__NOTOC__

Return to [[Global Industry Committee]]

{| style="width:100%" border="0" align="center"
! colspan="4" align="center" style="background:#4058A0; color:white"|'''ACTIVITY IDENTIFICATION'''
|-
| style="width:15%; background:#7B8ABD" align="center"|'''Activity Name'''
| colspan="3" style="width:75%; background:#cccccc" align="left"|'''DOJ Nondiscrimination on the Basis of Disability'''
|-
| style="width:25%; background:#7B8ABD" align="center"| '''Short Description'''
| colspan="3" style="width:75%; background:#cccccc" align="left"|Provide response to "Accessibility of Web Information and Services of State and Local Government Entities and Public Accommodations"
|-
| style="width:25%; background:#7B8ABD" align="center"| '''Related Projects '''
| colspan="3" style="width:75%; background:#cccccc" align="left"|None
|-
| style="width:25%; background:#7B8ABD" align="center"|'''Email Contacts & Roles'''
| style="width:25%; background:#cccccc" align="center"|'''Primary''' [mailto:alexander.fry(at)owasp.org '''Alexander Fry''']
| style="width:25%; background:#cccccc" align="center"|'''Secondary''' [mailto:lorna.alamri(at)owasp.org '''Lorna Alamri''']
| style="width:25%; background:#cccccc" align="center"|'''Mailing list''' Please use the [http://lists.owasp.org/mailman/listinfo/global_industry_committee Industry Committee list]
|}

{| style="width:100%" border="0" align="center"
! colspan="4" align="center" style="background:#4058A0; color:white"|'''ACTIVITY SPECIFICS'''
|-
| style="width:25%; background:#7B8ABD" align="center"|'''Objectives'''
| colspan="3" style="width:75%; background:#cccccc" align="left"|
* Review Proposed Rulemaking - in particular issues relating to Web application security
* Where appropriate, draft a response for submission
* Submit the response as an official OWASP statement
|-
| style="width:25%; background:#7B8ABD" align="center"| '''Deadlines'''
| colspan="3" style="width:75%; background:#cccccc" align="left"|
* 9 Nov 2010 - Complete second draft response
* 12 Nov 2010 - Circulate to OWASP chapters and GIC mailing lists
* 19 Nov 2010 - Prepare final version
* 22 Nov 2010 - Submit to DOJ
|-
| style="width:25%; background:#7B8ABD" align="center"| '''Status'''
| colspan="3" style="width:75%; background:#cccccc" align="left"|
* In Progress
|-
| style="width:25%; background:#7B8ABD" align="center"| '''Resources'''
| colspan="3" style="width:75%; background:#cccccc" align="left"|[http://www.regulations.gov/search/Regs/home.html#documentDetail?R=0900006480b20b1a Document detail]

[https://docs.google.com/a/owasp.org/fileview?id=0B5wp7wNKKjxnYzg3MDI3MTctYzgzYy00MWQzLThmM2UtZjkwOWYzNWU3MzQz&hl=en Annotated version]

[https://spreadsheets.google.com/ccc?key=0AnrIOS37w1dAdDRPSXpWQzF3cXBpY3h4ZVhfTFlSQmc&hl=en&invite=CJPD_e4H Project plan]

[http://www.regulations.gov/search/Regs/home.html#docketDetail?R=DOJ-CRT-2010-0005 Other comments submitted]

Response submission to Federal eRulemaking Web site: www.regulations.gov by 24th January 2011
|-
|}

== Submission Response ==

''Latest first''

=== Final version ===

This response is submitted on behalf of the Open Web Application Security Project (OWASP) by the OWASP Global Industry Committee. OWASP is a worldwide free and open community focused on improving the security of application software. Our mission is to make application security "visible," so that people and organizations can make informed decisions about application security risks. Everyone is free to participate in OWASP and all of our materials are available under a free and open software license. The OWASP Foundation is a U.S. recognized 501(c)(3) not-for-profit charitable organization that ensures the ongoing availability and support for our work at OWASP.
OWASP has previously submitted responses to related standards and guidance:
:*BS 8878:2009 Web accessibility. Building accessible experiences for disabled people DPC
:*W3C Mobile Web Application Best Practices Working Draft and NIST documents such as NIST SP 800-37 (Rev 1), SP 800-53 (Rev 3), SP 800-122 and IR 7628.

OWASP produces guidance documents, standards and tools such as the Top Ten, Development Guide, Code Review Guide, Testing Guide, Application Security Verification Standard and the Software assurance Maturity Model. These are already referenced by organizations such as DISA, NIST, NSA and the FFIEC.
Reference: OWASP Citations http://www.owasp.org/index.php/Industry:Citations

1) Should the Department adopt the WCAG 2.0s "Level AA Success Criteria" as it's standard for Web site accessibility for entities covered by Titles II and III of the ADA? Is there any reason why the Department should consider adopting another success criteria level of the WCAG 2.0?
From a website security point of view, WCAG 2.0s "Level AA Success Criteria" is not inconsistent with having a secure website. Conformance levels A, AA and AAA all require additional considerations for security due to the use of:
:*input, storage and output of additional text
:*alternative forms of CATCHA
:*input, storage and output of additional files
:*third-party services
:*additional client-side scripting
:*flexible session timeouts
:*enforcing code validity
These can all be achieved using secure development practices, but the additional requirements increase complexity. There is one aspect in the more stringent "Level AAA Success Criteria" which would be difficult to achieve in a secure manner:
:*re-authentication recovery
Reference: "Can an accessible web application be secure? Assessment issues for security testers, developers and auditors", Colin Watson, OWASP AppSec Europe 2009, http://www.owasp.org/images/2/22/AppSecEU09_owasp_appsec_eu09_colin_watson_2.ppt

