SlideShare a Scribd company logo

Owasp_Security_Labeling_System

Download as ODP, PDF
L
luisenriquezA
Technology
1 of 22
OWASP SECURITY LABELING SYSTEM PROJECT READ THE LABEL!
Luis Enriquez (IT/IP Lawyer. LLM, CEH, CHFI) luis.enriquez@owasp.org https://www.owasp.org/index.php/OWASP_Security_Labeling_System_Project
• In 2010, Jeff Williams proposed a wonderful idea: A labeling system for disclosing vulnerabilities in Software. It was a great dropped idea. You can get that presentation here: http://www.slideshare.net/DinisCruz/2010-11-owaspsoftwarelabels • After joining the OWASP community in my local chapter, I got a very similar idea. I wrote to Jeff, and we think we can revive it. PRESENTATION
• Luis Enriquez (IT Lawyer). • Jeff Williams (Security Expert). • Jorge Lara (Graphical dessigner). Would you like to join?? CONTRIBUTORS
• The labeling system is a legal security program with technical implications. It is integrated by 4 labels: Security (Secure code), Privacy(Trust), Ingredients(Transparency), and Openness(Open security). • We need an attractive and easy going labeling system. Users will benefit because they want security, and to know what are they getting within a software. Developers will also benefit because OWASP labeled software would be preferred by users and other developers, in terms of technical and legal security. • We need transnational solutions. There are many jurisdictions, and applicable laws around the planet. The labeling system has to be transnational, so it can be easily applied. WHAT IS IT?
• Security is invisible. We cannot know if any Application is 'good enough' in terms of security. The OWASP labels will make security visible. • In security there is not perfect, just “good enough”. Vulnerabilities will always exist. But the OWASP labeling system could at least certify that certain application is following basic security practices and respecting user's privacy. • Legal Liability 'by default' does not solve the problem. It does not incentive development, and it is more likely that developers hide vulnerabilities instead of sharing them. A labeling system is the alternative. WHY?
(1) Create and Distribute opinion polls to different sides involved in the IT environment. (such as software developers, e-commerce agents, IT security firms, Cyber communities, Internet rights Associations, lawyers, and of course, users). This stage has already begun, and results are helping us to shape the model. • (2) Create the most suitable methodology for the security labeling system. The labeling system provides 4 logos and 4 clauses (1 for each badge). They should be incorporated as a “license exception” before the copyright license or license terms(for public licenses), or included into the custom copyright licenses, custom license contracts, terms of service, or privacy policies. • (3) Application of the labeling system. The OWASP labeling system volunteers will contribute to check that the system is working properly. The label can always be removed. ROAD MAP
1. SECURITY LABEL(S)
• Security criterion label (S). Security starts with SECURE CODING, and secure maintenance. This label certifies that the software is 'good enough' because it follows good security practices in its development life cycle, regular updates, and so forth. 1. SECURITY LABEL(S)
• Inputs: OWASP projects and security guides. Such as OWASP Top Ten (scan policy), OWASP security coding principles, Open SAMM, and so on. • Inputs: Security Tools: Such as Zed Attack Proxy, SAINT, Dependency checker, and so on. • Implementation. Including the 'security clause' into your license contract, public license contract(as a 'license exception'), and a link to the report of all security guides, tools and standards used for security. 1. SECURITY LABEL(S)
2. PRIVACY LABEL(P)
• Privacy(P). Security is also about TRUST. This label certifies that your software does not come with non-authorized spyware, and web applications follow ethical principles of data protection. 2. PRIVACY LABEL(P)
• Privacy is not possible without security. We are all concerned about security. Non authorized spyware is not ethical, and ilegal in most jurisdictions. • Privacy is about TRUST. Users should trust in the IT industry. Software 'hacked by default' harms the industry. • Purpose of this label. The software producer declares in their contract that the package does not come with non authorized spyware. • Implementation. Include the 'privacy clause' in your license contract, public license(as a 'license exception'), terms of service, or privacy policy. Users must verify the hashsum of the packages. 2. PRIVACY LABEL(P)
3. INGREDIENTS LABEL (I)
• Ingredients(I). Security is also about TRANSPARENCY. It certifies that all the ingredients of a computer program or Web application, are disclosed to the public. 3. INGREDIENTS LABEL(I)
• Making software components public. This label certifies that the software reveals all its ingredients (eg. Shared libraries, APIs, plug-ins, and so on). It is very suitable for FOSS software. • Third party ingredients. With the ingredients label, it will be a lot easier to identify third party code. Identifying third party code will have a positive impact for developers and users in areas such as Warranties, contractual legal liability(if any), and Copyright licenses. • Easy Implementation. Including the 'ingredients clause' into your license contract, public license(as a 'license exception'), or terms of use, and a link to the report of all software components will be the only requirements. 3. INGREDIENTS LABEL(I)
4. OPENNESS LABEL(O)
• Openness(O). This label consists about the open disclosure of vulnerabilities of Web Applications Software, to the public. 4. OPENNESS LABEL(O)
• For the highest security. This label is dedicated to high security environments. Applications must be scanned in a regular basis (E.g. every week). The public would have access to the last vulnerability scanning report. • A fast security team. The security team will have to patch their vulnerabilities ( if any) before the next scanning date. • Implementation. Including the 'openness clause' into your license contract, or terms of use, and a regular report of your application vulnerabilities to the public. 4.OPENNESS LABEL(O)
SPECIFICATIONS • Purpose of labels. Each label has its own purpose. There is not hierarchy between them. Any software or Web application can hold all of them, or just the ones they prefer. • A mutual compromise. Using the security labels means that there is a compromise between software developers and OWASP. The goals: SECURITY, TRUST, TRANSPARENCY, AND OPENNESS. • Prize of labels. In order to avoid unfair competition, labels would not have a prize. But donations are always welcome in order to cover logistic costs.
• Applying for a label. The applicant will submit a registration into the labeling system site. Download the required logo and the labeling contracting clause. The 'logo' must be copied into the software distribution(or web site). • About the Clauses. The contract clauses make official the compromise of the software developer with the users. They must be added to the contract, license, terms of use, or privacy policy. When software is copyrighted under public licenses, it could be added as an additional term, or a declaration distributed within the license. • Just an automated process? No. the OWASP project team volunteers can always verify if the provided information is real. Violations to the labeling system can be reported by users. • Specifications and Labels can change. This is an open project, so please take all these proposals just as a departure point. We need to get the best out of it, so we are searching for better and new ideas. SPECIFICATIONS
• If you want to become a team member, or just provide ideas and suggestions, please send them to: luis.enriquez@owasp.org • Or connect to our mailing list at: https://lists.owasp.org/mailman/listinfo/owasp_security_labeling_system_project Project Page: https://www.owasp.org/index.php/OWASP_Security_Labeling_System_Project FEEDBACK IS VERY IMPORTANT! GET INVOLVED

