https://wiki.owasp.org/api.php?action=feedcontributions&feedformat=atom&user=GeorghessOWASP - User contributions [en]2026-05-09T03:23:42ZUser contributionsMediaWiki 1.27.2https://wiki.owasp.org/index.php?title=AppSec_US_2010,_CA/Attending_Owasp_Leaders&diff=88475AppSec US 2010, CA/Attending Owasp Leaders2010-09-01T13:43:30Z<p>Georghess: </p>
<hr />
<div>Page to manage the participation of the OWASP leaders at the [[AppSec_US_2010,_CA|AppSec USA in Irvine USA]]<br />
<br />
===Attending Leaders - Confirmed===<br />
<br />
* [[User:Dancornell|Dan Cornell]]- ''San Antonio Chapter and Global Membership Committee''<br />
* Tony UV - ''Atlanta Chapter''<br />
* [[User:Jmanico|Jim Manico]] - ''Podcast Project''<br />
* [[User:MichaelCoates|Michael Coates]] - ''AppSensor project and Global Membership Committee''<br />
* [[User:Knoblochmartin|Martin Knobloch]] - ''Education and Connections Committee''<br />
* [[User:Rsnake|Robert Hansen]] - ''Connections Committee''<br />
* [[User:Mtesauro|Matt Tesauro]] - ''Live CD project, Board Member''<br />
* [[User:Wichers|Dave Wichers]] - ''Top 10 project, Board Member''<br />
* [[User:brennan|Tom Brennan]] - ''NYC Chapter Leader, RFP Criteria project, OWASP-CRM, Board Member''<br />
* [[User:Jeff_Williams|Jeff Williams]] - ''ESAPI project, Board Member''<br />
* [[User:Dinis.cruz|Dinis Cruz]] - ''O2 Platform project, Board Member''<br />
* [http://www.owasp.org/index.php/User:Dc David Campbell] - ''Denver Chapter, Industry Committee''<br />
* [http://www.owasp.org/index.php/User:Justin42 Justin Clarke] - ''London Chapter and Connections Committee''<br />
* Roman Hustad - ''Sacramento Chapter''<br />
* Peter Dean - ''NYC Chapter Leader''<br />
* Georg Hess - ''German Chapter, Industry Committee''<br />
<br />
'''Part of the conference organization'''<br />
* Cassio Goldschmidt - ''Los Angeles Chapter''<br />
* [[:User:Tin Zaw|Tin Zaw]] - ''Los Angeles Chapter''<br />
* Howard Fore - ''Atlanta Chapter (Bring a Developer Attendee)''<br />
* Jon Bango - ''Atlanta Chapter (Bring a Developer Attendee)''<br />
* [[User:Richard greenberg|Richard Greenberg]] - ''Los Angeles Chapter''<br />
* [http://twitter.com/nilematotle Neil Matatall] - ''[[http://www.owasp.org/index.php/Orange_County Orange County Chapter]]''<br />
<br />
===Also attending (part of OWASP community)===<br />
* Joseph Dawson<br />
<br />
===Attending Leaders - TBC===<br />
* [[User:Lorna Alamri|Lorna Alamri]] - ''Connections Committee''<br />
<br />
===Key WebAppSec players===<br />
objective: identfy potential synergies between WebAppSec industry players and OWASP leaders (for example too meet and have a meeting)<br />
<br />
* Firefox Browser <br />
** There are a number of Firefox employees participating and they have shown interest in talking to OWAPS about how we can work together<br />
<br />
===Developers and QA participating===<br />
'''Sponsored by the Atlanta Chapter'''<br />
Howard Fore (Atlanta Developer) - Howard Fore is a senior web developer in Atlanta, Georgia. He's involved in some high-visibility web projects at the Federal Reserve Bank of Atlanta. Increasing awareness of secure software development practices is an departmental objective for 2010 and he's a member of the security workgroup, which is leading the way in that endeavor. Other practices the security workgroup are implementing include static code analysis and code inspection.<br />
<br />
Jon Bango (Atlanta Developer) - Jon Bango is an Information Technology professional with over 13 years experience in the education, financial services and retail industries. Primarily working at the enterprise level, Jon has utilized the J2EE stack in building web applications for the largest home improvement retailer in the world. Most recently he has branched out into RIA technologies working in Adobe Flex and Microsoft Silverlight. Currently, Jon has transitioned into the dark arts at his company’s Information Assurance department in which the groundwork has been laid to utilize his developer talents to create a company wide secure coding initiative.<br />
<br />
<br />
''Question:Should we also do the same tracking for other Developers and QA/Testing professionals?''<br />
<br />
===To do (tasks)===<br />
* for each each participant<br />
** link to MediaWiki user page<br />
** add twitter accounts<br />
*Travel arrangements<br />
** map travel dates<br />
** when/where they are arriving <br />
** where are they staying<br />
* figure out what to do with the leaders when they are there<br />
* should we create a welcome pack for these leaders?<br />
* should we see if they need help in their travel arrangements?<br />