6) What Resources and services are available to public accommodations and public entities to make their Web sites accessible? What is the ability of covered entities to make their Web sites accessible with in-house staff? What technical assistance should the Department make available to public entities and public accommodations to assist them with complying with this rule?
The W3C WAI pages on WCAG 2.0 provide ample information. In particular the "Techniques and Failures for Web Content Accessibility Guidelines 2.0" provide excellent guidance and duplication of this effort elsewhere would appear to be un-necessary. In terms of ensuring the security is maintained, we recommend OWASP's own guidance documents, standards and tools such as the Top Ten, Development Guide, Code Review Guide, Testing Guide, Application Security Verification Standard and the Software assurance Maturity Model. These are already referenced by organizations such as DISA, NIST, NSA and the FFIEC.
Reference: OWASP Citations http://www.owasp.org/index.php/Industry:Citations

7) Are there distinct or specialized features used on Web sites that render compliance with accessibility requirements difficult or impossible?

When applying website accessibility standards to transactional websites. (E-commerce, financial, healthcare, educational, eGovernment, hospitality, recreational, services, transportation, legal, et alia) It is important for users to understand that these websites must comply with security standards set forth to protect customer, patient and student information. These same security standards could make it more difficult for users with disabilities to utilize transactional websites.

The following features may render compliance with accessibility requirements difficult or impossible, however they are very important tools in protecting sensitive information in a transactional website.

Session Timeout
:One such standard is enforcing a session timeout. Session tokens that do not expire on the HTTP server can allow an attacker unlimited time to guess or brute-force a valid authenticated session token. If a user’s cookie file is captured or brute-forced, then an attacker can use these static session tokens to gain access to that user’s web account for that site. OWASP recommends that idle session time out for highly protected web applications are set at 5 minutes and no more than 20 minutes for low risk applications.

Passwords
:OWASP Recommends that website security policy for passwords include the following:
:*Password change frequency
:*Enforcement of a minimum password length
:*No maximum password length limits
:*Previous passwords should not be allowed to be chosen
:*Password lock out policy
:*Password complexity requirements
:*Password lock out

Strong Authentication
:Strong authentication (such as tokens, certificates, etc) provides a higher level of security than username and passwords. The generalized form of strong authentication is “something you know, something you hold”. Therefore, anything that requires a secret (the “something you know”) and authenticator like a token, USB fob, or certificate (the “something you hold”) is a stronger control than username and passwords (which is just “something you know”) or biometrics (“something you are”).

OWASP recommends strong authentication for certain applications:
:*for high value transactions
:*where privacy is a strong or legally compelled consideration (such as health records, government records, etc)
:*where audit trails are legally mandated and require a strong association between a person and the audit trail, such as banking applications
:*administrative access for high value or high risk systems

CAPTCHA
:OWASP does not recommend the use of CAPTCHA. Instead OWASP recommends that Website owner provide another method to sign up or register for a website offline or via another method. Site should use a “no follow” tag. Another option is to limit privileges of a newly signed up account or similar until a positive validation has occurred.

8) Given that most websites today provide significant amounts of services and information in a dynamic, evolving setting that would be difficult, if not impossible, to replicate through alternative, accessible means, to what extent can accessible alternatives still be provided? Might viable accessible alternatives still exist for simple, non-dynamic Web sites?
It is important that alternative means provide the same level of protection to the users, their data and the business systems, so that for example weaker authentication requirements in an alternative telephone service make it easier to steal a person's identity than through an online website service, or the telephone service can be used to assist exploitation of the website (e.g. enumerate usernames).

19) The Department is interested in gathering other information or data relating to the Department’s objective to provide requirements for Web accessibility under titles II and III of the ADA. Are there additional issues or information not addressed by the Department’s questions that are important for the Department to Consider?
In the OWASP response to Question 1, we stated that an accessible website can be secure. It is also worth mentioning that an insecure website possibly may not be accessible because it would be possible to create web pages (responses) which do not meet the conformance requirements. A simple example would be injecting code which includes inaccessible content from a third party website, or which breaks the code validity because an extra H1 tag has been inserted.

=== Draft Text version 2 ===

This response is submitted on behalf of the Open Web Application Security Project (OWASP) by the OWASP Global Industry Committee. OWASP is a worldwide free and open community focused on improving the security of application software. Our mission is to make application security "visible," so that people and organizations can make informed decisions about application security risks. Everyone is free to participate in OWASP and all of our materials are available under a free and open software license. The OWASP Foundation is a U.S. recognized 501(c)(3) not-for-profit charitable organization that ensures the ongoing availability and support for our work at OWASP.
OWASP has previously submitted responses to related standards and guidance:
:*BS 8878:2009 Web accessibility. Building accessible experiences for disabled people DPC
:*W3C Mobile Web Application Best Practices Working Draft and NIST documents such as NIST SP 800-37 (Rev 1), SP 800-53 (Rev 3), SP 800-122 and IR 7628.

1) Should the Department adopt the WCAG 2.0s "Level AA Success Criteria" as it's standard for Web site accessibility for entities covered by Titles II and III of the ADA? Is there any reason why the Department should consider adopting another success criteria level of the WCAG 2.0?
From a website security point of view, WCAG 2.0s "Level AA Success Criteria" is not inconsistent with having a secure website. Conformance levels A, AA and AAA all require additional considerations for security due to the use of:
:*input, storage and output of additional text
:*alternative forms of CATCHA
:*input, storage and output of additional files
:*third-party services
:*additional client-side scripting
:*flexible session timeouts
:*enforcing code validity
These can all be achieved using secure development practices, but the additional requirements increase complexity. There is one aspect in the more stringent "Level AAA Success Criteria" which would be difficult to achieve in a secure manner:
:*re-authentication recovery
Reference: "Can an accessible web application be secure? Assessment issues for security testers, developers and auditors", Colin Watson, OWASP AppSec Europe 2009, http://www.owasp.org/images/2/22/AppSecEU09_owasp_appsec_eu09_colin_watson_2.ppt