Recommended

Secure SDLC in mobile software development.
Secure SDLC in mobile software development.Secure SDLC in mobile software development.
Secure SDLC in mobile software development.Mykhailo Antonishyn
 
Top 10 Software to Detect & Prevent Security Vulnerabilities from BlackHat US...
Top 10 Software to Detect & Prevent Security Vulnerabilities from BlackHat US...Top 10 Software to Detect & Prevent Security Vulnerabilities from BlackHat US...
Top 10 Software to Detect & Prevent Security Vulnerabilities from BlackHat US...Mobodexter
 
Matteo meucci Software Security - Napoli 10112016
Matteo meucci Software Security - Napoli 10112016Matteo meucci Software Security - Napoli 10112016
Matteo meucci Software Security - Napoli 10112016Minded Security
 
The road towards better automotive cybersecurity
The road towards better automotive cybersecurityThe road towards better automotive cybersecurity
The road towards better automotive cybersecurityRogue Wave Software
 
Threat Modeling for IoT Systems
Threat Modeling for IoT SystemsThreat Modeling for IoT Systems
Threat Modeling for IoT SystemsDenim Group
 
Apt sharing tisa protalk 2-2554
Apt sharing tisa protalk 2-2554Apt sharing tisa protalk 2-2554
Apt sharing tisa protalk 2-2554TISA
 
Application Security Testing(AST)
Application Security Testing(AST)Application Security Testing(AST)
Application Security Testing(AST)Arvind Bhardwaj [AB]
 
Application layer security protocol
Application layer security protocolApplication layer security protocol
Application layer security protocolKirti Ahirrao
 

Recommended

Secure SDLC in mobile software development.
Secure SDLC in mobile software development.Secure SDLC in mobile software development.
Secure SDLC in mobile software development.Mykhailo Antonishyn
 
Top 10 Software to Detect & Prevent Security Vulnerabilities from BlackHat US...
Top 10 Software to Detect & Prevent Security Vulnerabilities from BlackHat US...Top 10 Software to Detect & Prevent Security Vulnerabilities from BlackHat US...
Top 10 Software to Detect & Prevent Security Vulnerabilities from BlackHat US...Mobodexter
 
Matteo meucci Software Security - Napoli 10112016
Matteo meucci Software Security - Napoli 10112016Matteo meucci Software Security - Napoli 10112016
Matteo meucci Software Security - Napoli 10112016Minded Security
 
The road towards better automotive cybersecurity
The road towards better automotive cybersecurityThe road towards better automotive cybersecurity
The road towards better automotive cybersecurityRogue Wave Software
 
Threat Modeling for IoT Systems
Threat Modeling for IoT SystemsThreat Modeling for IoT Systems
Threat Modeling for IoT SystemsDenim Group
 
Apt sharing tisa protalk 2-2554
Apt sharing tisa protalk 2-2554Apt sharing tisa protalk 2-2554
Apt sharing tisa protalk 2-2554TISA
 
Application Security Testing(AST)
Application Security Testing(AST)Application Security Testing(AST)
Application Security Testing(AST)Arvind Bhardwaj [AB]
 
Application layer security protocol
Application layer security protocolApplication layer security protocol
Application layer security protocolKirti Ahirrao
 
Opensource Presentation
Opensource PresentationOpensource Presentation
Opensource PresentationSarah Cortes
 
Secure Coding 2013
Secure Coding 2013 Secure Coding 2013
Secure Coding 2013 The eCore Group
 
Cyber security series Application Security
Cyber security series Application SecurityCyber security series Application Security
Cyber security series Application SecurityJim Kaplan CIA CFE
 
Penetration Testing Tutorial | Penetration Testing Tools | Cyber Security Tra...
Penetration Testing Tutorial | Penetration Testing Tools | Cyber Security Tra...Penetration Testing Tutorial | Penetration Testing Tools | Cyber Security Tra...
Penetration Testing Tutorial | Penetration Testing Tools | Cyber Security Tra...Edureka!
 