* should we see if its possible to find a local host for the accomodation (it is always better than going into an hotel)?<br />
* do we need a budget? if so, how much?<br />
<br />
[[Category:Connections Committee]]</div>Georghesshttps://wiki.owasp.org/index.php?title=AppSec_US_2010,_CA/Attending_Owasp_Leaders&diff=88474AppSec US 2010, CA/Attending Owasp Leaders2010-09-01T13:42:42Z<p>Georghess: </p>
<hr />
<div>Page to manage the participation of the OWASP leaders at the [[AppSec_US_2010,_CA|AppSec USA in Irvine USA]]<br />
<br />
===Attending Leaders - Confirmed===<br />
<br />
* [[User:Dancornell|Dan Cornell]]- ''San Antonio Chapter and Global Membership Committee''<br />
* Tony UV - ''Atlanta Chapter''<br />
* [[User:Jmanico|Jim Manico]] - ''Podcast Project''<br />
* [[User:MichaelCoates|Michael Coates]] - ''AppSensor project and Global Membership Committee''<br />
* [[User:Knoblochmartin|Martin Knobloch]] - ''Education and Connections Committee''<br />
* [[User:Rsnake|Robert Hansen]] - ''Connections Committee''<br />
* [[User:Mtesauro|Matt Tesauro]] - ''Live CD project, Board Member''<br />
* [[User:Wichers|Dave Wichers]] - ''Top 10 project, Board Member''<br />
* [[User:brennan|Tom Brennan]] - ''NYC Chapter Leader, RFP Criteria project, OWASP-CRM, Board Member''<br />
* [[User:Jeff_Williams|Jeff Williams]] - ''ESAPI project, Board Member''<br />
* [[User:Dinis.cruz|Dinis Cruz]] - ''O2 Platform project, Board Member''<br />
* [http://www.owasp.org/index.php/User:Dc David Campbell] - ''Denver Chapter, Industry Committee''<br />
* [http://www.owasp.org/index.php/User:Justin42 Justin Clarke] - ''London Chapter and Connections Committee''<br />
* Roman Hustad - ''Sacramento Chapter''<br />
* Peter Dean - ''NYC Chapter Leader''<br />
* [[User:georghess|Georg Hess]] - ''German Chapter, Industry Committee''<br />
<br />
'''Part of the conference organization'''<br />
* Cassio Goldschmidt - ''Los Angeles Chapter''<br />
* [[:User:Tin Zaw|Tin Zaw]] - ''Los Angeles Chapter''<br />
* Howard Fore - ''Atlanta Chapter (Bring a Developer Attendee)''<br />
* Jon Bango - ''Atlanta Chapter (Bring a Developer Attendee)''<br />
* [[User:Richard greenberg|Richard Greenberg]] - ''Los Angeles Chapter''<br />
* [http://twitter.com/nilematotle Neil Matatall] - ''[[http://www.owasp.org/index.php/Orange_County Orange County Chapter]]''<br />
<br />
===Also attending (part of OWASP community)===<br />
* Joseph Dawson<br />
<br />
===Attending Leaders - TBC===<br />
* [[User:Lorna Alamri|Lorna Alamri]] - ''Connections Committee''<br />
<br />
===Key WebAppSec players===<br />
objective: identfy potential synergies between WebAppSec industry players and OWASP leaders (for example too meet and have a meeting)<br />
<br />
* Firefox Browser <br />
** There are a number of Firefox employees participating and they have shown interest in talking to OWAPS about how we can work together<br />
<br />
===Developers and QA participating===<br />
'''Sponsored by the Atlanta Chapter'''<br />
Howard Fore (Atlanta Developer) - Howard Fore is a senior web developer in Atlanta, Georgia. He's involved in some high-visibility web projects at the Federal Reserve Bank of Atlanta. Increasing awareness of secure software development practices is an departmental objective for 2010 and he's a member of the security workgroup, which is leading the way in that endeavor. Other practices the security workgroup are implementing include static code analysis and code inspection.<br />
<br />
Jon Bango (Atlanta Developer) - Jon Bango is an Information Technology professional with over 13 years experience in the education, financial services and retail industries. Primarily working at the enterprise level, Jon has utilized the J2EE stack in building web applications for the largest home improvement retailer in the world. Most recently he has branched out into RIA technologies working in Adobe Flex and Microsoft Silverlight. Currently, Jon has transitioned into the dark arts at his company’s Information Assurance department in which the groundwork has been laid to utilize his developer talents to create a company wide secure coding initiative.<br />
<br />
<br />
''Question:Should we also do the same tracking for other Developers and QA/Testing professionals?''<br />
<br />
===To do (tasks)===<br />
* for each each participant<br />
** link to MediaWiki user page<br />
** add twitter accounts<br />
*Travel arrangements<br />
** map travel dates<br />
** when/where they are arriving <br />
** where are they staying<br />
* figure out what to do with the leaders when they are there<br />
* should we create a welcome pack for these leaders?<br />
