OWASP Brasil Manifesto/en
Web Security - A Window of Opportunity
An open letter from OWASP Brazil to the Brazilian Government
OWASP (Open Web Application Security Project) is a global and open community focused on improving the security of software systems and has chapters in several Brazilian cities. This document presents the vision of the Brazilian OWASP community on how the Brazilian government can act to improve security on the Internet.
In this paper, we present suggestions and recommendations regarding public policy, legislation and other activities that we believe could contribute to improving the security environment in the Brazilian Internet.
The recommendations are divided according to the focus of each agency:
- consumer protection bodies
- control and audit bodies
- teaching and research institutions
- all public bodies
The recommendations do not have dependencies on each other, but we believe that maximum efficiency occurs with the implementation of all recommendations. Improving security in the Brazilian Internet could bring several advantages for the country, such as the attraction of investment, training of the workforce and the development of an industry capable of exporting products and services with high added value.
Brazilian experts that participate in OWASP are willing to contribute to the country to move in the right direction and may serve as an advisory body or liaison with foreign experts if necessary. The OWASP non-profit and all specialists involved are volunteers.
This section is highly dependent on the local reality and should be adapted for each geographic region. The text below shows an example written for the Brazilian reality.
The Internet is now a reality in the lives of most people, as shown by the statistics on numbers of users. IBGE indicated that in 2009 27.4% of Brazilian households had Internet access and 67.9 million people were Internet users in the same year. The surveys also indicate rapid growth in the number of Internet users, with an increase of 112.9% between 2005 and 2009.
The methods of Internet access have also diversified and now include everything from traditional telecenters and cybercafes to access via cellular phones, as well as dial-up and broadband. Thus, the range of users goes from the casual user who accesses the Internet from a public computer to "always connected" users, who access it from a computer or cell phone at all times and wherever they are.
Whatever the frequency or access method, it is undeniable that the Internet is now part of everyday life. Companies also increasingly rely on the Internet as a business tool. Even disregarding businesses that exist solely on the Internet, today it is very difficult to find any organization that does not rely on the Internet in some way. With the advent of electronic invoicing, the Internet gains even greater importance in day-to-day business.
The Brazilian government has also invested in e-gov (electronic government) strategies, which consist of providing services to the population via the Internet. The most important example in this area is, without doubt, the individual income tax return, which from 2011 on is accepted only in electronic format. Another example is the large-scale SISU, the Unified Selection System of the Ministry of Education. Other services, while not offered over the Internet, have similar characteristics and could bring the country to a halt if they failed, such as the Brazilian Payment System (SPB), maintained by the Central Bank.
The Judiciary is also making strides in computerization and in the use of the Internet to provide services to citizens. Examples are the widespread use of electronic court proceedings and the monitoring of judicial processes over the web. Many courts are studying ways to allow documents to be filed and proceedings to be opened by electronic means, especially via the Internet.
In communications, the Internet has also been incorporated into, and has changed, the routine of millions of people. E-mail is almost as popular as the telephone. Instant messaging systems, such as MSN Messenger or Google Talk, are used by most of the population as tools for work or for leisure. Social networks like Facebook, Orkut or Twitter are a reality in the lives of individuals and companies and are gaining importance as tools for community building and also for business.
Although it is becoming essential to society, the Internet is inherently an insecure infrastructure. Designed in the 1960s to withstand a nuclear attack, the Internet is able to continue operating even if a disaster occurs in the network. However, this infrastructure depends on a number of computer programs, called software. It is software that defines the rules for the operation of computers, routers and other components of the World Network. As in all human activity, software development is prone to errors. Mistakes in software can lead to failures, including security breaches. Lawrence Lessig, a law professor at Harvard University, said that "Code is law", i.e., software is the law that governs the Internet. As a result, the "laws" governing the Internet are flawed, and these flaws can cause problems for the security of the network's users.