Leveraging Open Source Opportunity in the Public Sector Without the Risk
Leveraging Open Source Opportunity in the Public Sector Without the RiskLeveraging Open Source Opportunity in the Public Sector Without the Risk
Leveraging Open Source Opportunity in the Public Sector Without the RiskProtecode
 
Leveraging Open Source Opportunity in the Public Sector Without the Risk
Leveraging Open Source Opportunity in the Public Sector Without the RiskLeveraging Open Source Opportunity in the Public Sector Without the Risk
Leveraging Open Source Opportunity in the Public Sector Without the RiskSource Code Control Limited
 
Security Testing In The Secured World
Security Testing In The Secured WorldSecurity Testing In The Secured World
Security Testing In The Secured WorldJennifer Mary
 
Security Culture from Concept to Maintenance: Secure Software Development Lif...
Security Culture from Concept to Maintenance: Secure Software Development Lif...Security Culture from Concept to Maintenance: Secure Software Development Lif...
Security Culture from Concept to Maintenance: Secure Software Development Lif...Dilum Bandara
 
Intrusion Detection Systems By Anamoly-Based Using Neural Network
Intrusion Detection Systems By Anamoly-Based Using Neural NetworkIntrusion Detection Systems By Anamoly-Based Using Neural Network
Intrusion Detection Systems By Anamoly-Based Using Neural NetworkIOSR Journals
 
Preventing Code Leaks & Other Critical Security Risks from Code
Preventing Code Leaks & Other Critical Security Risks from CodePreventing Code Leaks & Other Critical Security Risks from Code
Preventing Code Leaks & Other Critical Security Risks from CodeDevOps.com
 
A Career in Cybersecurity
A Career in CybersecurityA Career in Cybersecurity
A Career in Cybersecuritylfh663
 
Crafting Super-Powered Risk Assessments by Digital Defense Inc & Veracode
Crafting Super-Powered Risk Assessments by Digital Defense Inc & VeracodeCrafting Super-Powered Risk Assessments by Digital Defense Inc & Veracode
Crafting Super-Powered Risk Assessments by Digital Defense Inc & VeracodeDigital Defense Inc
 
Testingfor Sw Security
Testingfor Sw SecurityTestingfor Sw Security
Testingfor Sw Securityankitmehta21
 
Penetration testing & Ethical Hacking
Penetration testing & Ethical HackingPenetration testing & Ethical Hacking
Penetration testing & Ethical HackingS.E. CTS CERT-GOV-MD
 
VAPT Services by prime
VAPT Services by primeVAPT Services by prime
VAPT Services by primePrime Infoserv
 
Security Testing for Test Professionals
Security Testing for Test ProfessionalsSecurity Testing for Test Professionals
Security Testing for Test ProfessionalsTechWell
 
Tirano_Graham_Resume
Tirano_Graham_ResumeTirano_Graham_Resume
Tirano_Graham_ResumeTirano Graham
 
What is Penetration Testing?
What is Penetration Testing?What is Penetration Testing?
What is Penetration Testing?btpsec
 
Penetration testing reporting and methodology
Penetration testing reporting and methodologyPenetration testing reporting and methodology
Penetration testing reporting and methodologyRashad Aliyev
 
New Paradigms for the Next Era of Security
New Paradigms for the Next Era of SecurityNew Paradigms for the Next Era of Security
New Paradigms for the Next Era of SecuritySounil Yu
 
Managing the Software Supply Chain: Policies that Promote Innovation While Op...
Managing the Software Supply Chain: Policies that Promote Innovation While Op...Managing the Software Supply Chain: Policies that Promote Innovation While Op...
Managing the Software Supply Chain: Policies that Promote Innovation While Op...FINOS
 
Lawyers and Licenses in Open Source-based Development: How to Protect Your So...
Lawyers and Licenses in Open Source-based Development: How to Protect Your So...Lawyers and Licenses in Open Source-based Development: How to Protect Your So...
Lawyers and Licenses in Open Source-based Development: How to Protect Your So...Sonatype
 

More Related Content

What's hot

Opensource Presentation
Opensource PresentationOpensource Presentation
Opensource PresentationSarah Cortes
 
Cyber security series Application Security
Cyber security series Application SecurityCyber security series Application Security
Cyber security series Application SecurityJim Kaplan CIA CFE
 
Penetration Testing Tutorial | Penetration Testing Tools | Cyber Security Tra...
Penetration Testing Tutorial | Penetration Testing Tools | Cyber Security Tra...Penetration Testing Tutorial | Penetration Testing Tools | Cyber Security Tra...
Penetration Testing Tutorial | Penetration Testing Tools | Cyber Security Tra...Edureka!
 