* should we see if they need help in their travel arrangements?<br />
* should we see if its possible to find a local host for the accomodation (it is always better than going into an hotel)?<br />
* do we need a budget? if so, how much?<br />
<br />
[[Category:Connections Committee]]</div>Georghesshttps://wiki.owasp.org/index.php?title=Global_Conferences_Committee_-_John_Wilander&diff=73195Global Conferences Committee - John Wilander2009-11-13T16:33:52Z<p>Georghess: </p>
<hr />
<div>[[How to Join a Committee|Click here to return to 'How to Join a Committee' page]] <br />
<br />
----<br />
<br />
{| border="0" align="center" style="width: 100%;"<br />
|-<br />
! align="center" style="background: rgb(64, 88, 160) none repeat scroll 0% 0%; -moz-background-clip: border; -moz-background-origin: padding; -moz-background-inline-policy: continuous; color: white;" colspan="2" | <font color="white">'''COMMITTEE APPLICATION FORM'''</font><br />
|-<br />
| align="center" style="background: rgb(123, 138, 189) none repeat scroll 0% 0%; width: 25%; -moz-background-clip: border; -moz-background-origin: padding; -moz-background-inline-policy: continuous;" | '''Applicant's Name''' <br />
| align="left" style="background: rgb(204, 204, 204) none repeat scroll 0% 0%; width: 85%; -moz-background-clip: border; -moz-background-origin: padding; -moz-background-inline-policy: continuous;" colspan="1" | <font color="black">John Wilander</font><br />
|-<br />
| align="center" style="background: rgb(123, 138, 189) none repeat scroll 0% 0%; width: 25%; -moz-background-clip: border; -moz-background-origin: padding; -moz-background-inline-policy: continuous;" | '''Current and past OWASP Roles''' <br />
| align="left" style="background: rgb(204, 204, 204) none repeat scroll 0% 0%; width: 85%; -moz-background-clip: border; -moz-background-origin: padding; -moz-background-inline-policy: continuous;" colspan="1" | Chapter leader Sweden, Conference chair AppSec Research 2010<br />
|-<br />
| align="center" style="background: rgb(123, 138, 189) none repeat scroll 0% 0%; width: 25%; -moz-background-clip: border; -moz-background-origin: padding; -moz-background-inline-policy: continuous;" | '''Committee Applying for''' <br />
| align="left" style="background: rgb(204, 204, 204) none repeat scroll 0% 0%; width: 85%; -moz-background-clip: border; -moz-background-origin: padding; -moz-background-inline-policy: continuous;" colspan="1" | OWASP Global Conferences Committee<br />
|}<br />
<br />
----<br />
<br />
<br> <br />
<br />
----<br />
<br />
Please be aware that for an application to be considered by the board, '''you MUST have 5 recommendations'''. An incomplete application will not be considered for vote. <br />
<br />
----<br />
<br />
<br> <br />
<br />
----<br />
<br />
{| border="0" align="center" style="width: 100%;"<br />
|-<br />
! align="center" style="background: rgb(64, 88, 160) none repeat scroll 0% 0%; -moz-background-clip: border; -moz-background-origin: padding; -moz-background-inline-policy: continuous; color: white;" colspan="8" | <font color="white">'''COMMITTEE RECOMMENDATIONS'''</font><br />
|-<br />
! align="center" style="background: white none repeat scroll 0% 0%; -moz-background-clip: border; -moz-background-origin: padding; -moz-background-inline-policy: continuous; color: white;" | <font color="black"></font> <br />
! align="center" style="background: rgb(123, 138, 189) none repeat scroll 0% 0%; -moz-background-clip: border; -moz-background-origin: padding; -moz-background-inline-policy: continuous; color: white;" | <font color="black">'''Who Recommends/Name'''</font> <br />
! align="center" style="background: rgb(123, 138, 189) none repeat scroll 0% 0%; -moz-background-clip: border; -moz-background-origin: padding; -moz-background-inline-policy: continuous; color: white;" | <font color="black">'''Role in OWASP'''</font> <br />
! align="center" style="background: rgb(123, 138, 189) none repeat scroll 0% 0%; -moz-background-clip: border; -moz-background-origin: padding; -moz-background-inline-policy: continuous; color: white;" | <font color="black">'''Recommendation Content'''</font><br />
|-<br />
| align="center" style="background: rgb(204, 204, 204) none repeat scroll 0% 0%; width: 3%; -moz-background-clip: border; -moz-background-origin: padding; -moz-background-inline-policy: continuous;" | '''1''' <br />
| align="center" style="background: rgb(204, 204, 204) none repeat scroll 0% 0%; width: 20%; -moz-background-clip: border; -moz-background-origin: padding; -moz-background-inline-policy: continuous;" | Yiannis Pavlosoglou <br />