Flaws in Internet security are common and regularly make the news. There are several cases reported by the police of criminals who use the Internet to commit their crimes. In most cases, these crimes are possible because of an inadequate level of security in the systems involved. Bank fraud is perhaps the greatest example of the exploitation of security flaws, but other types of fraud involving sites and systems exist and can cause damage to the population.
The dependence of society on Internet services is such that the mere unavailability of some of these services (often caused by attackers using techniques that exploit security holes in the Internet infrastructure) is featured on the evening news, such as the unavailability of large government systems (Denatran, IRPF, SISU).
CERT.br, the Brazilian Centre for Studies, Response and Treatment of Security Incidents, is the agency of the Brazilian Internet Steering Committee that collects information on attacks on the Brazilian Internet. CERT.br statistics show that the number of attacks on Brazilian networks increased from 3,107 in 1999 to 358,343 in 2009, an increase of about 100 times in 10 years.
The state of Internet security is delicate and tends to worsen as society becomes increasingly dependent on this infrastructure. By analogy with the recent financial market crisis (the subprime crisis in the housing market), we have a vibrant ecosystem of applications and web sites whose foundation is not solid enough. The risk is real that the foundation of this ecosystem could collapse, as happened with the financial market, and the consequences could be devastating for the whole of society. As in the case of the financial markets, solidifying the infrastructure is important, and the cost is certainly lower than what a crisis would cost if we waited for it before acting.
Brazil was far less affected by the subprime crisis than other countries because it had already built a solid foundation for its financial market. It is time to learn from this experience and prepare ourselves well in other important sectors of our economy and our daily lives.
The OWASP Project
The OWASP (Open Web Application Security Project) is a global community, focused on improving software security. There are over 180 local OWASP chapters in all regions of the globe that bring together the world's leading experts in application security.
OWASP is an open community dedicated to enabling organizations to conceive, develop, acquire, operate and maintain systems that can be trusted. All OWASP tools, documents, forums and chapters are free and open to anyone interested in improving application security.
OWASP is a new type of organization. Our freedom from commercial pressures allows us to provide unbiased, practical, cost-effective advice on application security. OWASP is not affiliated with any technology company, while supporting the informed use of commercial security technology. Like many open-source software projects, OWASP produces many types of materials in a collaborative and open manner.
OWASP produces documents and tools that are important for maintaining the security of applications, and also promotes important conferences in this area. All OWASP projects are published under free software or Creative Commons licenses.
OWASP is a non-profit and its members participate in its activities voluntarily. All proceeds of the project come from donations and are used to support its activities and its infrastructure.
What can we do?
Given the importance of software in today's economy, it is imperative that governments act to develop a market capable of producing software whose security level is appropriate to its intended usage and the importance of the information it will process or store. In this section, we list some recommendations of what can be done to improve the prospects for software security.
We believe that the actions proposed here have the potential to improve the security of software systems used by millions of people and also to promote a thriving industry able to put our country among the world leaders, creating prosperity and economic growth.
The current software market provides incentives that emphasize functionality over security. As a result, everyone ends up suffering from the lack of security that is today's reality on the Internet. It is necessary that governments act to create incentives for the adoption of secure practices in system development and also hold accountable the people and organizations that do not properly address the security aspects of their applications.
Some suggested actions are:
Allow and encourage research on cyber attacks and defenses
Cybercrime legislation is needed, and OWASP's position is in favor of protection against illegal or harmful activities. However, OWASP recognizes that some initiatives to legislate on electronic crimes may also hamper legitimate activities and the much needed research that will allow us to correctly address security vulnerabilities.
We believe that legislation should focus on intent, criminalizing activities that aim to cause damage to society and enabling research activities that benefit society by creating knowledge crucial to the improvement of secure systems.
