Wednesday, May 14, 2014

PRESENTATION OF THE OWASP LABELING SECURITY SYSTEM PROJECT


Security is invisible, and the OWASP foundation has the purpose of making security visible”. That was the first thing I read about OWASP when I was invited to talk about license contracts and security at an OWASP local chapter conference. While listening an OWASP Top Ten conference, my first concern was about how making security visible for non technical users. Secure coding is not visible for users, unless they have the skills to understand Java, PHP, Java script, Ajax, HTML, and so on.

So I thought about creating a Labeling Security System for making security visible for Users. My peers thought it was a good idea, because users could just read a Labeling logo, and know what it represents in terms of security, GREAT. When I proposed the project to OWASP, I found out that Jeff Williams proposed something similar years ago. That encouraged my research.
The system should be transversal, market wise, and it could be based on other OWASP security projects. These are the labels:

1.Security (secure coding). This label is for technical security in Applications. Using recommended guides(such as OWASP top ten) and tools(such as ZAP or Dependency Check) for developing and maintaining the Application secure.

2.Privacy (Trust). This label is for increasing User's trust on software providers. Software should come free of non authorized spyware, and it should process personal data in an “ethical” way.

3. Ingredients (Transparency). This a label for Open source software. Software components (including third party code) should come in a human readable file, so users know what they are installing.

4. Openness(Open security). This is a label for Web applications. Web applications could make available their last vulnerability scan report.
The 4 labels are independent, as they confront different(but related) security issues. Each one comes with a label clause, to be added into the license agreement(if source code or binaries), or the Terms of service(if Web applications, cloud services). By clicking the logo, the users would connect to a database in the OWASP Security labeling system Server, confirming the authenticity and reliability of the Web application(or computer program) suscription.
However, I found 3 issues in the opinion polls. I am working on those issues: 
 
(1) Developers don't want to have a bad security ranking label on their product(security label). There is not ranking. The only ranking is 'good enough'.

(2) Developers disclaim liability in their license agreements. There is not liability by default. You are just responsible of what you have offered, and you are not offering 100% security because that is not possible. Therefore, you can still disclaim direct and indirect damages.

(3) Most IT administrators would not publish their own web application vulnerabilities(openness label). This condition is not in real time. You could publish your vulnerability reports after you have fixed the Application problems. However, if the reports meet a time criteria, (such as weekly), users can know that at least the web application is maintained and fixed on a regular basis.

This is the challenge, and I invite you all to join this project. The Security Labeling system is FREE and OPEN. Let's make the Security VISIBLE for all (including USERS).

Luis Enriquez