Difference between revisions of "OWASP Security Labeling System Project"

From OWASP
(Created page with ""(1) STAGE ONE: Determine the reasons to create the labeling system(you could add more, or send your comments about these reasons): - Security is invisible. We cannot know ...")
 
Line 1: Line 1:
"(1)  STAGE ONE: Determine the reasons to create the labeling system(you could add more, or send your comments about these reasons):
+
=Main=
  
- Security is invisible.  We cannot know if software is 'good enough' in terms of security. The user ( and  also the developer who uses  shared libraries, or  creates derived works) have technical and legal impediments in order to know about vulnerabilities and code bugs.  The security labels will make security visible.
+
<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div>
  
- In security there is not perfect, just “good enough”. We know that  software flaws and Vulnerabilities  will always exist.  But the label system could at least certify that certain application is  following basic security practices.
+
{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-
 +
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |
  
- Liability does not solve the problem.  Legal liability is not an alternative (unless the power of negotiation of the user is huge). All developers will always avoid including liability clauses in contracts.  Furthermore, it does not incentive development, and it is more likely that developers hide vulnerabilities instead of sharing them. A labeling system is the alternative.
+
==OWASP XXX==
  
- We need transnational solutions.   There are many jurisdictions, and applicable laws around the planet. The labeling system has to be transnational, so it can be easily applied.  
+
OWASP XXX is...
  
- We need an attractive and easy going label system. This is the key.  Users will benefit because they want security, and to know what components are they getting within a software. Developers will benefit because OWASP labeled software would be preferred by users in terms of security.
+
==Introduction==
  
(2) STAGE TWO: Choose the Sources for the labeling system:
+
Write a short introduction
  
-  Follow OWASP Top Ten.  The Top Ten project has been widely recognized,  and many developers are following it. If they applied it in their business, they can easily share their reports (through a confidence agreement if required) to the OWASP board. This interaction benefits both sides. It is a good basic departure point for the labeling system. 
 
  
-  Use of secure control programming interfaces.  We could use the OWASP Enterprise security APIs project.  The use of these interfaces could become another source for the labeling system. However, it would be crucial to finish the development of important ESAPIs for most popular environments, specially PHP.
 
  
-  Follow Security and verification standards.  Standards of Security analysis such as the OWASP ASVS standard project.  There is a lack of computer security standards (Do you  think the ISO/IEC 27034-1  could help to our labeling system?).
+
==Description==
+
-  Include security clauses in contracts?.  It would be great to include the legal framework. We could depart from the OWASP secure software contract annex as another source of our labeling system. However, I found a couple issues. (1) Clauses can be changed and adapted.  It would rarely be taken as a whole.  (2) Most contracts are not open to negotiation, and don't have a particular user (Think about an EULA).
+
I believe the solution would be to create a Soft Law instrument, something like 'the OWASP security software principles' (Soft law instruments such as the principles of the UNIDROIT in International commercial contracts), which includes all the principles and rules contained in the Software Contract Annex. It would be easier to just refer to all the OWASP principles including a Software security clause in the Contract.
+
  
(3) STAGE THREE: Application of the labeling system (How to make the labels. No graphics yet). We need ideas here. I am thinking about 4 different kinds of OWASP labels ( Please send your proposals). This is just an idea:
+
Write a description that is just a few paragraphs long
  
- Ingredients criterion label (I).  This label certifies that the software reveals all software components compiled in the binaries(if not FOSS) and used during development. (eg. Shared libraries, APIs, and so on).
 
  
- Security 'good enough' criterion label (S). This would be the standard certification label. This label certifies that the software is 'good enough' because follows good security practices in its development life cycle, updates and security patches.  
+
==Licensing==
 +
OWASP XXX is free to use. It is licensed under the http://creativecommons.org/licenses/by-sa/3.0/ Creative Commons Attribution-ShareAlike 3.0 license], so you can copy, distribute and transmit the work, and you can adapt it, and use it commercially, but all provided that you attribute the work and if you alter, transform, or build upon this work, you may distribute the resulting work only under the same or similar license to this one.
  
- Legal 'good enough' criterion label (L).  This is an additional label in case that the contract  includes  security software clauses following the OWASP principles.
 
  
- Disclosure of vulnerabilities criterion label (D). This label consists in the open disclosure of vulnerabilities of the software or Web Applications to the users.  Perhaps not many enterprises or web administrators will like to reveal their vulnerabilities. However, the proposal is interesting."
+
| valign="top"  style="padding-left:25px;width:200px;border-right: 1px dotted gray;padding-right:25px;" |
 +
 
 +
== What is XXX? ==
 +
 
 +
OWASP XXX provides:
 +
 
 +
* xxx
 +
* xxx
 +
 
 +
 
 +
== Presentation ==
 +
 
 +
Link to presentation
 +
 
 +
 
 +
 
 +
 
 +
== Project Leader ==
 +
 
 +
Project leader's name
 +
 
 +
 
 +
== Related Projects ==
 +
 
 +
* [[OWASP_CISO_Survey]]
 +
 
 +
 
 +
 
 +
| valign="top"  style="padding-left:25px;width:200px;" |
 +
 
 +
== Quick Download ==
 +
 
 +
* Link to page/download
 +
 
 +
 
 +
 
 +
== News and Events ==
 +
* [20 Nov 2013] News 2
 +
* [30 Sep 2013] News 1
 +
 
 +
 
 +
== In Print ==
 +
This project can be purchased as a print on demand book from Lulu.com
 +
 
 +
 
 +
==Classifications==
 +
 
 +
  {| width="200" cellpadding="2"
 +
  |-
 +
  | align="center" valign="top" width="50%" rowspan="2"| [[File:Owasp-incubator-trans-85.png|link=https://www.owasp.org/index.php/OWASP_Project_Stages#tab=Incubator_Projects]]
 +
  | align="center" valign="top" width="50%"| [[File:Owasp-builders-small.png|link=]] 
 +
  |-
 +
  | align="center" valign="top" width="50%"| [[File:Owasp-defenders-small.png|link=]]
 +
  |-
 +
  | colspan="2" align="center"  | [[File:Cc-button-y-sa-small.png|link=http://creativecommons.org/licenses/by-sa/3.0/]]
 +
  |-
 +
  | colspan="2" align="center"  | [[File:Project_Type_Files_CODE.jpg|link=]]
 +
  |}
 +
 
 +
|}
 +
 
 +
=FAQs=
 +
 
 +
; Q1
 +
: A1
 +
 
 +
; Q2
 +
: A2
 +
 
 +
= Acknowledgements =
 +
==Volunteers==
 +
XXX is developed by a worldwide team of volunteers. The primary contributors to date have been:
 +
 
 +
* xxx
 +
* xxx
 +
 
 +
==Others==
 +
* xxx
 +
* xxx
 +
 
 +
= Road Map and Getting Involved =
 +
As of XXX, the priorities are:
 +
* xxx
 +
* xxx
 +
* xxx
 +
 
 +
Involvement in the development and promotion of XXX is actively encouraged!
 +
You do not have to be a security expert in order to contribute.
 +
Some of the ways you can help:
 +
* xxx
 +
* xxx
 +
 
 +
 
 +
 
 +
=Project About=
 +
{{:Projects/OWASP_Security_Labeling_System_Project}} 
 +
 
 +
__NOTOC__ <headertabs />
 +
 
 +
[[Category:OWASP Project]]  [[Category:OWASP_Builders]] [[Category:OWASP_Defenders]]  [[Category:OWASP_Document]]
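Review bot: this revision drops the entire proposal (Stage One's reasons for a labeling system, Stage Two's sources, and Stage Three's four label criteria I, S, L and D) and replaces it with the unfilled OWASP project template, so the page loses its only substantive content while the "Write a short introduction" and "Write a description that is just a few paragraphs long" placeholders stay empty; the removed text belongs in the new ==Introduction== and ==Description== sections rather than being discarded. Two markup problems in the added lines: the licensing sentence is missing the opening bracket of its external link and should read `[http://creativecommons.org/licenses/by-sa/3.0/ Creative Commons Attribution-ShareAlike 3.0 license]`, otherwise the URL renders bare followed by a literal `]`; and the header div's inline style uses a comma in `border:0,margin:0` where CSS requires a semicolon, so the margin declaration is ignored.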

Revision as of 22:06, 2 December 2013


OWASP XXX

OWASP XXX is...

Introduction

Write a short introduction


Description

Write a description that is just a few paragraphs long


Licensing

OWASP XXX is free to use. It is licensed under the Creative Commons Attribution-ShareAlike 3.0 license (http://creativecommons.org/licenses/by-sa/3.0/), so you can copy, distribute and transmit the work, and you can adapt it, and use it commercially, but all provided that you attribute the work and if you alter, transform, or build upon this work, you may distribute the resulting work only under the same or similar license to this one.


What is XXX?

OWASP XXX provides:

  • xxx
  • xxx


Presentation

Link to presentation



Project Leader

Project leader's name


Related Projects


Quick Download

  • Link to page/download


News and Events

  • [20 Nov 2013] News 2
  • [30 Sep 2013] News 1


In Print

This project can be purchased as a print on demand book from Lulu.com


Classifications

[Classification badges: Incubator Project; Builders; Defenders; Creative Commons BY-SA; Project Type: Code]

Q1
A1
Q2
A2

Volunteers

XXX is developed by a worldwide team of volunteers. The primary contributors to date have been:

  • xxx
  • xxx

Others

  • xxx
  • xxx

As of XXX, the priorities are:

  • xxx
  • xxx
  • xxx

Involvement in the development and promotion of XXX is actively encouraged! You do not have to be a security expert in order to contribute. Some of the ways you can help:

  • xxx
  • xxx


PROJECT INFO
What does this OWASP project offer you?
RELEASE(S) INFO
What releases are available for this project?
what is this project?
Name: OWASP Security Labeling System Project
Purpose: Creating a security labeling system for software and web applications. This labeling system would be based on different criteria. It concerns technical and legal security. The original idea was proposed by Jeff Williams years ago.
License: Creative Commons Share Alike 3.0
who is working on this project?
Project Leader(s):
  • Luis Enriquez @
how can you learn more?
Project Pamphlet: Not Yet Created
Project Presentation:
Mailing list: Mailing List Archives
Project Roadmap: View
Key Contacts
  • Contact Luis Enriquez @ to contribute to this project
  • Contact Luis Enriquez @ to review or sponsor this project
  • Contact the GPC to report a problem or concern about this project or to update information.
current release
Not Yet Published
last reviewed release
Not Yet Reviewed