Leveraging Open Source Opportunity in the Public Sector Without the Risk
Leveraging Open Source Opportunity in the Public Sector Without the RiskLeveraging Open Source Opportunity in the Public Sector Without the Risk
Leveraging Open Source Opportunity in the Public Sector Without the RiskProtecode
 
Leveraging Open Source Opportunity in the Public Sector Without the Risk
Leveraging Open Source Opportunity in the Public Sector Without the RiskLeveraging Open Source Opportunity in the Public Sector Without the Risk
Leveraging Open Source Opportunity in the Public Sector Without the RiskSource Code Control Limited
 
Security Testing In The Secured World
Security Testing In The Secured WorldSecurity Testing In The Secured World
Security Testing In The Secured WorldJennifer Mary
 
Security Culture from Concept to Maintenance: Secure Software Development Lif...
Security Culture from Concept to Maintenance: Secure Software Development Lif...Security Culture from Concept to Maintenance: Secure Software Development Lif...
Security Culture from Concept to Maintenance: Secure Software Development Lif...Dilum Bandara
 
Intrusion Detection Systems By Anamoly-Based Using Neural Network
Intrusion Detection Systems By Anamoly-Based Using Neural NetworkIntrusion Detection Systems By Anamoly-Based Using Neural Network
Intrusion Detection Systems By Anamoly-Based Using Neural NetworkIOSR Journals
 
Preventing Code Leaks & Other Critical Security Risks from Code
Preventing Code Leaks & Other Critical Security Risks from CodePreventing Code Leaks & Other Critical Security Risks from Code
Preventing Code Leaks & Other Critical Security Risks from CodeDevOps.com
 
A Career in Cybersecurity
A Career in CybersecurityA Career in Cybersecurity
A Career in Cybersecuritylfh663
 
Crafting Super-Powered Risk Assessments by Digital Defense Inc & Veracode
Crafting Super-Powered Risk Assessments by Digital Defense Inc & VeracodeCrafting Super-Powered Risk Assessments by Digital Defense Inc & Veracode
Crafting Super-Powered Risk Assessments by Digital Defense Inc & VeracodeDigital Defense Inc
 
Testingfor Sw Security
Testingfor Sw SecurityTestingfor Sw Security
Testingfor Sw Securityankitmehta21
 
Penetration testing & Ethical Hacking
Penetration testing & Ethical HackingPenetration testing & Ethical Hacking
Penetration testing & Ethical HackingS.E. CTS CERT-GOV-MD
 
VAPT Services by prime
VAPT Services by primeVAPT Services by prime
VAPT Services by primePrime Infoserv
 
Security Testing for Test Professionals
Security Testing for Test ProfessionalsSecurity Testing for Test Professionals
Security Testing for Test ProfessionalsTechWell
 
Tirano_Graham_Resume
Tirano_Graham_ResumeTirano_Graham_Resume
Tirano_Graham_ResumeTirano Graham
 
What is Penetration Testing?
What is Penetration Testing?What is Penetration Testing?
What is Penetration Testing?btpsec
 
Penetration testing reporting and methodology
Penetration testing reporting and methodologyPenetration testing reporting and methodology
Penetration testing reporting and methodologyRashad Aliyev
 
New Paradigms for the Next Era of Security
New Paradigms for the Next Era of SecurityNew Paradigms for the Next Era of Security
New Paradigms for the Next Era of SecuritySounil Yu
 

What's hot (20)

Opensource Presentation
Opensource PresentationOpensource Presentation
Opensource Presentation
 
Secure Coding 2013
Secure Coding 2013 Secure Coding 2013
Secure Coding 2013
 
Cyber security series Application Security
Cyber security series Application SecurityCyber security series Application Security
Cyber security series Application Security
 
Penetration Testing Tutorial | Penetration Testing Tools | Cyber Security Tra...
Penetration Testing Tutorial | Penetration Testing Tools | Cyber Security Tra...Penetration Testing Tutorial | Penetration Testing Tools | Cyber Security Tra...
Penetration Testing Tutorial | Penetration Testing Tools | Cyber Security Tra...
 
Leveraging Open Source Opportunity in the Public Sector Without the Risk
Leveraging Open Source Opportunity in the Public Sector Without the RiskLeveraging Open Source Opportunity in the Public Sector Without the Risk
Leveraging Open Source Opportunity in the Public Sector Without the Risk
 
Leveraging Open Source Opportunity in the Public Sector Without the Risk
Leveraging Open Source Opportunity in the Public Sector Without the RiskLeveraging Open Source Opportunity in the Public Sector Without the Risk
Leveraging Open Source Opportunity in the Public Sector Without the Risk
 
Security Testing In The Secured World
Security Testing In The Secured WorldSecurity Testing In The Secured World
Security Testing In The Secured World
 
Security Culture from Concept to Maintenance: Secure Software Development Lif...
Security Culture from Concept to Maintenance: Secure Software Development Lif...Security Culture from Concept to Maintenance: Secure Software Development Lif...
Security Culture from Concept to Maintenance: Secure Software Development Lif...
 
Intrusion Detection Systems By Anamoly-Based Using Neural Network
Intrusion Detection Systems By Anamoly-Based Using Neural NetworkIntrusion Detection Systems By Anamoly-Based Using Neural Network
Intrusion Detection Systems By Anamoly-Based Using Neural Network
 
Preventing Code Leaks & Other Critical Security Risks from Code
Preventing Code Leaks & Other Critical Security Risks from CodePreventing Code Leaks & Other Critical Security Risks from Code
Preventing Code Leaks & Other Critical Security Risks from Code
 
A Career in Cybersecurity
A Career in CybersecurityA Career in Cybersecurity
A Career in Cybersecurity
 
Crafting Super-Powered Risk Assessments by Digital Defense Inc & Veracode
Crafting Super-Powered Risk Assessments by Digital Defense Inc & VeracodeCrafting Super-Powered Risk Assessments by Digital Defense Inc & Veracode
Crafting Super-Powered Risk Assessments by Digital Defense Inc & Veracode
 
Testingfor Sw Security
Testingfor Sw SecurityTestingfor Sw Security
Testingfor Sw Security
 
Penetration testing & Ethical Hacking
Penetration testing & Ethical HackingPenetration testing & Ethical Hacking
Penetration testing & Ethical Hacking
 
VAPT Services by prime
VAPT Services by primeVAPT Services by prime
VAPT Services by prime
 
Security Testing for Test Professionals
Security Testing for Test ProfessionalsSecurity Testing for Test Professionals
Security Testing for Test Professionals
 
Tirano_Graham_Resume
Tirano_Graham_ResumeTirano_Graham_Resume
Tirano_Graham_Resume
 
What is Penetration Testing?
What is Penetration Testing?What is Penetration Testing?
What is Penetration Testing?
 