6) What Resources and services are available to public accommodations and public entities to make their Web sites accessible? What is the ability of covered entities to make their Web sites accessible with in-house staff? What technical assistance should the Department make available to public entities and public accommodations to assist them with complying with this rule?
The W3C WAI pages on WCAG 2.0 provide ample information. In particular the "Techniques and Failures for Web Content Accessibility Guidelines 2.0" provide excellent guidance and duplication of this effort elsewhere would appear to be un-necessary. In terms of ensuring the security is maintained, we recommend OWASP's own guidance documents, standards and tools such as the Top Ten, Development Guide, Code Review Guide, Testing Guide, Application Security Verification Standard and the Software assurance Maturity Model. These are already referenced by organizations such as DISA, NIST, NSA and the FFIEC.
Reference: OWASP Citations http://www.owasp.org/index.php/Industry:Citations

7) Are there distinct or specialized features used on Web sites that render compliance with accessibility requirements difficult or impossible?
At Conformance Level AA, no.

When applying website accessibility standards to transactional websites. (E-commerce, financial, healthcare, educational) It is important for users to understand that these websites must comply with security standards set forth to protect customer, patient and student information. These same security standards could make it more difficult for users with disabilities to utilize transactional websites.

The following features may render compliance with accessibility requirements difficult or impossible, however they are very important tools in protecting sensitive information in a transactional website.

Session Timeout
:One such standard is enforcing a session timeout. Session tokens that do not expire on the HTTP server can allow an attacker unlimited time to guess or brute-force a valid authenticated session token. If a user’s cookie file is captured or brute-forced, then an attacker can use these static session tokens to gain access to that user’s web account for that site. OWASP recommends that idle session time out for highly protected web applications are set at 5 minutes and no more than 20 minutes for low risk applications.

Passwords
:OWASP Recommends that website security policy for passwords include the following:
:*Password change frequency
:*Enforcement of a minimum password length
:*No maximum password length limits
:*Previous passwords should not be allowed to be chosen
:*Password lock out policy
:*Password complexity requirements
:*Password lock out

Strong Authentication
:Strong authentication (such as tokens, certificates, etc) provides a higher level of security than username and passwords. The generalized form of strong authentication is “something you know, something you hold”. Therefore, anything that requires a secret (the “something you know”) and authenticator like a token, USB fob, or certificate (the “something you hold”) is a stronger control than username and passwords (which is just “something you know”) or biometrics (“something you are”).

OWASP recommends strong authentication for certain applications:
:*for high value transactions
:*where privacy is a strong or legally compelled consideration (such as health records, government records, etc)
:*where audit trails are legally mandated and require a strong association between a person and the audit trail, such as banking applications
:*administrative access for high value or high risk systems

CAPTCHA
:OWASP does not recommend the use of CAPTCHA. Instead OWASP recommends that Website owner provide another method to sign up or register for a website offline or via another method. Site should use a “no follow” tag. Another option is to limit privileges of a newly signed up account or similar until a positive validation has occurred.

8) Given that most websites today provide significant amounts of services and information in a dynamic, evolving setting that would be difficult, if not impossible, to replicate through alternative, accessible means, to what extent can accessible alternatives still be provided? Might viable accessible alternatives still exist for simple, non-dynamic Web sites?
It is important that alternative means provide the same level of protection to the users, their data and the business systems, so that for example weaker authentication requirements in an alternative telephone service make it easier to steal a person's identity than through an online website service, or the telephone service can be used to assist exploitation of the website (e.g. enumerate usernames).

19) The Department is interested in gathering other information or data relating to the Department’s objective to provide requirements for Web accessibility under titles II and III of the ADA. Are there additional issues or information not addressed by the Department’s questions that are important for the Department to Consider?
In the OWASP response to Question 1, we stated that an accessible website can be secure. It is also worth mentioning that an insecure website possibly may not be accessible because it would be possible to create web pages (responses) which do not meet the conformance requirements. A simple example would be injecting code which includes inaccessible content from a third party website, or which breaks the code validity because an extra H1 tag has been inserted.

=== Draft Text version 1 ===

=== CW's notes ===

''CW: I think the following questions posed by the DoJ are the most relevant for response by OWASP. My comments on each of those are included below.''

1.) Should the Department adopt the WCAG 2.0s "Level AA Success Criteria" as it's standard for Web site accessibility for entities covered by Titles II and III of the ADA? Is there any reason why the Department should consider adopting another success criteria level of the WCAG 2.0?

:From a website security point of view, WCAG 2.0s "Level AA Success Criteria" is not inconsistent with having a secure website. Conformance levels A, AA and AAA all require additional considerations for security due to the use of:
:* input, storage and output of additional text
:* alternative forms of CATCHA
:* input, storage and output of additional files
:* third party services
:* additional client-side scripting
:* flexible session timeouts
:* enforcing code validity
:These can all be achieved using secure development practices, but the additional requirements increase complexity. There is one aspect in the more stringent "Level AAA Success Criteria" which would be difficult to achieve in a secure manner:
:* re-authentication recovery
:Reference: "Can an accessible web application be secure? Assessment issues for security testers, developers and auditors", Colin Watson, OWASP AppSec Europe 2009, http://www.owasp.org/images/2/22/AppSecEU09_owasp_appsec_eu09_colin_watson_2.ppt

6.) What Resources and services are available to public accommodations and public entities to make their Web sites accessible? What is the ability of covered entities to make their Web sites accessible with in-house staff? What technical assistance should the Department make available to public entities and public accommodations to assist them with complying with this rule?

