OWASP Brasil Manifesto/en
Web Security - A Window of Opportunity
A white paper from OWASP to Governments
The Open Web Application Security Project (OWASP) is a global and open community focused on improving the security of software systems and has chapters in cities around the world. This document presents the vision of the Brazilian OWASP community on how the governments can act to improve security on the Internet.
In this paper, we present suggestions and recommendations regarding public policy, legislation and other activities that we believe could contribute to improving the security of the Internet and related software applications.
The recommendations are divided according to the focus of each agency:
- consumer protection bodies
- control and audit bodies
- teaching and research institutions
- all public bodies
The recommendations do not have dependencies on each other, but we believe that maximum efficiency occurs with the implementation of all recommendations. Improving security in the local Internet could bring several advantages for the country, such as the attraction of investment, training of the workforce and the development of an industry capable of exporting products and services with high added value.
The experts that participate in OWASP are willing to contribute to the country, to help it move in the right direction and, for example, could serve as an advisory body or provide a channel for liaison with foreign experts if necessary. The OWASP organization is non-profit, and all specialists involved are volunteers.
The Internet is now a reality in the lives of most people, as shown by usage statistics. The Internet World Stats web site reports that about 80% of North Americans and 60% of Europeans are Internet users. The IWS also reports growth rates from 2010 to 2011 of more than 150% and 350% for North America and Europe respectively.
Internet access methods also have diversified and now include everything from traditional cybercafes to cell phones, including dialup and broadband. Thus, the range of users goes from the casual user who accesses from a public computer to "always connected" users, accessing the Internet using a computer or cell phone when and wherever they are.
Whatever the frequency or access method, it is undeniable that the Internet is now part of everyday life. Companies also increasingly rely on the Internet as a business tool. Even disregarding businesses that exist solely on the Internet, it is very difficult today to find an organization which does not rely on the Internet in some way.
Also, governments have invested in the use of electronic government (e-gov), involving strategies which provide services to the population via the Internet.
add e-gov examples here.
If seen as a communications tool, the Internet has included and also changed the routines of millions of people. E-mail is almost as popular as the telephone. Instant messaging systems, such as MSN Messenger or Google Talk, are used by most people for work or for leisure. Social networks like Facebook, Orkut and Twitter, are a reality in the lives of individuals and companies, and have gained importance as tools for community building as well as for business.
Although it is becoming essential to society, the Internet is inherently an insecure infrastructure. Designed in the 1960s to withstand a nuclear attack, the Internet is able to continue operating even if a disaster occurs in part of the network. However, this infrastructure depends on computer programs, called software. It is the software that defines the rules for the operation of computers, routers and other components of the worldwide network.
As in all human activity, software development is prone to errors. Mistakes in software can lead to failures, including security breaches. Laurence Lessig, a law professor at Harvard University, said that "Code is law", ie, the software is the law that governs the Internet. As a result, the "laws" governing the Internet are flawed and these flaws can cause problems for the security of the network users.
Flaws in Internet security are common and make the news almost daily. There are many examples reported by police of criminals who use the Internet to commit their crimes. In most cases, crimes are possible due to a lack of an adequate level of security in systems. Bank fraud is perhaps the greatest example of exploitation of security flaws, but other types of attacks against sites and systems exist and can cause damage to society.
The dependence of our society on Internet services is such that the mere unavailability of some of these services (often caused by bad guys using techniques that exploit security holes in Internet infrastructure) is featured on the evening news, as is the unavailability of well known web sites and networks such as Sony's Playstation network.
CERT/CC, the Computer Emergency Response Team, coordinates response to Internet related emergencies and attacks. The CERT statistics show that the number of catalogued vulnerabilities increased from 417 in 1999 to 7236 in 2007.
add local statistics here.
The state of Internet security is delicate and tends to worsen as society increases its dependency on this network and its applications. In an analogy with recent financial market crisis (subprime crisis in the housing market), we have a vibrant ecosystem of applications and Web sites whose base is not solid enough. The risk is real that the basis of this ecosystem can collapse, as happened with the financial markets, and the consequences could be devastating for society as a whole. As in the case of financial markets, securing the foundation is important and the cost is certainly lower than expected if there were a crisis before acting.
The Open Web Application Security Project
OWASP is a global community, focused on improving software security. There are over 180 local OWASP chapters in all regions of the globe that bring together the world's leading experts in application security.
OWASP is an open community dedicated to empowering organizations to be able to conceive, develop, acquire, operate and maintain systems that are reliable. All tools, documents, forums, and sections of OWASP are free and open to anyone interested in improving application security.