Penetration testing reporting and methodology
Penetration testing reporting and methodologyPenetration testing reporting and methodology
Penetration testing reporting and methodology
 
New Paradigms for the Next Era of Security
New Paradigms for the Next Era of SecurityNew Paradigms for the Next Era of Security
New Paradigms for the Next Era of Security
 

Similar to Owasp_Security_Labeling_System

Managing the Software Supply Chain: Policies that Promote Innovation While Op...
Managing the Software Supply Chain: Policies that Promote Innovation While Op...Managing the Software Supply Chain: Policies that Promote Innovation While Op...
Managing the Software Supply Chain: Policies that Promote Innovation While Op...FINOS
 
Lawyers and Licenses in Open Source-based Development: How to Protect Your So...
Lawyers and Licenses in Open Source-based Development: How to Protect Your So...Lawyers and Licenses in Open Source-based Development: How to Protect Your So...
Lawyers and Licenses in Open Source-based Development: How to Protect Your So...Sonatype
 
Application Security Testing for Software Engineers: An approach to build sof...
Application Security Testing for Software Engineers: An approach to build sof...Application Security Testing for Software Engineers: An approach to build sof...
Application Security Testing for Software Engineers: An approach to build sof...Michael Hidalgo
 
Open Source Software: What Are Your Obligations?
Open Source Software: What Are Your Obligations? Open Source Software: What Are Your Obligations?
Open Source Software: What Are Your Obligations? Source Code Control Limited
 
DevOps and Open Source Software Continuous Compliance
DevOps and Open Source Software Continuous ComplianceDevOps and Open Source Software Continuous Compliance
DevOps and Open Source Software Continuous ComplianceSource Code Control Limited
 
OWASP Secure Coding Quick Reference Guide
OWASP Secure Coding Quick Reference GuideOWASP Secure Coding Quick Reference Guide
OWASP Secure Coding Quick Reference GuideAryan G
 
Open source technology
Open source technologyOpen source technology
Open source technologyRohit Kumar
 
Security Testing for Testing Professionals
Security Testing for Testing ProfessionalsSecurity Testing for Testing Professionals
Security Testing for Testing ProfessionalsTechWell
 
OWASP Secure Coding Practices - Quick Reference Guide
OWASP Secure Coding Practices - Quick Reference GuideOWASP Secure Coding Practices - Quick Reference Guide
OWASP Secure Coding Practices - Quick Reference GuideLudovic Petit
 
Manoj Purandare - Application Security - Secure Code Assessment Program - Pre...
Manoj Purandare - Application Security - Secure Code Assessment Program - Pre...Manoj Purandare - Application Security - Secure Code Assessment Program - Pre...
Manoj Purandare - Application Security - Secure Code Assessment Program - Pre...Manoj Purandare ☁
 
Manoj Purandare - Application Security - Secure Code Assessment Program - Pre...
Manoj Purandare - Application Security - Secure Code Assessment Program - Pre...Manoj Purandare - Application Security - Secure Code Assessment Program - Pre...
Manoj Purandare - Application Security - Secure Code Assessment Program - Pre...Manoj Purandare ☁
 
Manoj Purandare - Application Security - Secure Code Assessment Program - Pre...
Manoj Purandare - Application Security - Secure Code Assessment Program - Pre...Manoj Purandare - Application Security - Secure Code Assessment Program - Pre...
Manoj Purandare - Application Security - Secure Code Assessment Program - Pre...Manoj Purandare ☁
 
Shifting the conversation from active interception to proactive neutralization
Shifting the conversation from active interception to proactive neutralization Shifting the conversation from active interception to proactive neutralization
Shifting the conversation from active interception to proactive neutralization Rogue Wave Software
 
Anti spyware coalition definitions and supporting documents
Anti spyware coalition definitions and supporting documentsAnti spyware coalition definitions and supporting documents
Anti spyware coalition definitions and supporting documentsUltraUploader
 
Security Testing for Testing Professionals
Security Testing for Testing ProfessionalsSecurity Testing for Testing Professionals
Security Testing for Testing ProfessionalsTechWell
 
Owasp Summit - Wednesday evening briefing master
Owasp Summit - Wednesday evening briefing masterOwasp Summit - Wednesday evening briefing master
Owasp Summit - Wednesday evening briefing masterDinis Cruz
 
Security Testing for Test Professionals
Security Testing for Test ProfessionalsSecurity Testing for Test Professionals
Security Testing for Test ProfessionalsTechWell
 
Open soucre(cut shrt)
Open soucre(cut shrt)Open soucre(cut shrt)
Open soucre(cut shrt)Shivani Rai
 
Pitfalls of Software Licenses (2)
Pitfalls of Software Licenses (2)Pitfalls of Software Licenses (2)
Pitfalls of Software Licenses (2)ravimohan2
 
OSS has taken over the enterprise: The top five OSS trends of 2015
OSS has taken over the enterprise: The top five OSS trends of 2015OSS has taken over the enterprise: The top five OSS trends of 2015
OSS has taken over the enterprise: The top five OSS trends of 2015Rogue Wave Software
 

Similar to Owasp_Security_Labeling_System (20)

Managing the Software Supply Chain: Policies that Promote Innovation While Op...
Managing the Software Supply Chain: Policies that Promote Innovation While Op...Managing the Software Supply Chain: Policies that Promote Innovation While Op...
Managing the Software Supply Chain: Policies that Promote Innovation While Op...
 