| align="center" style="background: rgb(204, 204, 204) none repeat scroll 0% 0%; width: 20%; -moz-background-clip: border; -moz-background-origin: padding; -moz-background-inline-policy: continuous;" | Project Leader: JBroFuzz <br />
| align="center" style="background: rgb(204, 204, 204) none repeat scroll 0% 0%; width: 57%; -moz-background-clip: border; -moz-background-origin: padding; -moz-background-inline-policy: continuous;" | Full support towards being part of the conferences committee from the European side.<br />
|-<br />
| align="center" style="background: rgb(204, 204, 204) none repeat scroll 0% 0%; width: 3%; -moz-background-clip: border; -moz-background-origin: padding; -moz-background-inline-policy: continuous;" | '''2''' <br />
| align="center" style="background: rgb(204, 204, 204) none repeat scroll 0% 0%; width: 20%; -moz-background-clip: border; -moz-background-origin: padding; -moz-background-inline-policy: continuous;" | Carl-Johan Bostorp <br />
| align="center" style="background: rgb(204, 204, 204) none repeat scroll 0% 0%; width: 20%; -moz-background-clip: border; -moz-background-origin: padding; -moz-background-inline-policy: continuous;" | OC-member AppSec Research 2010 <br />
| align="center" style="background: rgb(204, 204, 204) none repeat scroll 0% 0%; width: 57%; -moz-background-clip: border; -moz-background-origin: padding; -moz-background-inline-policy: continuous;" | John has consistently shown dedication to security for many years and have great people skills.<br />
|-<br />
| align="center" style="background: rgb(204, 204, 204) none repeat scroll 0% 0%; width: 3%; -moz-background-clip: border; -moz-background-origin: padding; -moz-background-inline-policy: continuous;" | '''3''' <br />
| align="center" style="background: rgb(204, 204, 204) none repeat scroll 0% 0%; width: 20%; -moz-background-clip: border; -moz-background-origin: padding; -moz-background-inline-policy: continuous;" | Arshan Dabirsiaghi <br />
| align="center" style="background: rgb(204, 204, 204) none repeat scroll 0% 0%; width: 20%; -moz-background-clip: border; -moz-background-origin: padding; -moz-background-inline-policy: continuous;" | Project leader <br />
| align="center" style="background: rgb(204, 204, 204) none repeat scroll 0% 0%; width: 57%; -moz-background-clip: border; -moz-background-origin: padding; -moz-background-inline-policy: continuous;" | John has a sweet beard.<br />
|-<br />
| align="center" style="background: rgb(204, 204, 204) none repeat scroll 0% 0%; width: 3%; -moz-background-clip: border; -moz-background-origin: padding; -moz-background-inline-policy: continuous;" | '''4''' <br />
| align="center" style="background: rgb(204, 204, 204) none repeat scroll 0% 0%; width: 20%; -moz-background-clip: border; -moz-background-origin: padding; -moz-background-inline-policy: continuous;" | Eric Sheridan <br />
| align="center" style="background: rgb(204, 204, 204) none repeat scroll 0% 0%; width: 20%; -moz-background-clip: border; -moz-background-origin: padding; -moz-background-inline-policy: continuous;" | Project Leader <br />
| align="center" style="background: rgb(204, 204, 204) none repeat scroll 0% 0%; width: 57%; -moz-background-clip: border; -moz-background-origin: padding; -moz-background-inline-policy: continuous;" | Has a Mac too.<br />
|-<br />
| align="center" style="background: rgb(204, 204, 204) none repeat scroll 0% 0%; width: 3%; -moz-background-clip: border; -moz-background-origin: padding; -moz-background-inline-policy: continuous;" | '''5''' <br />
| align="center" style="background: rgb(204, 204, 204) none repeat scroll 0% 0%; width: 20%; -moz-background-clip: border; -moz-background-origin: padding; -moz-background-inline-policy: continuous;" | Georg Hess<br />
| align="center" style="background: rgb(204, 204, 204) none repeat scroll 0% 0%; width: 20%; -moz-background-clip: border; -moz-background-origin: padding; -moz-background-inline-policy: continuous;" | German Chapter Leader<br />
| align="center" style="background: rgb(204, 204, 204) none repeat scroll 0% 0%; width: 57%; -moz-background-clip: border; -moz-background-origin: padding; -moz-background-inline-policy: continuous;" | Done already a great job on OWASP AppSec EU 2010.<br />
|}<br />
<br />
----</div>Georghesshttps://wiki.owasp.org/index.php?title=Category:OWASP_CSA_Project&diff=65567Category:OWASP CSA Project2009-07-08T14:30:37Z<p>Georghess: </p>
<hr />
<div>Last Updated: 6/25/2009<br />
<br />
<hr><br />
<b>Mission of CSA_Project Collective</b><br />
To promote the use of best practices for providing security assurance within Cloud Computing, and provide education on the uses of Cloud Computing to help secure all other forms of computing<br />
<br />