OWASP is a new type of organization. Its freedom from commercial pressures allows it to provide unbiased, practical, cost-effective advice on application security. OWASP is not affiliated with any technology company, while supporting the informed use of commercial security technology. As many open-source software projects, OWASP produces many types of materials in a collaborative and open manner.
The OWASP project has among its documents and important tools for maintaining the security of applications and also promotes important conferences in this area. All OWASP projects are published using free software or Creative Commons licenses.
OWASP is a non-profit and its members participate in its activities voluntarily. All proceeds of the project come from donations and are used to support its activities and its infrastructure.
What can we do?
Given the importance of software in today's economy, it is imperative that governments act to develop a market capable of producing software whose security level is appropriate to its intended usage and the importance of the information it will process or store. In this section, we list some recommendations of what can be done to improve the prospects for software security.
We believe that the actions proposed here have the potential to improve the security of software systems used by millions of people and also to promote a thriving industry able to put our country among the world leaders, creating prosperity and economic growth.
The current software market provides incentives that emphasize functionality over security. As a result, everyone ends up suffering from the lack of security that is today's reality of the Internet. It is necessary that governments acts to create incentives for the adoption of safe practices in system development and also make accountable the people and organizations that do not properly address the security aspects of their applications.
Some suggested actions are:
Allow and encourage research on cyber attacks and defenses
Cyber crime legislation is needed and OWASP's position is the protection of illegal or harmful activities. However, OWASP realizes that some initiatives to legislate about electronic crimes may also hamper legitimate activities and the much needed research that will allow us to correctly address security vulnerabilities.
We believe that legislation should focus on intent, criminalizing activities that aim to cause damage to society and enabling research activities that benefit society by creating knowledge crucial to the improvement of secure systems.
Require the publication of security assessments
Disseminating information about security vulnerabilities is essential to enable society to protect itself from attacks that exploit these faults. Today we know that criminals involved in digital networks do exchange information and have ample access to descriptions of failures and new attack techniques. In other words, criminals now have more access to information than the teams responsible for maintaining the security of network providers, companies or the government.
As with the aviation industry, where the failures are thoroughly investigated and the results of investigations are published, it is important that the flaws found in computer systems and the description of attacks suffered by organizations are widely disseminated, allowing the whole society to learn from the problems that occurred in order to evolve the security of systems on which we depend.
Create an agency to address the aspects of disclosure of security flaws
With the publication of laws requiring disclosure of security breaches, it is important to regulate this activity. We suggest the creation of a specialized government agency to regulate and manage the activities of exchanging information on security vulnerabilities in an ethical and responsible way, including the power to punish people and organizations that act in a manner harmful to society.
Require compliance with minimum security requirements in government contracts
The purchasing power of government can not be ignored and must be used in favor of society. In the context of software security, the government can set minimum security criteria and require qualification and use of technical protections in systems provided to the government. An important aspect is the possibility of holding suppliers accountable in case of failures in security.
Make organizations which are not diligent about software security accountable
Like other government suppliers, all organizations must be legally responsible for the security of systems that operate or sell. The legislation should provide for penalties to those organizations that fail to take adequate measures to ensure the security of their systems. The suppliers of the technologies used should also be liable.
Require that the government have access to security updates for all software during its lifetime
It is imperative that the systems used by public agencies are always updated with all the security fixes, so they are not affected by known vulnerabilities. Thus, legislation is needed to determine that the government must have access to security fixes for systems that it employs for the duration of the useful life of these systems and regardless of the existence of maintenance contracts.
Require open sourcing of applications used by the government and whose lifetime has expired
It is quite common for software manufacturers to restrict the lifetime of their systems, mainly because of the release of new versions of these systems. At the end of its life, software manufacturers often stop publishing updates and security fixes, which increases the risk to organizations still relying on these versions.
It is also quite common in government agencies to keep using systems that have been long-abandoned by manufacturers but that still meet the needs of the public administration. Allowing the government to protect itself in case of failures in these systems requires the creation of legislation to compel manufacturers to make available the source code for these systems so that the government is able to perform the necessary maintenance, since the manufacturer no longer maintains the system. The manufacturer may also choose to provide the most current version of the software, provided there is no cost to the government.
Eliminate software licenses which exempt manufacturers from liability for the security of their products
Many current software licenses restrict the liability of the manufacturer in case of software security flaws. It is important to have legislation that prevents a software manufacturer to avoid liability for the safety and security of the products it sells.