Lawyers and Licenses in Open Source-based Development: How to Protect Your So...
Lawyers and Licenses in Open Source-based Development: How to Protect Your So...Lawyers and Licenses in Open Source-based Development: How to Protect Your So...
Lawyers and Licenses in Open Source-based Development: How to Protect Your So...
 
Application Security Testing for Software Engineers: An approach to build sof...
Application Security Testing for Software Engineers: An approach to build sof...Application Security Testing for Software Engineers: An approach to build sof...
Application Security Testing for Software Engineers: An approach to build sof...
 
Open Source Software: What Are Your Obligations?
Open Source Software: What Are Your Obligations? Open Source Software: What Are Your Obligations?
Open Source Software: What Are Your Obligations?
 
DevOps and Open Source Software Continuous Compliance
DevOps and Open Source Software Continuous ComplianceDevOps and Open Source Software Continuous Compliance
DevOps and Open Source Software Continuous Compliance
 
OWASP Secure Coding Quick Reference Guide
OWASP Secure Coding Quick Reference GuideOWASP Secure Coding Quick Reference Guide
OWASP Secure Coding Quick Reference Guide
 
Open source technology
Open source technologyOpen source technology
Open source technology
 
Security Testing for Testing Professionals
Security Testing for Testing ProfessionalsSecurity Testing for Testing Professionals
Security Testing for Testing Professionals
 
OWASP Secure Coding Practices - Quick Reference Guide
OWASP Secure Coding Practices - Quick Reference GuideOWASP Secure Coding Practices - Quick Reference Guide
OWASP Secure Coding Practices - Quick Reference Guide
 
Manoj Purandare - Application Security - Secure Code Assessment Program - Pre...
Manoj Purandare - Application Security - Secure Code Assessment Program - Pre...Manoj Purandare - Application Security - Secure Code Assessment Program - Pre...
Manoj Purandare - Application Security - Secure Code Assessment Program - Pre...
 
Manoj Purandare - Application Security - Secure Code Assessment Program - Pre...
Manoj Purandare - Application Security - Secure Code Assessment Program - Pre...Manoj Purandare - Application Security - Secure Code Assessment Program - Pre...
Manoj Purandare - Application Security - Secure Code Assessment Program - Pre...
 
Manoj Purandare - Application Security - Secure Code Assessment Program - Pre...
Manoj Purandare - Application Security - Secure Code Assessment Program - Pre...Manoj Purandare - Application Security - Secure Code Assessment Program - Pre...
Manoj Purandare - Application Security - Secure Code Assessment Program - Pre...
 
Shifting the conversation from active interception to proactive neutralization
Shifting the conversation from active interception to proactive neutralization Shifting the conversation from active interception to proactive neutralization
Shifting the conversation from active interception to proactive neutralization
 
Anti spyware coalition definitions and supporting documents
Anti spyware coalition definitions and supporting documentsAnti spyware coalition definitions and supporting documents
Anti spyware coalition definitions and supporting documents
 
Security Testing for Testing Professionals
Security Testing for Testing ProfessionalsSecurity Testing for Testing Professionals
Security Testing for Testing Professionals
 
Owasp Summit - Wednesday evening briefing master
Owasp Summit - Wednesday evening briefing masterOwasp Summit - Wednesday evening briefing master
Owasp Summit - Wednesday evening briefing master
 
Security Testing for Test Professionals
Security Testing for Test ProfessionalsSecurity Testing for Test Professionals
Security Testing for Test Professionals
 
Open soucre(cut shrt)
Open soucre(cut shrt)Open soucre(cut shrt)
Open soucre(cut shrt)
 
Pitfalls of Software Licenses (2)
Pitfalls of Software Licenses (2)Pitfalls of Software Licenses (2)
Pitfalls of Software Licenses (2)
 
OSS has taken over the enterprise: The top five OSS trends of 2015
OSS has taken over the enterprise: The top five OSS trends of 2015OSS has taken over the enterprise: The top five OSS trends of 2015
OSS has taken over the enterprise: The top five OSS trends of 2015
 

Recently uploaded

Anypoint Exchange: It’s Not Just a Repo!
Anypoint Exchange: It’s Not Just a Repo!Anypoint Exchange: It’s Not Just a Repo!
Anypoint Exchange: It’s Not Just a Repo!Manik S Magar
 
Powerpoint exploring the locations used in television show Time Clash
Powerpoint exploring the locations used in television show Time ClashPowerpoint exploring the locations used in television show Time Clash
Powerpoint exploring the locations used in television show Time Clashcharlottematthew16
 
Training state-of-the-art general text embedding
Training state-of-the-art general text embeddingTraining state-of-the-art general text embedding
Training state-of-the-art general text embeddingZilliz
 
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024BookNet Canada
 
"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii Soldatenko"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii SoldatenkoFwdays
 
