Tuesday, 22 December 2009

Idea for OWASP Standard for public rating of a website's security profile

Jeff Williams had a great post following the discussion we had at TwitterLand (direct quote from Jeff's email):

I saw some twittering about this sort of thing over the weekend…

The basic idea is that we could create some OWASP standards around the way that companies allow their websites to be tested/scanned/reviewed and how they want to handle disclosure of issues that are discovered. Companies could choose the standard they want to follow and it would encourage people to make that choice explicit and public (visible).

We could do this pretty easily in the OWASP Legal Project – the way that Creative Commons defined some IP licenses and released them. I’m just not sure what the current practices are. Has anyone catalogued a list of companies with either testing or disclosure policies? See Microsoft policies.

Just as an off the top of the head brainstorm, what do you think of these?? Of course we’d have to specify these carefully and fully.
  • Full Disclosure – disclose anything you find
  • Responsible Disclosure – work with us please
  • Private Disclosure – send it to us and pray
  • No Disclosure – we will hunt you down and kill you
  • Fully Open – code review + test all you want
  • Open Code Review – we’ll let you review the source and test all you want**
  • Open Test – test with your account all you want
  • Staged Test – register and we’ll let you test on a non-production system
  • No Testing – you are an evil hacker
** Note: I have already drafted an “OWASP Open Code Review” license that grants people the rights they need to do a source code review without giving up ownership or other legal rights.

We could combine these into a few interesting combinations…
  • OWASP Open Security Program – Fully open review + full disclosure
  • OWASP Shared Security Program – Open testing + responsible disclosure
  • OWASP Private Security Program – Staged Testing + private disclosure
  • OWASP “Trust Us” Insecurity Program – No testing + no disclosure

Note that this is NOT a certification program. This is a way for companies to *declare* their approach to security. Your thoughts welcome…


Security Retentive said...

Despite how well intentioned, I can't imagine too many companies allowing testing on their actual site, rather than testing of their actual code.

And, I can't imagine standing up a demo site with full env. just for outsiders to security test. Lots of properties of applications are emergent based on the environment and exact configuration anyway.

I think that listing these almost as a hierarchy implies some value judgments, which I don't know are appropriate.

That said, I think you've gone a decent way towards categorizing the options here.

Sam Quigley said...

I have to agree with the first commenter: saying "test all you want" on a production system is crazy. Even if everything is done right, at least a few systems have to be of the "fail-closed" variety — account lockouts, e.g. And with fail-closed systems, testing == denial of service…

Actually, I think the same is true for "Open disclosure". A company would have to be crazy to choose that over "responsible disclosure": when could you possibly *want* vulns to be disclosed to the world before you find out about them?

If anything, it seems like the blue "Open" logo would really just signify that the security team hasn't thought things through enough.

On the other hand, I do think that there's room to certify and encourage sensible site security reporting policies; the CC or maybe OSI model could help here. There definitely aren't enough sites that state clearly how they will handle issues reported to them, so giving an OWASP gold star or whatever to the guys who do a good job might encourage more of it.