Primary Project Website: [http://www.cloudsecurityalliance.org http://www.cloudsecurityalliance.org]<br />
<br><br />
Project leaders: Warren Axelrod & Michael Sutton <br />
<br />
Version 1.0 Document: [http://www.cloudsecurityalliance.org/guidance/csaguide.pdf Get it Now] and [http://cloudsecurityalliance.org/guidance Additional CSA resources]<br />
<br />
<h1><center><b> Deadline for RFC July 8th 2009 </b></center></h1><br />
<br />
<hr><br />
<br />
If you would like to contribute to this effort as a OWASP voice of Industry/Projects you can and its VERY simple to get started.<br />
<br />
Step #1 - Review V1.0 http://www.cloudsecurityalliance.org/guidance/csaguide.pdf<br />
<br />
Step #2 - Condense your written comments, references for improvement and suggestions and review/post them to the WIKI - http://www.owasp.org/index.php/Category:OWASP_CSA_Project. This location will be monitored by CSA for inclusion into Version 2.0<br />
<br />
Step #3 - Add your name to the wiki page if you would like to work on this effort. The goal is to utilize the experts at OWASP to review and comment as a collective group and reference OWASP existing materials to help the CSA effort and to raise awareness to others about OWASP.<br />
<br />
<b><u>Name/eMail/Phone</u></b><br />
<br />
Tom Brennan/tomb(at)owasp.org/9732020122<br />
<br />
Michael Coates/michael.coates(at)owasp.org/6302072567<br />
<br />
Adam Muntner/Adam.Muntner(at)quietmove.com/6024459801<br />
<br />
Arthur Hedge/ahedge(at)castleventures.com/9735388004<br />
<br />
Georg Hess/georg.hess(at)artofdefence.com/+4994160488958<br />
<hr><br />
<br />
Comments on the Domain 11: Application Security Page 65-71 (not limited to that domain BTW)<br />
<table border=1><br />
<tr><br />
<td><br />
Page #</td> <td> Comment </td> <td> Your Name </td></tr><br />
<br />
<tr><td>4</td> <td>Include OWASP member attribution and affiliation. The more names, the better</td><td>James McGovern</td></tr><br />
<br />
<tr><td>27</td> <td>PCI defines requirements above and beyond just payment processing. Challenges such as file integrity monitoring and patch management become more nebulous in a cloud</td><td>James McGovern</td></tr><br />
<br />
<tr><td>34</td> <td>Additional considerations may include constructs such as receiving a document preservation notice where a court may order you to restore a system to a known point in time. The fluidity of a cloud makes this challenging</td><td>James McGovern</td></tr><br />
<br />
<tr><td>72</td> <td>The second sentence of the Issuance and Guidance on page 72 is misleading and factually incorrect. "Encrypted data is intrinsically protected; if someone has the data without its corresponding keys, they cannot use the data at all." Encrypting data will guarantee that the data is not viewed or modified by a party that does not possess the corresponding keys. However, encrypted data can be used in reply attacks. As such, it is imperative that the transfer of encrypted data utzilize secure tokens and timestamps to ensure the transmission is not subject to replay attacks. The use of SSL/TLS for data transmission will provide both encryption of data and protection against replay attacks.</td><td>Michael Coates</td></tr><br />
<br />
<tr><td>65</td><td>The entire Domain 11, Application Security, seems to focus more on some minor architecture differences, but doesn't focus on acutal application level threats - XSS, CSRF, SQL etc injection attacks, and business logic holes such as authentication/authorization issues.</td><td> Adam Muntner </td></tr><br />
<tr><td>65</td><td> "For application security, the answer to each of these questions has two: what <br />
security controls must the application provide over and above the controls inherent in the cloud <br />
platform and how must an enterprise’s secure development lifecycle change to accommodate <br />
cloud computing?"<br />
This is the only quote in the Problem Statement which is relevant. The rest can safely be scrubbed. </td><td>Adam Muntner </td></tr><br />
<tr><td>70</td><td> "Final Thoughts" section: Attack methods are well known. OWASP Testing Guide is one point of reference, and OSSTM is another. How will malicious actors react? By being malicious actors. A list of web links for further research would be more useful.</td><td> Adam Muntner </td></tr><br />
<tr><td>13</td><td> Authentication mentioned - should refer to Authorization as well </td><td> Adam Muntner </td></tr><br />
<tr><td>71</td><td> The [[:Category:OWASP Application Security Verification Standard Project|OWASP Application Security Verification Standard]], [[:Category:OWASP Enterprise Security API|OWASP Enterprise Security API]] and [[:Category:Software Assurance Maturity Model|OWASP Software Assurance Maturity Model]] should be added to the list of references </td><td> Colin Watson </td></tr><br />
