusted. OWASP builds documents, tools, teaching environments, guidelines, checklists, and other materials to help organisations improve their capability to produce secure code. All of the OWASP tools, documents, forums, and chapters are free and open to anyone interested in improving application security.

OWASP was formed in 2001, in an entirely organic fashion, when a group of security professionals came to realise how insecure the prevailing way of developing web applications was. The initial goal was modest: write a guide for developers documenting secure software development practices. While the initial effort was meant to last a few weeks, the result ran to several hundred pages. When released, the OWASP Guide to Building Secure Web Applications was an instant success.

OWASP is a place where good people gather to help increase awareness of web application security problems. It is a grass-roots effort, driven by the people who deal with these problems every day and want to lend a hand to change the situation for the better. The OWASP Foundation is a not-for-profit entity that ensures the project's long-term success.

OWASP has over 130 local chapters around the world, including three in the UK.

OWASP's projects are widely referenced[6] by national and international legislation, standards, guidelines, committees and industry codes of practice. For example, the OWASP Guide to Building Secure Web Applications[7] and the OWASP Top Ten[8] are referred to in the Payment Card Industry Data Security Standard (PCI DSS)[9]. OWASP was shortlisted in 2009 for the best security initiative award in Nominet's Best Practice Challenge[10].

OWASP has previously provided responses to DPC (Draft for Public Comment) BS 8878:2009 on Web Accessibility, the Digital Britain Interim Report, DPC BS 10012, and many draft international standards and guides[11] relating to web application security.

References


Note: OWASP does not endorse commercial products or services.

1. Open Web Application Security Project (OWASP)
   http://www.owasp.org

2. OWASP Global Industry Committee
   http://www.owasp.org/index.php/Global_Industry_Committee

3. OWASP Leeds Chapter
   http://www.owasp.org/index.php/Leeds_UK

4. OWASP London Chapter
   http://www.owasp.org/index.php/London

5. OWASP Scotland Chapter
   http://www.owasp.org/index.php/Scotland

6. OWASP Citations
   http://www.owasp.org/index.php/Industry:Citations

7. Guide to Building Secure Web Applications, OWASP
   http://www.owasp.org/index.php/Category:OWASP_Guide_Project

8. Top Ten Project, OWASP
   http://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project

9. Payment Card Industry Data Security Standard (PCI DSS) v1.2
   https://www.pcisecuritystandards.org/security_standards/pci_dss.shtml

10. Best Practice Challenge 2009 Winners Brochure
   http://www.nominet.org.uk/digitalAssets/40377_BestPracticeChallenge_winners2009.pdf

11. Completed work, Global Industry Committee, OWASP
   http://www.owasp.org/index.php/Global_Industry_Committee#Completed_Items