:The W3C WAI pages on WCAG 2.0 provide ample information. In particular the "Techniques and Failures for Web Content Accessibility Guidelines 2.0" provide excellent guidance and duplication of this effeort elsewhere would appear to be un-necessary. In terms of ensuring the security is maintained, we recommed OWASP's own guidance documents, standards and tools such as the Top Ten, Development Guide, Code Review Guide, Testing Guide, Application Securitity Versification Standard and the Software assurance Maturity Model. These are already referenced by organisations such as DISA, NIST, NSA and the FFIEC.
:Reference: OWASP Citations http://www.owasp.org/index.php/Industry:Citations''

7.) Are there distinct or specialized features used on Web sites that render compliance with accessibility requirements difficult or impossible?

:At Conformance Level AA, no.

8.) Given that most websites today provide significant amounts of services and information in a dynamic, evolving setting that would be difficult, if not impossible, to replicate through alternative, accessible means, to what extent can accessible alternatives still be provided? Might viable accessible alternatives still exist for simple, non-dynamic Web sites?

:It is important that alternative means provide the same level of protection to the users, their data and the business systems, so that for example weaker authentication requirements in an alternative telephone service make it easier to steal a person's identity than through an online website service, or the telephone service can be used to assist exploitation of the website (e.g. enumerate usernames).

19.) The Department is interested in gathering other information or data relating to the Department’s objective to provide requirements for Web accessibility under titles II and III of the ADA. Are there additional issues or information not addressed by the Department’s questions that are important for the Department to Consider?

:In the OWASP response to Question 1, we stated that an accessible website can be secure. It is also worth mentioning that an insecure website possibly may not be accessible because it would be possible to create web pages (responses) which are do not met the conformance requirements. A simple example would be injecting code which includes inaccessible content from a third party website, or which breaks the code validity because an extra H1 tag has been inserted.

''Some customised About OWASP text''

This response is submitted on behalf of the Open Web Application Security Project (OWASP) by the OWASP Global Industry Committee. OWASP is a worldwide free and open community focused on improving the security of application software. Our mission is to make application security "visible," so that people and organizations can make informed decisions about application security risks. Everyone is free to participate in OWASP and all of our materials are available under a free and open software license. The OWASP Foundation is a U.S. recognized 501(c)(3) not-for-profit charitable organization, that ensures the ongoing availability and support for our work at OWASP.

OWASP has previously submitted responses to related standards and guidance:
* BS 8878:2009 Web accessibility. Building accessible experiences for disabled people DPC
* W3C Mobile Web Application Best Practices Working Draft
and NIST documents such as NIST SP 800-37 (Rev 1), SP 800-53 (Rev 3), SP 800-122 and IR 7628.

Return to [[Global Industry Committee]]

Industry:DOJ Nondiscrimination on the Basis of Disability

2010-11-08T22:40:17Z

Afry: /* Draft Text version 2 */

Industry:DOJ Nondiscrimination on the Basis of Disability

2010-11-08T22:38:32Z

Afry: /* Draft Text version 2 */

Industry:DOJ Nondiscrimination on the Basis of Disability

2010-11-08T22:33:03Z

Afry: /* Draft Text version 2 */

Industry:DOJ Nondiscrimination on the Basis of Disability

2010-11-08T21:35:48Z

Afry:

Industry:DOJ Nondiscrimination on the Basis of Disability

2010-11-08T21:04:59Z

Afry:

Global Industry Committee

2010-10-12T17:07:00Z

Afry: /* Work in Progress */

'''The Global Industry Committee was created during the OWASP EU Summit in Portugal. The primary purpose of the Global Industry Committee is to work with industry executives to gather requirements from industry, work with Membership, Projects and others.'''

== Mission Statement ==

''To expand awareness of and promote the inclusion of software security best practices in Industry, Government, Academia and regulatory agencies and be a voice for industry. We will accomplish this through outreach; including presentations, development of position papers and collaborative efforts with other entities.'' [https://www.owasp.org/index.php/Global_Industry_Committee#General_Presentations_and_Reports Powerpoint of Accomplishments]

 

== Committee Plan ==

Step 1: [[Industry:Organizations for Outreach|Identify specific organizations]] worth working with to spread the OWASP gospel

Step 2: Prioritize the proposed liasons based on potential impact, and also realistic likelihood of the organization actively working with us

Step 3: Execute, leveraging global OWASP resources as much as possible to maximize impact

Step 4: Evaluate progress & repeat Step 1-3

== Committee Members ==

 Committee Members:

{| class="prettytable"
|-
! Name
! Email
! Location
|-
| Lorna Alamri
| lorna.alamri 'at' owasp dot org
| US
|-
| Joe Bernik
| bernik 'at' gmail dot com
| US
|-
| Rex Booth
| rex.booth 'at' gt dot com
| US
|-
| David Campbell
| dcampbell 'at' owasp dot org
| US
|-
| Alexander Fry
| alexander.fry 'at' owasp dot org
| US
|-
| Georg Hess
| georg.hess 'at' artofdefence dot com
| Germany
|-
| Eoin Keary
| eoin.keary 'at' owasp dot org
| Ireland
|-
| Yiannis Pavlosoglou
| yiannis 'at' owasp dot org
| UK
|-
| Colin Watson
| colin.watson 'at' owasp dot org
| UK
|}

The committee chair is Colin Watson. From 1st November 2010, Yiannis Pavlosoglou will take over this role.