Require the publication of security assessments
Disseminating information about security vulnerabilities is essential to enable society to protect itself from attacks that exploit these flaws. Today we know that criminals involved in digital networks do exchange information and have ample access to descriptions of flaws and new attack techniques. In other words, criminals now have more access to information than the teams responsible for maintaining the security of network providers, companies or the government.
As with the aviation industry, where the failures are thoroughly investigated and the results of investigations are published, it is important that the flaws found in computer systems and the description of attacks suffered by organizations are widely disseminated, allowing the whole society to learn from the problems that occurred in order to evolve the security of systems on which we depend.
Create an agency to address the aspects of disclosure of security flaws
With the publication of laws requiring disclosure of security breaches, it is important to regulate this activity. We suggest the creation of a specialized government agency to regulate and manage the activities of exchanging information on security vulnerabilities in an ethical and responsible way, including the power to punish people and organizations that act in a manner harmful to society.
Require compliance with minimum security requirements in government contracts
The purchasing power of the State cannot be ignored and must be used in favor of society. With respect to software security, the government can set minimum security criteria and require qualification and the use of technical protections in systems provided to the government. An important aspect is the possibility of holding suppliers accountable in case of security failures in the systems they supply.
Make organizations which are not diligent about software security accountable
Just like government suppliers, all organizations must be legally responsible for the security of the systems they operate or sell. The legislation should provide for punishment of those organizations that fail to take adequate measures to ensure the security of their systems. The suppliers of the technologies used should also be liable.
Require that the government have access to security updates for all software during its lifetime
It is imperative that the systems used by public agencies are always updated with all the security fixes, so they are not affected by known vulnerabilities. Thus, legislation is needed to determine that the government must have access to security fixes for systems that it employs for the duration of the useful life of these systems and regardless of the existence of maintenance contracts.
Require open sourcing of applications used by the government and whose lifetime has expired
It is quite common for software manufacturers to restrict the lifetime of their systems, mainly because of the release of new versions of these systems. At the end of life of a software, manufacturers stop publishing updates and security fixes, which increases the risk of organizations still relying on these versions.
It is also quite common in government agencies to keep using systems that have been abandoned by manufacturers but that still meet the needs of the public administration. Allowing the government to protect itself in case of failures in these systems requires the creation of legislation to compel manufacturers to make available the source code for these systems so that the government is able to perform the necessary maintenance, since the manufacturer no longer maintains the system. The manufacturer may also choose to provide the most current version of the software, provided there is no cost to the government.
Eliminate software licenses which exempt manufacturers from liability for the security of their products
Many of the current software licenses restrict the liability of the manufacturer in case of software security flaws. It is important to have legislation that prevents a software manufacturer from avoiding liability for the safety and security of the products it sells.
To avoid distortions in the software market, manufacturers' liability may be limited to the amount paid.
For consumer protection agencies
Our understanding is that the protection of customer information is part of the necessary practices of consumer protection, as is the supply of systems free of defects, especially defects that may compromise the security of their users. Thus, consumer protection agencies can and should act to improve the security landscape for consumers.
We suggest the following actions:
Act to restrict the use of abusive software licenses
This action is similar and complementary to the item "Eliminate software licenses which exempt manufacturers from liability for the security of their products", described above.
Require manufacturers to disclose understandable information on the security level of their products or services
As with manufacturers of electrical and electronic goods that must disclose information on energy consumption of their products, consumers have the right to know about the characteristics and the level of security provided by the computer systems they use.
It is imperative to create a system that allows consumers to check the level of security a software product provides as part of their decision-making process. Such a system would reduce some of the perverse externalities of the software market and create incentives for software producers to enhance the security of their products.
In this item, it is possible to quote existing local consumer rights legislation regarding defects in acquired products.
Require an adequate level of security for systems that deal with private data
Many organizations collect private information from their clients during their business relationships, but do not always protect this information adequately. Thus, the definition of minimum procedures for the protection of information collected from consumers is required, and public or private organizations that do not adequately protect private information should be liable. Personal information leaks should be punishable and should be disclosed. In particular, all those potentially affected by a leak should be alerted to the fact and to its possible consequences.