<tr><td>48</td><td>Consideration should be given to having cloud providers produce audit reports of privileged user access and activity to the data owner.</td><td> Arthur Hedge </td></tr><br />
<tr><td>7</td><td>Should be rewritten to "Domain 1 principles of cloud computing" or "Domain 1 principal characteristics of cloud computing"</td><td> Arthur Hedge</td></tr><br />
<tr><td>28</td><td> Should be "Procedures for addressing a Legal Hold;" instead of "Procedures for address a Legal Hold;" </td><td> Arthur Hedge</td></tr><br />
<tr><td>11</td><td> Could start with "Cloud Applications are Web Applications in particular. Thus, virtually all of the challenges of Web Application Security apply to cloud applications, too. This document focuses on the new challenges of web applications "living in the cloud" but all knowledge about "classical" Web Application Security such as provided by OWASP should still be considered.</td><td> Georg Hess</td></tr><br />
<tr><td>65</td><td> Could start with "Cloud Applications are Web Applications in particular. Thus, virtually all of the challenges of Web Application Security apply to cloud applications, too. This document focuses on the new challenges of web applications "living in the cloud" but all knowledge about "classical" Web Application Security such as provided by OWASP should still be considered.</td><td> Georg Hess</td></tr><br />
<tr><td>65</td><td> Issues and Guidance, last sentence of first paragraph should be rewritten "... a set of application level controls and through the appropriate choice of cloud services - e.g. Web App Security Scanning, Source Code Analysis or Web App Firewalls - and the through the service agreement with the cloud vendor.</td><td> Georg Hess</td></tr><br />
<tr><td>66</td><td> IaaS Impact on Application Security Architecture, second sentence, should be rewritten "... put in place to secure the application itself, the host and the network...." . </td><td> Georg Hess</td></tr><br />
<tr><td>66</td><td> IaaS Impact on Application Security Architecture, should be added as a last sentence "IaaS providers may offer - third-party or on their own - cloud application security specific services - e.g. Web App Security Scanning, Source Code Analysis or Web App Intrusion Detection/Prevention Systems - to increase security at the application layer and to support customers in fulfilling application specific compliance requirements. </td><td> Georg Hess</td></tr><br />
<tr><td>67</td><td> First sentence below Figure 4: should be rewritten "...and the vendor through application specific security services and controls and the Service Level Agreement (SLA)...." . </td><td> Georg Hess</td></tr><br />
<tr><td>69</td><td> PaaS Impact on Application Security Architecture, should be added as a last sentence of first paragraph "On the other hand, PaaS providers may offer built-in application security controls within their - already restricted - programming environment to help developers avoid known application vulnerabilities. </td><td> Georg Hess</td></tr><br />
<tr><td>70</td><td> "Final thoughts" section: This section is completely lacking of "classical" web app vulnerabilities like OWASP Top 10 that currently are - and in my opinion will still be - most relevant also in the cloud context. I suggest to, at least, mention some of the classical attack vectors like e.g. Cross-Site-Scripting, SQL-Injection, OWASP Top10 etc. in addition to JavaScript etc. - and perhaps re-work this chapter with a bit more time later on.... </td><td> Georg Hess</td></tr><br />
<tr><td>page#</td><td> Comment Here </td><td> Name here </td></tr><br />
<tr><td>page#</td><td> Comment Here </td><td> Name here </td></tr><br />
<br />
</table><br />
Comments on the Domain 11: Application Security Page 65-71 <br />
<br />
Page # Comment Your Name<br />
===================================================================================<br />
<br />
<br />
<hr></div>Georghesshttps://wiki.owasp.org/index.php?title=Category:OWASP_CSA_Project&diff=65563Category:OWASP CSA Project2009-07-08T14:18:06Z<p>Georghess: </p>
<hr />
<div>Last Updated: 6/25/2009<br />
<br />
<hr><br />
<b>Mission of CSA_Project Collective</b><br />
To promote the use of best practices for providing security assurance within Cloud Computing, and provide education on the uses of Cloud Computing to help secure all other forms of computing<br />
<br />
Primary Project Website: [http://www.cloudsecurityalliance.org http://www.cloudsecurityalliance.org]<br />