== Monthly Report ==

Date of last update: 29 September 2010
Updated by: CW

Accomplishments for this Month
* Finish writing article for BCS
* Continued work on Common Assurance Maturity Model in conjunction with OWASP Cloud 10 project (with ENISA, CSA, etc)
* Yiannis Pavlosoglou was elected unopposed as GIC chair from 1 Nov 2010
Planned for Next Month
* Review whether OWASP should respond to W3C Document Object Model (DOM) Level 3 Events Specification
* Follow up outreach to SPVA, USNA and USMMA
* Response to UK Office of Fair Trading consultation
Issues/Risks/Challenges
* Difficulty getting enough engagement with good contacts in all priority sectors
Financial costs to OWASP for calender year ending 31 Dec 2010 (2009)
* Budget: nil (nil)
* Actual: nil (nil)
* OWASP staff time: negligible (negligible)

== Getting Involved ==

=== Mailing List ===

[http://lists.owasp.org/mailman/listinfo/global_industry_committee Join our mailing list]

=== Meetings ===

The next Global Industry Committee meeting will be:

* TBC
** Dial in number: +1 866 534 4754
** Call code 192341

Minutes of previous meetings are:

* [[Industry:Minutes_2010-08-17|17 Aug 2010]] (also [http://www.owasp.org/images/0/0d/Gic_call_17aug2010.mp3 MP3 recording of the call])
* [[Industry:Minutes 2010-05-18|18 May 2010]]
*[[Industry:Minutes 2010-01-05|05 Jan 2010]] (also [http://www.owasp.org/images/a/a3/Owasp_gic_call_5jan10.mp3 MP3 recording of the call])
*[[Industry:Minutes 2009-01-23|23 Jan 2009]]

=== Membership ===

[[Membership]] explains how to become an OWASP organization supporter or individual member. But you don't have to be an OWASP Member or Committee Member to contribute.

The current committee members joined for a 12 month term - see [[How to Join a Committee]] and [[Global Committee Pages]]. We would especially welcome new members who can widen our geographic coverage (e.g. Africa, Asia and South America) and who have time to contribute proactively.

=== Other ongoing initiatives ===

*[http://www.owasp.org/index.php/Global_Industry_Committee-SIG Special Interest Groups] - Outreach to sector-specific critical infrastructures worldwide.
*[http://www.owasp.org/index.php/Category:India OWASP India Advisory Board] - Regional panel contributing to the software outsourcing industry.
*[http://www.owasp.org/index.php/Industry:Citations OWASP Citations] - References to OWASP in official, or otherwise important, documents.

== Current Activity ==

=== Work in Progress ===

The current activities being undertaken:

{| class="prettytable"
|-
! Task
! Deadline
! Type
! Status
! Description
! Who
|-
| [[Industry:DOJ Nondiscrimination on the Basis of Disability|DOJ Nondiscimination on the Basis of Disability]]
| 24 Jan 2011
| Standards
| In progress
| Provide response to US DOJ's "Accessibility of Web Information and Services of State and Local Government Entities and Public Accommodations"
| AF/LA
|-
| [[Industry:ICO Data Sharing CoP|Data Sharing CoP]]
| 5 Jan 2011
| Standards
| In progress
| Provide response to UK ICO's "Data Sharing Code of Practice Consultation"
| CW
|-
| [http://www.londoncentral.bcs.org BCS London Central]
| 17 Feb 2011
| Outreach
| New
| Present a talk about OWASP.
| CW
|-
| [http://www.bcs.org BCS]
| 3 Sep 2010
| Outreach
| In Progress
| Write article for BCS ITnow magazine about application security and OWASP Top Ten.
| YP
|-
| [http://www.owasp.org/index.php/OWASP_AppSec_DC_2009 Appsec DC 2009]
| 8-11 Nov 2011
| Outreach
| In Progress
| Conference organisation - special effort to engage with US Federal sector
| RB
|-
| [http://www.usmma.edu/ USMMA]
| 1 Jan 2011
| Outreach
| New
| Make contact. Present a talk about OWASP to the USMMA computer club or security teams.
| AF
|-
| [http://www.usna.edu/ USNA]
| 1 Jan 2011
| Outreach
| New
| Make contact. Present a talk about OWASP to the USNA computer science faculty and students or interest group.
| AF
|-
| [http://www.auscert.org.au/ AusCERT]
| -
| Outreach
| In Progress
| Make contact and discuss opportunities for OWASP to contribute to their work
| YP
|-
| OWASP Financial Services SIG
| -
| Outreach
| In Progress
| Working with Fabio Cerullo, Eoin Keary, Jim Routh, Jerry Kickenson and others on forming a SIG. Arranging a financial panel for AppSec in Washington, DC in November
| JB/EK
|-
| [[Industry:ENISA Cloud Computing Common Assurance Metrics|ENISA Common Assurance Maturity Model]]
| 2010
| Standards
| In Progress
| Work with [[:Category:OWASP Cloud ‐ 10 Project]] to contribute to the development of Common Assurance Maturity Model for [http://www.enisa.europa.eu/ ENISA]'s [http://www.enisa.europa.eu/act/rm/files/deliverables/cloud-computing-information-assurance-framework?searchterm=cloud Cloud Computing Information Assurance Framework].
| CW
|-
| [http://www.spva.org Secure POS Vendor Alliance (SPVA)]
| -
| Outreach
| In Progress
| Begin dialogue about possibility of working together. Have had trouble getting through to them but have a good lead now. Updates soon :)
| DC
|-
|}

