100 %
0 %
Information about Owasp_Security_Labeling_System

Published on March 14, 2014

Author: luisenriquezA

Source: slideshare.net


Luis Enriquez (IT/IP Lawyer. LLM, CEH, CHFI) luis.enriquez@owasp.org https://www.owasp.org/index.php/OWASP_Security_Labeling_System_Project

• In 2010, Jeff Williams proposed a wonderful idea: A labeling system for disclosing vulnerabilities in Software. It was a great dropped idea. You can get that presentation here: http://www.slideshare.net/DinisCruz/2010-11-owaspsoftwarelabels • After joining the OWASP community in my local chapter, I got a very similar idea. I wrote to Jeff, and we think we can revive it. PRESENTATION

• Luis Enriquez (IT Lawyer). • Jeff Williams (Security Expert). • Jorge Lara (Graphical dessigner). Would you like to join?? CONTRIBUTORS

• The labeling system is a technical and legal security program. It is composed by 4 badges: Security (Secure code), Privacy(Trust), Ingredients(Transparency), and Openness(Open security). • We need an attractive and easy going labeling system. Users will benefit because they want security, and to know what are they getting within a software. Developers will also benefit because OWASP labeled software would be preferred by users and other developers, in terms of technical and legal security. • We need transnational solutions. There are many jurisdictions, and applicable laws around the planet. The labeling system has to be transnational, so it can be easily applied. WHAT IS IT?

(1) Create and Distribute opinion polls to different sides involved in the IT environment. (such as software developers, e-commerce agents, IT security firms, Cyber communities, Internet rights Associations, lawyers, and of course, users). This stage has already begun, and results are helping us to shape the model. • (2) Create the most suitable methodology for the security labeling system. The labeling system provides 4 logos and 4 clauses (1 for each badge). • (3) Application of the labeling system. The OWASP labeling system volunteers will contribute to check that the system is working properly. The label can always be removed. ROAD MAP


• Security criterion label (S). Security starts with SECURE CODING, and secure maintenance. This label certifies that the software is 'good enough' because it follows good security practices in its development life cycle, regular updates, and so forth. 1. SECURITY LABEL(S)

• Inputs: OWASP projects and security guides. Such as OWASP Top Ten (scan policy), OWASP security coding principles, Open SAMM, and so on. • Inputs: Security Tools: Such as Zed Attack Proxy, SAINT, Dependency checker, and so on. • Implementation. Including the 'security clause' in the contract, license, or terms of use, and a report of all security guides, tools and standards used for security. 1. SECURITY LABEL(S)


• Privacy(P). Security is also about TRUST. This label certifies that your software does not come with non-authorized spyware, and web applications follow ethical principles of data protection 2. PRIVACY LABEL(P)

• Privacy is not possible without security. We are all concerned about security. Non authorized spyware is not ethical, and ilegal in most jurisdictions. • Privacy is about TRUST. Users should trust in the IT industry. Software 'hacked by default' harms the industry. • Purpose of this label. The software producer declares in their contract that the package does not come with non authorized spyware. • Implementation. Include the 'privacy clause' in your contract, license, terms of service, or privacy policy. Users must verify the hashsum of the packages. 2. PRIVACY LABEL(P)


• Ingredients(I). Security is also about TRANSPARENCY. It certifies that all the ingredients of a computer program or Web application, are disclosed to the public. 3. INGREDIENTS LABEL(I)

• Making software components public. This label certifies that the software reveals all its ingredients (eg. Shared libraries, APIs, plug-ins, and so on). It is very suitable for FOSS software. • Third party ingredients. With the ingredients label, it will be a lot easier to identify third party code. Identifying third party code will have a positive impact for developers and users in areas such as Warranties, contractual legal liability(if any), and Copyright licenses. • Easy Implementation. Including the 'ingredients clause' in the contract, license, or terms of use, and a report of all software components will be the only requirements. 3. INGREDIENTS LABEL(I)


• Openness(O). This label consists about the open disclosure of vulnerabilities of Web Applications Software, to the public. 4. OPENNESS LABEL(O)

• For the highest security. This label is dedicated to high security environments. Applications must be scanned in a regular basis (E.g. every week). The public would have access to the last vulnerability scanning report. • A fast security team. The security team will have to patch their vulnerabilities ( if any) before the next scanning date. • Implementation. Including the 'openness clause' in your contract, or terms of use, and a regular report of your application vulnerabilities to the public. 4.OPENNESS LABEL(O)

SPECIFICATIONS • Purpose of labels. Each label has its own purpose. There is not hierarchy between them. Any software or Web application can hold all of them, or just the ones they prefer. • A mutual compromise. Using the security labels means that there is a compromise between software developers and OWASP. The goals: SECURITY AND TRUST. • Prize of labels. In order to avoid unfair competition, labels would not have a prize. But donations are always welcome in order to cover logistic costs.

• Applying for a label. The applicant will submit a registration into the labeling system site. Download the required logo and the labeling contracting clause. The 'logo' must be copied into the software distribution(or web site). • About the Clauses. The contract clauses make official the compromise of the software developer with the users. They must be added to the contract, license, terms of use, or privacy policy. When software is copyrighted under public licenses, it could be added as an additional term, or a declaration distributed within the license. • Just an automated process? No. the OWASP project team volunteers can always verify if the provided information is real. Violations to the labeling system can be reported by users. • Specifications and Labels can change. This is an open project, so please take all these proposals just as a departure point. We need to get the best out of it, so we are searching for better and new ideas. SPECIFICATIONS

• If you want to become a team member, or just provide ideas and suggestions, please send them to: luis.enriquez@owasp.org • Or connect to our mailing list at: https://lists.owasp.org/mailman/listinfo/owasp_security_labeling_system_project Project Page: https://www.owasp.org/index.php/OWASP_Security_Labeling_System_Project FEEDBACK IS VERY IMPORTANT! GET INVOLVED

Add a comment

Related presentations

Related pages

OWASP Security Labeling System Project - OWASP

OWASP SECURITY LABELING SYSTEM. This Web Application is labeled under the OWASP security labeling system with the purpose of making security ...
Read more

Owasp_security_labeling_system_project Info Page

To see the collection of prior postings to the list, visit the Owasp_security_labeling_system_project Archives. Using Owasp_security ...
Read more

Projects/OWASP Security Labeling System Project

what is this project? Name: OWASP Security Labeling System Project Purpose: Creating a security labeling system for software and web applications This ...
Read more

Owasp_security_labeling_system_project Administrator ...

Important: From this point on, you must have cookies enabled in your browser, otherwise no administrative changes will take effect.
Read more

OWASP Security Labeling System Project

OWASP Security Labeling System Project: "Let's make security visible for USERS" Click here and join the project
Read more

OWASP Security Labeling System Poll

The Open Web Application Security Project (OWASP) is a 501c3 not-for-profit worldwide charitable organization focused on improving the security ...
Read more


THE OWASP SECURITY LABELING SYSTEM PROJECT. Let’s make security visible for everybody. OWASP was just the perfect environment for developing this legal ...
Read more


LEGAL REPRESENTATIVE: Jazz scales corporation. TYPE: Computer program. (Source code ) NAME: Jazz-Scales.zip. LABELS: FURTHER INFORMATION: SECURITY LABEL ...
Read more

Owasp Security | LinkedIn

View 384 Owasp Security posts, presentations, experts, and more. Get the professional knowledge you need on LinkedIn.
Read more

OWASP Statement on the Security of the Internet

OWASP Statement on the Security of the Internet The OWASP (Open Web Application Security Project, www.owasp.org ...
Read more