<br><br />
Project leaders: Warren Axelrod & Michael Sutton <br />
<br />
Version 1.0 Document: [http://www.cloudsecurityalliance.org/guidance/csaguide.pdf Get it Now] and [http://cloudsecurityalliance.org/guidance Additional CSA resources]<br />
<br />
<h1><center><b> Deadline for RFC July 8th 2009 </b></center></h1><br />
<br />
<hr><br />
<br />
If you would like to contribute to this effort as a OWASP voice of Industry/Projects you can and its VERY simple to get started.<br />
<br />
Step #1 - Review V1.0 http://www.cloudsecurityalliance.org/guidance/csaguide.pdf<br />
<br />
Step #2 - Condense your written comments, references for improvement and suggestions and review/post them to the WIKI - http://www.owasp.org/index.php/Category:OWASP_CSA_Project. This location will be monitored by CSA for inclusion into Version 2.0<br />
<br />
Step #3 - Add your name to the wiki page if you would like to work on this effort. The goal is to utilize the experts at OWASP to review and comment as a collective group and reference OWASP existing materials to help the CSA effort and to raise awareness to others about OWASP.<br />
<br />
<b><u>Name/eMail/Phone</u></b><br />
<br />
Tom Brennan/tomb(at)owasp.org/9732020122<br />
<br />
Michael Coates/michael.coates(at)owasp.org/6302072567<br />
<br />
Adam Muntner/Adam.Muntner(at)quietmove.com/6024459801<br />
<br />
Arthur Hedge/ahedge(at)castleventures.com/9735388004<br />
<br />
Georg Hess/georg.hess(at)artofdefence.com/+4994160488958<br />
<hr><br />
<br />
Comments on the Domain 11: Application Security Page 65-71 (not limited to that domain BTW)<br />
<table border=1><br />
<tr><br />
<td><br />
Page #</td> <td> Comment </td> <td> Your Name </td></tr><br />
<br />
<tr><td>4</td> <td>Include OWASP member attribution and affiliation. The more names, the better</td><td>James McGovern</td></tr><br />
<br />
<tr><td>27</td> <td>PCI defines requirements above and beyond just payment processing. Challenges such as file integrity monitoring and patch management become more nebulous in a cloud</td><td>James McGovern</td></tr><br />
<br />
<tr><td>34</td> <td>Additional considerations may include constructs such as receiving a document preservation notice where a court may order you to restore a system to a known point in time. The fluidity of a cloud makes this challenging</td><td>James McGovern</td></tr><br />
<br />
<tr><td>72</td> <td>The second sentence of the Issuance and Guidance on page 72 is misleading and factually incorrect. "Encrypted data is intrinsically protected; if someone has the data without its corresponding keys, they cannot use the data at all." Encrypting data will guarantee that the data is not viewed or modified by a party that does not possess the corresponding keys. However, encrypted data can be used in reply attacks. As such, it is imperative that the transfer of encrypted data utzilize secure tokens and timestamps to ensure the transmission is not subject to replay attacks. The use of SSL/TLS for data transmission will provide both encryption of data and protection against replay attacks.</td><td>Michael Coates</td></tr><br />
<br />
<tr><td>65</td><td>The entire Domain 11, Application Security, seems to focus more on some minor architecture differences, but doesn't focus on acutal application level threats - XSS, CSRF, SQL etc injection attacks, and business logic holes such as authentication/authorization issues.</td><td> Adam Muntner </td></tr><br />
<tr><td>65</td><td> "For application security, the answer to each of these questions has two: what <br />
security controls must the application provide over and above the controls inherent in the cloud <br />
platform and how must an enterprise’s secure development lifecycle change to accommodate <br />
cloud computing?"<br />
This is the only quote in the Problem Statement which is relevant. The rest can safely be scrubbed. </td><td>Adam Muntner </td></tr><br />
<tr><td>70</td><td> "Final Thoughts" section: Attack methods are well known. OWASP Testing Guide is one point of reference, and OSSTM is another. How will malicious actors react? By being malicious actors. A list of web links for further research would be more useful.</td><td> Adam Muntner </td></tr><br />
<tr><td>13</td><td> Authentication mentioned - should refer to Authorization as well </td><td> Adam Muntner </td></tr><br />
<tr><td>71</td><td> The [[:Category:OWASP Application Security Verification Standard Project|OWASP Application Security Verification Standard]], [[:Category:OWASP Enterprise Security API|OWASP Enterprise Security API]] and [[:Category:Software Assurance Maturity Model|OWASP Software Assurance Maturity Model]] should be added to the list of references </td><td> Colin Watson </td></tr><br />