=== Completed Items ===

{| class="prettytable"
|-
! Task
! Completed
! Type
! Status
! Description
! Who
|-
| [[Industry:e-Consumer Protection Consultation |e-Consumer Protection Consultation]]
| 13 Oct 2010
| Standards
| Closed
| Review and provide official OWASP response to [http://www.oft.gov.uk/ UK Office of Fair Trading] [http://www.oft.gov.uk/OFTwork/consultations/current/eprotection/ e-Consumer Protection Consultation].
| YP
|-
| [http://www.w3.org/TR/2010/WD-mwabp-20100713/ Mobile Web Application Best Practices Working Draft]
| 6 Aug 2010
| Standards
| Closed
| Review and provide official OWASP response to W3C's [http://www.w3.org/2005/MWI/BPWG/ Mobile Web Best Practices Working Group].
| DC
|-
| [http://www.oft.gov.uk/ UK Office of Fair Trading]
| 23 Jul 2010
| Standards
| Closed
| Ask to be added to official consultation list
| CW
|-
| [http://www.businesslink.gov.uk BusinessLink]
| 1 Jul 2010
| Outreach
| Closed
| Offer to contribute to development of IT security information about [http://www.businesslink.gov.uk/bdotg/action/layer?topicId=1075421745 application security] on the BusinessLink website for UK SMEs. Outcome - no help required at present, but BusinessLink system to be disbanded.
| CW
|-
| Veracode
| 28 Jun 2010
| Outreach
| Closed
| Discuss use of Open SAMM to classify Secure SDL maturity in Veracode's code analysis summary reports. Outcome - positive response received.
| CW
|-
| [http://www.owasp.org/index.php/Leeds_UK OWASP Leeds/North]
| 16 Jun 2010
| Outreach
| Closed
| Presentations at chapter meeting in Newcastle-upon-Tyne about ENISA CAMM and OWASP Appsensor
| CW
|-
| [http://www.owasp.org/index.php/Front_Range_OWASP_Conference_2010 Front Range OWASP Conference (FROC) 2010]
| 2 Jun 2010
| Outreach
| Closed
| Conference organisation [http://tinyurl.com/froctalks Vids & presentations online]
| DC
|-
| [http://www.isaca-denver.org/meetings/MAY_2010_CHPT_MTG.shtml OWASP Presentation at ISACA Denver Annual Meeting]
| 27 May 2010
| Outreach
| Closed
| Presentation [https://docs.google.com/fileview?id=0B_-vbfka88vFNjIwY2IwYjItZmYyNi00MmNiLWFhOWItYmQ4OGZmZjVmZWUx&hl=en Presentation online]
| DC
|-
| [http://www.issa-uk.org/ ISSA-UK]
| 13 May 2010
| Outreach
| Closed
| Presentation
| YP
|-
| [[Industry:Personal Information Online Code of Practice|Personal Information Online COP]]
| 5 Mar 2010
| Legislation
| Closed
| Provide response to UK Information Commissioner's Office draft "Personal Information Online Code of Practice"
| YP
|-
| [http://www.enisa.europa.eu/ ENISA] Mobile Apps
| Mar 2010
| Outreach
| Closed
| Identify and introduce OWASP contact for ENISA's Mobile Apps Project, in conjunction with Dinis Cruz.
| CW
|-
| [[Industry:Technology Strategy Board Secure Software Development Initiative|Technology Strategy Board Secure Software Development Partnership]]
| 18 Feb 2010
| Outreach
| Closed
| Liaise with the UK [http://www.innovateuk.org/ Technology Strategy Board] about the Secure Software Development Partnership (SSDP) in conjunction with the [http://www.owasp.org/index.php/London London chapter] leader Justin Clarke
| CW
|-
| US [http://www.issa-nova.org Information Systems Security Association Northern Virginia Chapter (ISSA-NOVA)]
| 21 Jan 2010
| Outreach
| Closed
| Provide presentation covering CSSLP, fundamentals of AppSec and Intro to OWASP and Global Industry Committee
| AF
|-
| [http://www.enisa.europa.eu/ ENISA]
| Jan 2010
| Outreach
| Closed
| Discuss opportunities for OWASP to work with ENISA, in conjunction with Dinis Cruz.
| CW
|-
| [[:Industry:Draft NIST SP 800-37 Revision 1|NIST SP 800-37 Revision 1 FPD]] Review Project
| 30 Dec 2009
| Standards
| Closed
| Provide response to "NIST SP 800-37 Revision 1 Final Public Draft, Guide for Applying the Risk Management Framework to Federal Information Systems: A Security Life Cycle Approach"
| RB
|-
| [http://www.crest-approved.org/ CREST] CRESTCon
| 15 Dec 2009
| Outreach
| Closed
| Already an oversubscribed event, YP & CW have been placed on the reserve list. Update: Positions secured for the 15th.
| YP
|-
| [http://msdn.microsoft.com/en-us/security/cc448177.aspx SDL Pro Network]
| 30 Nov 2009
| Outreach
| Closed
| Contact SDL Pro Network to discuss if there are opportunities for OWASP to become involved or connected in some way
| CW
|-
| [[Industry:Draft NIST IR 7628|Draft NIST IR 7628]]
| 25 Nov 2009
| Standards
| Closed
| Provide response to "NIST IR 7628 Draft Smart Grid Cyber Security Strategy and Requirements"
| CW
|-
| [http://www.owasp.org/index.php/OWASP_AppSec_DC_2009 Appsec DC 2009]
| 10-13 Nov 2009
| Outreach
| Closed
| Conference organisation - special effort to engage with US Federal sector
| RB
|-
| [http://www.justice.gov.uk/ UK Ministry of Justice]
| -
| Legislation
| Closed
| Ask to be added to official consultation list
| CW
|-
| [http://www.it-sa.de/ IT-SA]
| 13-15 Oct 2009
| Outreach
| Closed
| OWASP booth at trade show
| GH
|-
| [http://www.owasp.org/index.php/OWASP_AppSec_Germany_2009_Conference OWASP AppSec Germany 2009]
| 13 Oct 2009
| Outreach
| Closed
| Conference organisation
| GH
|-
| US [http://www.loc.gov Library of Congress]
| 28 Sep 2009
| Outreach
| Closed
| Presentation about OWASP
| RB
|-
| [http://www.owasp.org/index.php/OWASP_Ireland_AppSec_2009_Conference OWASP Ireland AppSec 2009]
| 10 Sep 2009
| Outreach
| Closed
| Conference organisation
| EK
|-
| OWASP Citations
| 7 Sep 2009
| Other
| Closed
