Industry:Personal Information Online Code of Practice

From OWASP
Revision as of 02:47, 25 February 2010 by Clerkendweller (Talk | contribs)

Jump to: navigation, search


Return to Global Industry Committee

ACTIVITY IDENTIFICATION
Activity Name Draft Personal Information Online Code of Practice
Short Description Provide response to UK ICO "Personal Information Online Code of Practice"
Related Projects None
Email Contacts & Roles Primary
Yiannis Pavlosoglou
Secondary
Colin Watson
Mailing list
Please use the Industry Committee list
ACTIVITY SPECIFICS
Objectives
  • Review Draft CoP - in particular issues relating to web application security
  • Where appropriate, draft a response for submission
  • Submit the response as an official OWASP statement
Deadlines
  • 11 Dec 2009 - Circulate to OWASP UK chapters for comment
  • 1 Feb 2010 - Deadline for comments from OWASP lists
  • 22 Feb 2010 - Complete final draft response
  • 22 Feb 2010 - Submit for approval by Global Industry Committee and UK lists
  • 24 Feb 2010 - Submit to ICO
Status
  • Closed
Resources Consultation introduction

Consultation document

Submit comments via ICO Consultation Portal by 5 March 2010.


Submission Response (draft)

Section 7 - Data protection online

Question 3 (Are there any other specific issues relating to online security that you think it would be helpful for us to cover in the code?)

We recommend adding the following points:

  • Ensure that a Secure Development Life Cycle (SDLC) is in place.
  • During the analysis phase of the project, perform a threat analysis (or similar) to help determine the security requirements that must be met. The security requirements should cover the following types of issue:
    • Security architecture
    • Authentication
    • Session management
    • Access control
    • Input validation
    • Output encoding/escaping
    • Cryptography
    • Error handling and logging
    • Data protection
    • Communication security
    • HTTP security
    • Security configuration
    • Malicious code search
  • Secure coding practices should be in place during the development phase. These should reflect common risks such as those described in the OWASP Top Ten.
  • The testing phase should include an element of application security testing.
  • During the deployment phase the emphasis should be on security hardening of the application, database and infrastructure.


Section 10 - Operating internationally

Question 7 (Are there any other international issues you would like to see covered?)

The two sections boxed out with bullet point apply equally to design agencies, website developers, web programmers, contractors, hosting companies and other suppliers located in the UK - not just internationally.

We recommend adding the following points:

  • have a risk-based application security programme built into all stages of software (e.g. website) development practices
  • ensure all websites and related systems are developed securely to protect against security risks
  • build information security and privacy requirements into all contracts and agreements


Section 12 - General consultation questions

Question 16 (Is there any other relevant guidance that we should refer to?)

We recommend referencing the following OWASP documents relating to the development of secure websites and web services (web applications). These are all available free of charge on OWASP's wiki and as PDFs, or at cost from an online printer. OWASP does not endorse commercial products or services.

Software Assurance Maturity Model (SAMM)
An open framework to help organisations formulate and implement a strategy for software security that is tailored to the specific risks facing the organization.
http://www.opensamm.org/
Top Ten, OWASP
The OWASP Top Ten represents a broad consensus about what the most critical web application security flaws are.
http://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project
Guide to Building Secure Web Applications, OWASP
The Development Guide is aimed at architects, developers, consultants and auditors and is a comprehensive manual for designing, developing and deploying secure Web Applications and Web Services.
http://www.owasp.org/index.php/Category:OWASP_Guide_Project
Code Review Guide, OWASP
Guidance on identifying security flaws in web application source code.
http://www.owasp.org/index.php/Category:OWASP_Code_Review_Project
Testing Guide, OWASP
Web application security penetration testing guide describing techniques for testing the most common web application and web service security issues.
http://www.owasp.org/index.php/Category:OWASP_Testing_Project
Application Security Verification Standard (ASVS), OWASP
Structured security verification framework for web applications.
http://www.owasp.org/index.php/ASVS


Question 17 (Are there any further comments you wish to make?)

Response to the ICO on behalf of OWASP


  • The following text does not form part of OWASP's submission, but explains our background and therefore the context of our input.

This is an official response on behalf of the Open Web Application Security Project (OWASP)[1] prepared by UK members of OWASP's Global Industry Committee[2] in consultation with participants in the Leeds[3], London[4] and Scotland[5] chapters.

OWASP is pleased the ICO is providing guidance in this manner to UK organisations.

About OWASP


OWASP is a global open community dedicated to enabling organizations to develop, purchase, and maintain applications that can be trusted. OWASP builds documents, tools, teaching environments, guidelines, checklists, and other materials to help organisations improve their capability to produce secure code. All of the OWASP tools, documents, forums, and chapters are free and open to anyone interested in improving application security.

OWASP was formed in 2001, in an entirely organic fashion, when a group of security professionals came to realise how terribly insecure the way we develop our web applications was. The initial goal was deemed to be modest: write a guide for developers, which would document secure software development practices. While the initial effort was meant to last a few weeks, it came out to several hundred pages. When released, the OWASP Guide to Building Secure Web Applications was an instant success.

OWASP is a place where good people gather to help increase the awareness of the web application security problems in applications. It is a grass-roots effort, with the driving force being the people who are dealing with these problems every day, and wanting to lend a hand to change the situation for the better. The OWASP Foundation is a not-for-profit entity that ensures the project's long-term success and has over 130 local chapters around the world including three in the UK.

OWASP's projects are widely referenced[6] by national & international legislation, standards, guidelines, committees and industry codes of practice. For example, the OWASP Guide to Building Secure Web Applications[7] and OWASP Top Ten[8] are referred to in the Payment Card Industry Data Security Standard (PCI DSS)[9]. OWASP was shortlisted last year for the best security initiative award in Nominet's Best Practice Challenge[10].

OWASP has previously provided responses to DPC BS 8878:2009 on Web Accessibility, the Digital Britain Interim Report, DPC BS 10012, and many draft international standards and guides[11] relating to web application security.

References


1. Open Web Application Security Project (OWASP)
http://www.owasp.org
2. OWASP Global Industry Committee
http://www.owasp.org/index.php/Global_Industry_Committee
3. OWASP Leeds Chapter
http://www.owasp.org/index.php/Leeds_UK
4. OWASP London Chapter
http://www.owasp.org/index.php/London
5. OWASP Scotland Chapter
http://www.owasp.org/index.php/Scotland
6. OWASP Citations
http://www.owasp.org/index.php/Industry:Citations
7. Guide to Building Secure Web Applications, OWASP
http://www.owasp.org/index.php/Category:OWASP_Guide_Project
8. Top Ten Project, OWASP
http://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project
9. Payment Card Industry Data Security Standard (PCI DSS) v1.2
https://www.pcisecuritystandards.org/security_standards/pci_dss.shtml
10. Best Practice Challenge 2009 Winners Brochure
http://www.nominet.org.uk/digitalAssets/40377_BestPracticeChallenge_winners2009.pdf
11. Completed work, Global Industry Committee, OWASP
http://www.owasp.org/index.php/Global_Industry_Committee#Completed_Items



Return to Global Industry Committee