Vertex AI Gemini Prompt Engineering Tips
Vertex AI Gemini Prompt Engineering TipsVertex AI Gemini Prompt Engineering Tips
Vertex AI Gemini Prompt Engineering TipsMiki Katsuragi
 
Unraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdfUnraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdfAlex Barbosa Coqueiro
 
Leverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage Cost
Leverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage CostLeverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage Cost
Leverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage CostZilliz
 
Developer Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQLDeveloper Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQLScyllaDB
 
Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?Mattias Andersson
 
WordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your BrandWordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your Brandgvaughan
 
Human Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR SystemsHuman Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR SystemsMark Billinghurst
 
Vector Databases 101 - An introduction to the world of Vector Databases
Vector Databases 101 - An introduction to the world of Vector DatabasesVector Databases 101 - An introduction to the world of Vector Databases
Vector Databases 101 - An introduction to the world of Vector DatabasesZilliz
 
Search Engine Optimization SEO PDF for 2024.pdf
Search Engine Optimization SEO PDF for 2024.pdfSearch Engine Optimization SEO PDF for 2024.pdf
Search Engine Optimization SEO PDF for 2024.pdfRankYa
 
Artificial intelligence in cctv survelliance.pptx
Artificial intelligence in cctv survelliance.pptxArtificial intelligence in cctv survelliance.pptx
Artificial intelligence in cctv survelliance.pptxhariprasad279825
 
"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr Bagan"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr BaganFwdays
 
CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):comworks
 
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)Mark Simos
 
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek SchlawackFwdays
 
My INSURER PTE LTD - Insurtech Innovation Award 2024
My INSURER PTE LTD - Insurtech Innovation Award 2024My INSURER PTE LTD - Insurtech Innovation Award 2024
My INSURER PTE LTD - Insurtech Innovation Award 2024The Digital Insurer
 

Recently uploaded (20)

Anypoint Exchange: It’s Not Just a Repo!
Anypoint Exchange: It’s Not Just a Repo!Anypoint Exchange: It’s Not Just a Repo!
Anypoint Exchange: It’s Not Just a Repo!
 
Powerpoint exploring the locations used in television show Time Clash
Powerpoint exploring the locations used in television show Time ClashPowerpoint exploring the locations used in television show Time Clash
Powerpoint exploring the locations used in television show Time Clash
 
Training state-of-the-art general text embedding
Training state-of-the-art general text embeddingTraining state-of-the-art general text embedding
Training state-of-the-art general text embedding
 
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
 
"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii Soldatenko"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii Soldatenko
 
Vertex AI Gemini Prompt Engineering Tips
Vertex AI Gemini Prompt Engineering TipsVertex AI Gemini Prompt Engineering Tips
Vertex AI Gemini Prompt Engineering Tips
 
Unraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdfUnraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdf
 
Leverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage Cost
Leverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage CostLeverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage Cost
Leverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage Cost
 
Developer Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQLDeveloper Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQL
 
Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?
 
WordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your BrandWordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your Brand
 
Human Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR SystemsHuman Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR Systems
 
Vector Databases 101 - An introduction to the world of Vector Databases
Vector Databases 101 - An introduction to the world of Vector DatabasesVector Databases 101 - An introduction to the world of Vector Databases
Vector Databases 101 - An introduction to the world of Vector Databases
 
Search Engine Optimization SEO PDF for 2024.pdf
Search Engine Optimization SEO PDF for 2024.pdfSearch Engine Optimization SEO PDF for 2024.pdf
Search Engine Optimization SEO PDF for 2024.pdf
 
Artificial intelligence in cctv survelliance.pptx
Artificial intelligence in cctv survelliance.pptxArtificial intelligence in cctv survelliance.pptx
Artificial intelligence in cctv survelliance.pptx
 
"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr Bagan"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr Bagan
 
CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):
 
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
 
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
 
My INSURER PTE LTD - Insurtech Innovation Award 2024
My INSURER PTE LTD - Insurtech Innovation Award 2024My INSURER PTE LTD - Insurtech Innovation Award 2024
My INSURER PTE LTD - Insurtech Innovation Award 2024
 