| Identify and record the most important references to OWASP in official, or otherwise important, documents. Page created at: [[Industry:Citations]]
| CW
|-
| US [http://www.loc.gov Library of Congress]
| 26 Aug 2009
| Outreach
| Closed
| Presentation about OWASP
| RB
|-
| OWASP webcast at Brighttalk [http://www.brighttalk.com/summit/dataprivacy2 Data and Privacy in Web 2.0 Summit]
| 13 Aug 2009
| Outreach
| Closed
| Deliver [http://www.brighttalk.com/webcasts/4767/attend OWASP presentation on XSS, client side exploitation, and countermeasures].
| DC
|-
| [[Industry:SAFECode Secure Development Practices (update to Oct 2008 version)|SAFECode Secure Development Practices (update to Oct 2008 version)]]
| 31 Jul 2009
| Standards
| Closed
| Response to [http://www.safecode.org/ SAFECode] "Fundamental Practices for Secure Software Development: A Guide to the Most Effective Secure Development Practices in Use Today."
| CW
|-
| [http://www.owasp.org/index.php/Category:OWASP_CSA_Project OWASP CSA Project]
| 8 Jul 2009
| Standards
| Closed
| Response to RFC [http://www.cloudsecurityalliance.org/guidance/csaguide.pdf Cloud Security Alliance Guidance v1.0]
| TB
|-
| [[Scotland]]
| 25 Jun 2009
| Outreach
| Closed
| Presentation about the Global Industry Committee, its role and recent activities (presentation slides [[Image:Owasp-scotland-industry-committee-june-2009.ppt]] and written notes [[Image:Owasp-scotland-industry-committee-june-2009-notes.pdf]])
| CW
|-
| OWASP Presentation at [http://cfp2009.org/ CFP Con 2009]
| 1 Jun 2009
| Outreach
| Closed
| Deliver presentation on web threats and countermeasures. See [http://www.cfp2009.org/wiki/index.php/Tutorials/Workshops CFP tutorial page] grep OWASP for more info.
| DC
|-
| ENISA [http://www.enisa.europa.eu/pages/02_03_news_2009_02_19_who_is_who.html Who-Is-Who Directory]
| -
| Outreach
| Closed
| Contact ENISA regarding OWASP inclusion in directory (in progress). Encourage European chapter leaders to contact their ENISA liaison officers (completed). Contact UK liaison officer on behalf of London, Leeds and Scotland chapters.
| CW
|-
| IIL [http://www.iilondon.co.uk/ Insurance Institute of London]
| 2 Jun 2009
| Outreach
| Closed
| Contact IIL regarding future input to their publication [http://www.iilondon.co.uk/XtraCart/store/comersus_viewItem.asp?idProduct=187 Insurance Aspects of E-Commerce]
| CW
|-
| [[Industry:Draft NIST SP 800-118|Draft NIST SP 800-118]]
| 29 May 2009
| Standards
| Closed
| Provide response to "Draft NIST Special Publication 800-118 Guide to Enterprise Password Management"
| CW/EK/RB/DC
|-
| German IT Industry Association
| 15 May 2009
| Outreach
| Closed
| Presentation on OWASP
| GH
|-
| [http://docs.google.com/Present?docid=ddkr62qv_171cd7gh5fb&skipauth=true Outreach Presentation to Frontier Airlines]
| 7 May 2009
| Outreach
| Closed
| Provide outreach presentation covering fundamentals of AppSec and Intro to OWASP
| DC
|-
| [[Industry:DPC BS 10012|DPC BS 10012]]
| 31 Mar 2009
| Standards
| Closed
| Provide response to "BS 10012 Specification for the management of personal information in compliance with the Data Protection Act 1998" Draft for Public Comment (DPC)
| CW
|-
| [[Industry:Draft NIST SP 800-53 Revision 3|Draft NIST SP 800-53 Revision 3]]
| 27 Mar 2009
| Standards
| Closed
| Provide response to "Draft NIST Special Publication 800-53 (Revision 3) Recommended Security Controls for Federal Information Systems and Organizations"
| RB
|-
| [[Industry:Draft NIST SP 800-122|Draft NIST SP 800-122]]
| 13 Mar 2009
| Standards
| Closed
| Provide response to "Draft NIST Special Publication 800-122 Guide to Protecting the Confidentiality of Personally Identifiable Information (PII)"
| CW
|-
| [[London]]
| 12 Mar 2009
| Outreach
| Closed
| Presentation about the Global Industry Committee, its role and recent activities (presentation slides [[Image:Owasp-london-industry-committee-march-2009.ppt]] and written notes [[Image:Owasp-london-industry-committee-march-2009-notes.pdf]])
| CW
|-
| [[Industry:Digital Britain Interim Report|Digital Britain Interim Report]]
| 11 Mar 2009
| Legislation
| Closed
| Provide response to UK Government's "Digital Britain Interim Report Jan 2009"
| CW
|-
| [http://www.owasp.org/index.php/Front_Range_OWASP_Conference_2009 SnowFROC Front Range]
| 5 Mar 2009
| Outreach
| Closed
| Conference organisation
| DC
|-
| US [http://www.commerce.gov/ Department of Commerce]
| 25 Feb 2009
| Outreach
| Closed
| Presentation about OWASP to Economic Security Working Group
| RB
|-
| [[Industry:DPC BS 8878:2009|DPC BS 8878:2009]]
| 31 Jan 2009
| Standards
| Closed
| Provide response to "BS 8878:2009 Web accessibility. Building accessible experiences for disabled people" Draft for Public Comment (DPC)
| Puneet/CW
|-
| AppSec Presentation Delivered to Infragard, Dec 2008
| Dec 2008
| Outreach
| Closed
| [http://www.infragard.net/ Infragard] is a collaboration between the US FBI and maintainers of critical infrastructure. [http://docs.google.com/Present?docid=ddkr62qv_0cn7km4c3&skipauth=true Presentation here]. Email DC for full PPT with speaker notes
| DC
|-
| The Register [http://www.theregister.co.uk/2008/11/22/google_analytics_as_security_risk/ Google Analytics — Yes, it is a security risk]
| Nov 2008
| Outreach
| Closed
| Co-ordination of response and provision of comments from OWASP leaders about risk of JavaScript on Barack Obama's website
| DC
|}