To avoid distortions in the software market, manufacturers' liability may be limited to the amount paid.
For consumer protection agencies
Our understanding is that the protection of customer information is part of the necessary consumer protection practices, as well as to supply systems free of defects, especially defects that may compromise the security of its users. Thus, consumer protection agencies can and should act to improve the security landscape for consumers.
We suggest the following actions:
Act to restrict the use of abusive software licenses
This action is similar and complementary to the item "Eliminate software licenses which exempt manufacturers from liability for the security of their products, " described above.
Require manufacturers to disclose understandable information on the security level of their products or services
As with manufacturers of electrical and electronic goods that must disclose information on energy consumption of their products, consumers have the right to know about the characteristics and the level of security provided by the computer systems they use.
It is imperative to create a system that allows consumers to check the level of security a software product provides as part of their decision-making process. Such a system would reduce some of the perverse externalities of the software market and create incentives for software producers to enhance the security of their products.
In this item, it is possible to quote existing local consumer rights legislation regarding defects in acquired products.
Require an adequate level of security for systems that deal with private data
Many organizations collect private information from their clients during their business relationships, but do not always protect this information adequately. Thus, the definition of minimum procedures for protection of information collected from consumers are required and public or private organizations that do not adequately protect personal information should be liable. Personal information leaks should be penalized and should be disclosed. In particular, all those individuals potentially affected by the leak should be alerted to the fact and its possible consequences.
Some places already have legislation on data leaks and this item may unnecessary.
Define that consumers should be informed of all possible uses of data provided to systems or sites
Not only must organizations protect the data collected from consumers, but consumers should know all the possible uses of the information being collected. It is therefore necessary that all public and private organizations are obligated to disclose all possible uses for the data they collect, including future uses. Any change in data use policies must be informed in advance and explicitly accepted by the affected consumers.
Some places already have legislation about this issue and this item may be unnecessary.
Establish software security awareness campaigns for consumers
In addition to actions that require software makers to act responsibly towards consumers, it is also important to teach users of computer systems about the risks of using these systems.
Just as it is important to make awareness campaigns for traffic safety or disease control, it is important to educate Internet users about the risks that come from an increasingly connected world. Campaigns should address topics such as the risks of entering personal data in unknown sites or the care that each person should have with their own computer device to prevent it from becoming a weapon in the hands of cybercriminals.
For oversight agencies
Auditing bodies can and should demand the adoption of appropriate practices for application security in sectors they oversee. These bodies should establish regulations that favor the use of security techniques in software development. Thus, the suggested actions are:
Define clear responsibilities about application security
Every organization should be responsible for the security of their systems and this should be clearly defined. Oversight bodies should, where possible, include the responsibility to maintain the security of information systems as part of their regulations. There must be provision for punishment in cases where there is adequate security systems.
Verify and audit to ensure that appropriate security practices are adopted
Whenever possible, audits or checks must include items to assess whether the best application security practices were properly adopted and implemented. We believe that audits are an opportunity to improve the practices adopted by organizations, and oversight agencies should be prepared to require the maintenance of adequate levels of security in the auditee's systems.
There are some models that can guide the practices of system security audit such as the SSE-CMM (Systems Security Engineering Capability Maturity Model), OWASP ASVS (Application Security Verification Standard) or SAMM (Software Assurance Maturity Model).
Insert the security aspects of applications in regulations or recommendations
Many oversight agencies publish regulations or oversight recommendations for the sectors they regulate. It is important that these regulations or recommendations include application security aspects and clearly indicate the need to include security requirements in contracts with suppliers.
Facilitate the creation of an insurance market for security applications
As much as accountability for failing to maintain appropriate levels of security is important, it is also important to create an insurance market for application security.
An insurance market allows the transfer of part of the security risks to an insurer, while it tends to increase insurance costs for entities that do not have a proper treatment of the security aspects of their systems. Along with accountability mechanisms, a properly functioning insurance market produces strong incentives for organizations to improve their security posture.
Requiring the use of encrypted connections (SSL) for web applications
Many attacks exist today are only possible because some organizations do not use even the most basic security mechanisms available. One such mechanism is the SSL protocol, which allows the encryption of data transmitted between the browser and web servers, ensuring the confidentiality and authenticity of information.
Thus, one simple measure to improve the security of web systems is to require that data must be transmitted securely over the Internet network.