Some places already have legislation on data leaks, and this item may be unnecessary there.
Define that consumers should be informed of all possible uses of data provided to systems or sites
Not only must organizations protect the data collected from consumers, but consumers should know all the possible uses of the information being collected. It is therefore necessary that all public and private organizations be obliged to disclose all possible uses of the data they collect, including future uses. Any change in data use policies must be communicated in advance and explicitly accepted by the affected consumers.
Some places already have legislation on this issue, and this item may be unnecessary there.
Establish software security awareness campaigns for consumers
In addition to actions that require software makers to act responsibly towards consumers, it is also important to teach users of computer systems about the risks of using these systems.
Just as it is important to make awareness campaigns for traffic safety or disease control, it is important to educate Internet users about the risks that come from an increasingly connected world. Campaigns should address topics such as the risks of entering personal data in unknown sites or the care that each person should have with their personal computer to prevent it from becoming a weapon in the hands of cybercriminals.
For oversight agencies
Auditing bodies can and should demand from sectors that they oversee the adoption of appropriate practices for application security. These bodies should establish regulations that favor the use of security techniques in software development. Thus, the suggested actions are:
Define clear responsibilities about application security
Every organization should be responsible for the security of its systems, and this responsibility should be clearly defined. Oversight bodies should, where possible, include the responsibility to maintain the security of information systems as part of their regulations. There must be provision for punishment in cases where systems lack adequate security.
Verify and audit to ensure that appropriate security practices are adopted
Whenever possible, audits or checks must include items to assess whether the best practices of application security were properly adopted. We believe that audits are an opportunity to improve the practices adopted by organizations, and oversight agencies should be prepared to require the maintenance of adequate levels of security in the auditee's systems.
There are some models that can guide the practices of system security audit such as the SSE-CMM (Systems Security Engineering Capability Maturity Model), OWASP ASVS (Application Security Verification Standard) or SAMM (Software Assurance Maturity Model).
Insert the security aspects of applications in regulations or recommendations
Many oversight agencies publish regulations or oversight recommendations for the sectors they regulate. It is important that these regulations or recommendations include application security aspects and clearly indicate the need to include security requirements in contracts with suppliers.
Facilitate the creation of an insurance market for security applications
As much as accountability for failing to maintain appropriate levels of security is important, it is also important to create an insurance market for application security.
An insurance market allows the transfer of part of the security risks to an insurer, while it tends to increase insurance costs for entities that do not have a proper treatment of the security aspects of their systems. Along with accountability mechanisms, a properly functioning insurance market produces strong incentives for organizations to increase their security level.
Require the use of encrypted connections (SSL) for web applications
Many of the attacks that exist today are only possible because some organizations do not use even the most basic security mechanisms available. One such mechanism is the SSL protocol, which encrypts the data transmitted between the browser and the web server, ensuring the confidentiality and authenticity of the information.
Thus, a simple and effective measure to improve the security of web systems is to require that data be transmitted securely over the Internet.
For research and teaching institutions
Training the workforce is essential to move any country forward in all areas closely linked to technology. To have a booming application security market, it is necessary to train an adequate number of experts in both the attack and defense aspects of this discipline. The training of an adequate workforce should happen through the inclusion of the security area in university curricula and also through the training of researchers able to build new techniques and methodologies to advance this field. Interaction between educational and research institutions and industry, for technology transfer and productization, is much needed.
The suggested actions for education and research institutions are:
Inclusion of application security best practices in course contents
It is essential that all information technology professionals are aware of basic security practices, and the inclusion of this content in university training is the best way to achieve this goal.
Students in primary and secondary schools must also learn about the dangers of the virtual world. At these education levels, the focus should be on the risks involved in using systems or websites like social networks or e-commerce sites. The ethical aspects of Internet use should also be emphasized.