=== General Presentations and Reports ===

[[Summit 2009]]

*Global Industry Committee Presentation [[Image:Owasp-summit2009-industry-committee.ppt]]

Summaries (for inclusion into other full OWASP presentations):

*Sep 2009 [[Image:Owasp-industry-committee-summary-september-2009.ppt]]
*Jul 2009 [[Image:Owasp-industry-committee-summary-july-2009.ppt]]
*May 2009 [[Image:Owasp-industry-committee-summary-may-2009.ppt]]
*Apr 2009 [[Image:Owasp-industry-committee-summary-april-2009.ppt]]
*Mar 2009 [[Image:Owasp-industry-committee-summary-march-2009.ppt]]

 

Other [http://www.owasp.org/index.php/Global_Committee_Pages Global Committees]

2010-01-24T18:22:59Z

Afry: /* Completed Items */

2008-11-01T18:35:52Z

Afry:

[[Project Information:template Source Code Review OWASP Projects|Clik here to return to the previous page]].

{| style="width:100%" border="0" align="center"
! colspan="3" align="center" style="background:#4058A0; color:white"|'''FINAL REVIEW'''
|-
| style="width:25%; background:white" align="center"|'''PART I'''
| colspan="2" style="width:75%; background:white" align="left"|
|-
| style="width:25%; background:#7B8ABD" align="center"|
Project Deliveries & Objectives
| colspan="2" style="width:75%; background:#cccccc" align="left"|
[[OWASP Summer of Code 2008 Applications - Need Futher Clarifications#Source Code Review OWASP Projects|OWASP Source Code Review OWASP-Projects Project's Deliveries & Objectives]]
|-
| style="width:25%; background:#4058A0" align="center"|'''QUESTIONS'''
| colspan="2" style="width:75%; background:#4058A0" align="left"|'''ANSWERS'''
|-
| style="width:25%; background:#7B8ABD" align="center"|
1. At what extent have the project deliveries & objectives been accomplished? Having in consideration [[OWASP Summer of Code 2008 Applications - Need Futher Clarifications#Source Code Review OWASP Projects|'''the assumed ones''']], please exemplify writing down those of them that haven't been realised.
| colspan="2" style="width:75%; background:#cccccc" align="left"|
The major project objectives have been accomplished:
# Verified that the workflow for introducing static analysis into OWASP projects has been created.
# Verified that 10 OWASP projects have been submitted to be analyzed on the owasp.fortify.com site to establish an OWASP baseline.
# Verified that the project has submitted the 25 most popular open source PHP projects to be analyzed on the owasp.fortify.com site to establish an open source baseline.
|-
| style="width:25%; background:#7B8ABD" align="center"|
2. At what extent have the project deliveries & objectives been accomplished? Having in consideration [[OWASP Summer of Code 2008 Applications - Need Futher Clarifications#Source Code Review OWASP Projects|'''the assumed ones''']], please quantify in terms of percentage.
| colspan="2" style="width:75%; background:#cccccc" align="left"|
1. Workflow for introducing static analysis into OWASP projects (100%).
2. Analyzed 10 OWASP projects (100%).
3. Analyzed 25 most popular open source PHP projects on owasp.fortify.com (100%).
|-
| style="width:25%; background:#7B8ABD" align="center"|
3. Please do use the right hand side column to provide advice and make work suggestions.
| colspan="2" style="width:75%; background:#cccccc" align="left"|
|-
| style="width:25%; background:white" align="center"|'''PART II'''
| colspan="2" style="width:75%; background:white" align="left"|
|-
| style="width:25%; background:#7B8ABD" align="center"|
Assessment Criteria
| colspan="2" style="width:75%; background:#cccccc" align="left"|
[[:Category:OWASP Project Assessment|OWASP Project Assessment Criteria]]
|-
| style="width:25%; background:#4058A0" align="center"|'''QUESTIONS'''
| colspan="2" style="width:75%; background:#4058A0" align="left"|'''ANSWERS'''
|-
| style="width:25%; background:#7B8ABD" align="center"|
1. Having into consideration the [[:Category:OWASP Project Assessment|OWASP Project Assessment Methodology]] which criteria, if any, haven’t been fulfilled in terms of '''Alpha Quality''' status?
| colspan="2" style="width:75%; background:#cccccc" align="left"|
|-
| style="width:25%; background:#7B8ABD" align="center"|
2. Having into consideration the [[:Category:OWASP Project Assessment|OWASP Project Assessment Methodology]] which criteria, if any, haven’t been fulfilled in terms of '''Beta Quality''' status?
| colspan="2" style="width:75%; background:#cccccc" align="left"|
|-
| style="width:25%; background:#7B8ABD" align="center"|
3. Having into consideration the [[:Category:OWASP Project Assessment|OWASP Project Assessment Methodology]] which criteria, if any, haven’t been fulfilled in terms of '''Release Quality''' status?
| colspan="2" style="width:75%; background:#cccccc" align="left"|
|-
| style="width:25%; background:#7B8ABD" align="center"|
4. Please do use the right hand side column to provide advice and make work suggestions.
| colspan="2" style="width:75%; background:#cccccc" align="left"|
|}