For research and teaching institutions
Training the workforce is essential to move any country forward in all areas closely linked to technology. To have a prosperous application security market, it is necessary to train an adequate number of experts in both the attack and defense aspects of this discipline. Training should occur by the inclusion of the security area in the contents of the universities and also by the training of researchers able to build new techniques and methodologies to advance this field. The interaction of educational and research institutions with industry for technology transfer and productization is greatly needed.
The suggested actions for education and research institutions are:
Inclusion of application security best practices in course content
It is essential that all Information technology professionals are aware of basic security practices and the inclusion of such information in university training is the best way to achieve this goal.
Students in primary and secondary schools must also learn about the dangers of the virtual world. At these education levels, the focus should be on the risks involved in using systems or websites like social networks or e-commerce sites. The ethical aspects of Internet use should also be emphasized.
Creation of advanced courses in the field
Besides the basic practices that must be known by all professionals, it is necessary to train specialists in software security for the country to develop a thriving security industry and to generate wealth.
To promote and fund application security research
Generating knowledge is also essential for a country to take a world leadership role in application security. And the only way to increase the generation of new knowledge is to promote and fund research in the area, whether undertaken by public or private institutions.
The promotion of knowledge and technology development in business is critical to a country's ability to create a market in application security products and its ability to create advanced and innovative technologies.
To promote the training of professionals capable of acting with ethics and responsibility
The whole process of training undergraduates and researchers should prioritize the responsibility and ethical aspects of security. The ethics training must be an essential part of training these professionals.
For all public bodies
Any public agency may help to improve the current state of affairs by either undertaking awareness and training, or by using its purchasing power to favor companies that treat the security aspects of applications adequately.
The suggested actions for all public organizations are:
Financing validations and security fixes for open source systems
Many government agencies use open source systems as part of their information technology infrastructures. It is therefore essential to these organizations that open source systems are secure and reliable. Public agencies should invest in making security assessments of the open source systems they adopt, in publishing secure configurations, in developing fixes for the security flaws found in these systems and in responsible disclosure of flaws as well as fixes.
Thus, public agencies can better serve society due to the improved security of their own systems and third party systems.
Promote the use of application security technologies and methodologies
Each public agency should require and promote the use of technologies and methodologies for developing secure applications, both internally and by its suppliers.
It should be the responsibility of each agency ensure that their systems have adequate security and that appropriate techniques are used in developing their computer systems.
Promote and enable security testing responsibly but openly
Security tests are a major tool for finding security holes in computer systems. Each public agency should establish a program that allows security researchers to conduct tests on their systems in order to locate faults and should repair the vulnerabilities as soon as possible.
We emphasize that the tests should be done in an ethical and responsible way and should be seen as a form of collaboration to improve government systems. We believe that cybercriminals are already conducting their own undercover testing on these systems, unlike legitimate researchers with good intentions. So, criminals currently have an advantage. The best way to balance this dispute is to facilitate the work of researchers and security professionals to find faults and report them appropriately instead of having these faults used as a currency in the digital underworld.
Promote awareness and training of managers about the challenges of web security
All public bodies should be concerned about the security of their systems and this concern should be part of the direction given by senior management of each government organization. It is therefore important that managers of all agencies participate in appropriate training and awareness sessions.
Competitive advantages for the country
The technology field is an economic activity with high added value, and therefore has the ability to generate wealth for the country. With the support and leadership from the government, the country has the potential to become a world leader in application security, and may also generate revenue by exporting products and services with high added value and by creating new businesses.
Because it is a labor-intensive activity, there is also the possibility of creating jobs in the country for highly trained professionals. The existence of trained professionals in security also supports national sovereignty, since such knowledge is crucial in cyber-conflicts, cyber espionage and electronic warfare.
The development of this field closely linked to information technology also has the potential to foster the development of related areas, increasing the country's technological capability.
The improvement of the online business environment tends to improve the country's international image, so that it begins to be considered a safe haven for business, both online and off. A favorable business environment may attract international investment, especially investment in businesses directly related to the Internet or enterprise software development.
How can OWASP help?
OWASP is an international community and brings together leading experts on the subject worldwide, including civil servants. All materials and systems developed by OWASP are freely available to the government to use as it deems most appropriate. The OWASP community can also help in developing materials or tools to meet the specific needs of government agencies.
The materials and guidelines developed by OWASP can be translated into any language in order to serve as a subsidy in developing legislation or regulations. OWASP has good practice guides and standards that can be used as input to the development of governmental documents in line with the best international practices.
The experts that participate in OWASP are willing to contribute to make the country to move in the right direction and may serve as an advisory body or liaison with foreign experts if necessary. OWASP is a non-profit and all specialists involved are volunteers.