Owasp_Security_Labeling_System

  • 2. Luis Enriquez (IT/IP Lawyer. LLM, CEH, CHFI) luis.enriquez@owasp.org https://www.owasp.org/index.php/OWASP_Security_Labeling_System_Project
  • 3. • In 2010, Jeff Williams proposed a wonderful idea: A labeling system for disclosing vulnerabilities in Software. It was a great dropped idea. You can get that presentation here: http://www.slideshare.net/DinisCruz/2010-11-owaspsoftwarelabels • After joining the OWASP community in my local chapter, I got a very similar idea. I wrote to Jeff, and we think we can revive it. PRESENTATION
  • 4. • Luis Enriquez (IT Lawyer). • Jeff Williams (Security Expert). • Jorge Lara (Graphical dessigner). Would you like to join?? CONTRIBUTORS
  • 5. • The labeling system is a legal security program with technical implications. It is integrated by 4 labels: Security (Secure code), Privacy(Trust), Ingredients(Transparency), and Openness(Open security). • We need an attractive and easy going labeling system. Users will benefit because they want security, and to know what are they getting within a software. Developers will also benefit because OWASP labeled software would be preferred by users and other developers, in terms of technical and legal security. • We need transnational solutions. There are many jurisdictions, and applicable laws around the planet. The labeling system has to be transnational, so it can be easily applied. WHAT IS IT?
  • 6. • Security is invisible. We cannot know if any Application is 'good enough' in terms of security. The OWASP labels will make security visible. • In security there is not perfect, just “good enough”. Vulnerabilities will always exist. But the OWASP labeling system could at least certify that certain application is following basic security practices and respecting user's privacy. • Legal Liability 'by default' does not solve the problem. It does not incentive development, and it is more likely that developers hide vulnerabilities instead of sharing them. A labeling system is the alternative. WHY?
  • 7. (1) Create and Distribute opinion polls to different sides involved in the IT environment. (such as software developers, e-commerce agents, IT security firms, Cyber communities, Internet rights Associations, lawyers, and of course, users). This stage has already begun, and results are helping us to shape the model. • (2) Create the most suitable methodology for the security labeling system. The labeling system provides 4 logos and 4 clauses (1 for each badge). They should be incorporated as a “license exception” before the copyright license or license terms(for public licenses), or included into the custom copyright licenses, custom license contracts, terms of service, or privacy policies. • (3) Application of the labeling system. The OWASP labeling system volunteers will contribute to check that the system is working properly. The label can always be removed. ROAD MAP
  • 9. • Security criterion label (S). Security starts with SECURE CODING, and secure maintenance. This label certifies that the software is 'good enough' because it follows good security practices in its development life cycle, regular updates, and so forth. 1. SECURITY LABEL(S)
  • 10. • Inputs: OWASP projects and security guides. Such as OWASP Top Ten (scan policy), OWASP security coding principles, Open SAMM, and so on. • Inputs: Security Tools: Such as Zed Attack Proxy, SAINT, Dependency checker, and so on. • Implementation. Including the 'security clause' into your license contract, public license contract(as a 'license exception'), and a link to the report of all security guides, tools and standards used for security. 1. SECURITY LABEL(S)
  • 12. • Privacy(P). Security is also about TRUST. This label certifies that your software does not come with non-authorized spyware, and web applications follow ethical principles of data protection. 2. PRIVACY LABEL(P)
  • 13. • Privacy is not possible without security. We are all concerned about security. Non authorized spyware is not ethical, and ilegal in most jurisdictions. • Privacy is about TRUST. Users should trust in the IT industry. Software 'hacked by default' harms the industry. • Purpose of this label. The software producer declares in their contract that the package does not come with non authorized spyware. • Implementation. Include the 'privacy clause' in your license contract, public license(as a 'license exception'), terms of service, or privacy policy. Users must verify the hashsum of the packages. 2. PRIVACY LABEL(P)
  • 15. • Ingredients(I). Security is also about TRANSPARENCY. It certifies that all the ingredients of a computer program or Web application, are disclosed to the public. 3. INGREDIENTS LABEL(I)
  • 16. • Making software components public. This label certifies that the software reveals all its ingredients (eg. Shared libraries, APIs, plug-ins, and so on). It is very suitable for FOSS software. • Third party ingredients. With the ingredients label, it will be a lot easier to identify third party code. Identifying third party code will have a positive impact for developers and users in areas such as Warranties, contractual legal liability(if any), and Copyright licenses. • Easy Implementation. Including the 'ingredients clause' into your license contract, public license(as a 'license exception'), or terms of use, and a link to the report of all software components will be the only requirements. 3. INGREDIENTS LABEL(I)
  • 18. • Openness(O). This label consists about the open disclosure of vulnerabilities of Web Applications Software, to the public. 4. OPENNESS LABEL(O)
  • 19. • For the highest security. This label is dedicated to high security environments. Applications must be scanned in a regular basis (E.g. every week). The public would have access to the last vulnerability scanning report. • A fast security team. The security team will have to patch their vulnerabilities ( if any) before the next scanning date. • Implementation. Including the 'openness clause' into your license contract, or terms of use, and a regular report of your application vulnerabilities to the public. 4.OPENNESS LABEL(O)
  • 20. SPECIFICATIONS • Purpose of labels. Each label has its own purpose. There is not hierarchy between them. Any software or Web application can hold all of them, or just the ones they prefer. • A mutual compromise. Using the security labels means that there is a compromise between software developers and OWASP. The goals: SECURITY, TRUST, TRANSPARENCY, AND OPENNESS. • Prize of labels. In order to avoid unfair competition, labels would not have a prize. But donations are always welcome in order to cover logistic costs.
  • 21. • Applying for a label. The applicant will submit a registration into the labeling system site. Download the required logo and the labeling contracting clause. The 'logo' must be copied into the software distribution(or web site). • About the Clauses. The contract clauses make official the compromise of the software developer with the users. They must be added to the contract, license, terms of use, or privacy policy. When software is copyrighted under public licenses, it could be added as an additional term, or a declaration distributed within the license. • Just an automated process? No. the OWASP project team volunteers can always verify if the provided information is real. Violations to the labeling system can be reported by users. • Specifications and Labels can change. This is an open project, so please take all these proposals just as a departure point. We need to get the best out of it, so we are searching for better and new ideas. SPECIFICATIONS
  • 22. • If you want to become a team member, or just provide ideas and suggestions, please send them to: luis.enriquez@owasp.org • Or connect to our mailing list at: https://lists.owasp.org/mailman/listinfo/owasp_security_labeling_system_project Project Page: https://www.owasp.org/index.php/OWASP_Security_Labeling_System_Project FEEDBACK IS VERY IMPORTANT! GET INVOLVED