Creation of advanced courses in the field
Besides the basic practices that must be known to all professionals, it is necessary to train specialists in software security for the country to develop a thriving security industry and to generate wealth.
To promote and fund application security research
Generating knowledge is also essential for a country to take world leadership in application security. And the only way to increase the generation of new knowledge is to promote and fund research in the area, whether undertaken by public or private institutions.
The promotion of knowledge and technology development in business is critical to a country's ability to create a market for application security products and to create advanced and innovative technologies.
To promote the training of professionals capable of acting with ethics and responsibility
The whole process of training undergraduates and researchers should prioritize the responsibility and ethical aspects of security. The ethics training must be an essential part of training these professionals.
For all public bodies
Any public agency may help to improve the current state of affairs by either doing awareness and training or by using its purchasing power to favor companies that treat adequately the security aspects of applications.
The suggested actions for all public organizations are:
Financing validations and security fixes for open source systems
Many government agencies use open source systems as part of their information technology infrastructures. It is therefore essential to these organizations that these open source systems are secure and reliable. Public agencies should invest in making security assessments of the open source systems they adopt, in developing fixes for the security flaws found in these systems and in responsible disclosure of flaws as well as fixes.
Thus, public agencies can better serve society due to the improved security of their own systems and third party systems.
Promote the use of application security technologies and methodologies
Each public agency should require and promote the use of technologies and methodologies for developing secure applications, both internally and by its suppliers.
It should be the responsibility of each agency to ensure that its systems have adequate security and that appropriate techniques are used in developing its computer systems.
Promote and enable security testing responsibly but openly
Security tests are a major tool for finding security holes in computer systems. Each public agency should establish a program that allows security researchers to conduct tests on its systems in order to locate flaws, and should repair the vulnerabilities found as soon as possible.
We emphasize that the tests should be done in an ethical and responsible way and should be seen as a form of collaboration to improve government systems. We believe that cybercriminals are already conducting their own covert testing of these systems, unlike legitimate researchers with good intentions. So, criminals have an advantage when it comes to the security of these systems. The best way to balance this dispute is to facilitate the work of researchers and security professionals in finding flaws and reporting them appropriately, instead of having these flaws used as currency in the digital underworld.
Promote awareness and training of managers about the challenges of web security
All public bodies should be concerned about the security of their systems and this concern should be part of the direction given by senior management of each government organization. It is therefore important that managers of all agencies participate in training and awareness sessions in this regard.
Competitive advantages for the country
The technology field is an economic activity with high added value and the ability to generate wealth for the country. With the support and leadership from the government, the country has the potential to become a world leader in application security, and may also generate revenue by exporting products and services with high added value and by creating new businesses.
Because it is a labor-intensive activity, there is also the possibility of creating jobs in the country for highly trained professionals. The existence of trained professionals in security also supports national sovereignty, since such knowledge is crucial in case of cyber-conflicts or electronic warfare.
The development of a field closely linked to information technology also has the potential to foster the development of related areas, increasing the country's technological capability.
The improvement of the online business environment tends to improve the country's international image, so that it begins to be considered a safe haven for business, both online and off. A favorable business environment may attract international investments, especially investments in businesses directly related to the Internet or enterprise software development.
How can OWASP help?
OWASP is an international community and brings together leading experts on the subject worldwide, including civil servants. All materials and systems developed by OWASP are freely available to the government to use as it deems most appropriate. The OWASP community can also help in developing materials or tools to meet the specific needs of government agencies.
The materials and guidelines developed by OWASP can be translated into any language in order to serve as a subsidy in developing legislation or regulations. OWASP has good practice guides and standards that can be used as input to the development of governmental documents in line with the best international practices.
The experts who participate in OWASP are willing to contribute to moving the country in the right direction and may serve as an advisory body or as a liaison with foreign experts if necessary. OWASP is a non-profit and all the specialists involved are volunteers.