<tr><td>48</td><td>Consideration should be given to having cloud providers produce audit reports of privileged user access and activity to the data owner.</td><td> Arthur Hedge </td></tr><br />
<tr><td>7</td><td>Should be rewritten to "Domain 1 principles of cloud computing" or "Domain 1 principal characteristics of cloud computing"</td><td> Arthur Hedge</td></tr><br />
<tr><td>28</td><td> Should be "Procedures for addressing a Legal Hold;" instead of "Procedures for address a Legal Hold;" </td><td> Arthur Hedge</td></tr><br />
<tr><td>11</td><td> Could start with "Cloud Applications are Web Applications in particular. Thus, virtually all of the challenges of Web Application Security apply to cloud applications, too. This document focuses on the new challenges of web applications "living in the cloud" but all knowledge about "classical" Web Application Security such as provided by OWASP should still be considered.</td><td> Georg Hess</td></tr><br />
<tr><td>65</td><td> Could start with "Cloud Applications are Web Applications in particular. Thus, virtually all of the challenges of Web Application Security apply to cloud applications, too. This document focuses on the new challenges of web applications "living in the cloud" but all knowledge about "classical" Web Application Security such as provided by OWASP should still be considered.</td><td> Georg Hess</td></tr><br />
<tr><td>65</td><td> Issues and Guidance, last sentence of first paragraph should be rewritten "... a set of application level controls and through the appropriate choice of cloud services - e.g. Web App Security Scanning, Source Code Analysis or Web App Firewalls - and the through the service agreement with the cloud vendor.</td><td> Georg Hess</td></tr><br />
<tr><td>66</td><td> IaaS Impact on Application Security Architecture, second sentence, should be rewritten "... put in place to secure the application itself, the host and the network...." . </td><td> Georg Hess</td></tr><br />
<tr><td>66</td><td> IaaS Impact on Application Security Architecture, should be added as a last sentence "IaaS providers may offer - third-party or on their own - cloud application security specific services - e.g. Web App Security Scanning, Source Code Analysis or Web App Intrusion Detection/Prevention Systems - to increase security at the application layer and to support customers in fulfilling application specific compliance requirements. </td><td> Georg Hess</td></tr><br />
<tr><td>67</td><td> First sentence below Figure 4: should be rewritten "...and the vendor through application specific security services and controls and the Service Level Agreement (SLA)...." . </td><td> Georg Hess</td></tr><br />
<tr><td>69</td><td> PaaS Impact on Application Security Architecture, should be added as a last sentence of first paragraph "On the other hand, PaaS providers may offer built-in application security controls within their - already restricted - programming environment to help developers avoid known application vulnerabilities. </td><td> Georg Hess</td></tr><br />
<tr><td>page#</td><td> Comment Here </td><td> Name here </td></tr><br />
<tr><td>page#</td><td> Comment Here </td><td> Name here </td></tr><br />
<br />
</table><br />
Comments on the Domain 11: Application Security Page 65-71 <br />
<br />
Page # Comment Your Name<br />
===================================================================================<br />
<br />
<br />
<hr></div>Georghesshttps://wiki.owasp.org/index.php?title=Category:OWASP_CSA_Project&diff=65561Category:OWASP CSA Project2009-07-08T14:09:52Z<p>Georghess: </p>
<hr />
<div>Last Updated: 6/25/2009<br />
<br />
<hr><br />
<b>Mission of CSA_Project Collective</b><br />
To promote the use of best practices for providing security assurance within Cloud Computing, and provide education on the uses of Cloud Computing to help secure all other forms of computing<br />
<br />
Primary Project Website: [http://www.cloudsecurityalliance.org http://www.cloudsecurityalliance.org]<br />
<br><br />
Project leaders: Warren Axelrod & Michael Sutton <br />
<br />
Version 1.0 Document: [http://www.cloudsecurityalliance.org/guidance/csaguide.pdf Get it Now] and [http://cloudsecurityalliance.org/guidance Additional CSA resources]<br />
<br />
<h1><center><b> Deadline for RFC July 8th 2009 </b></center></h1><br />
<br />
<hr><br />
<br />
If you would like to contribute to this effort as a OWASP voice of Industry/Projects you can and its VERY simple to get started.<br />
<br />
Step #1 - Review V1.0 http://www.cloudsecurityalliance.org/guidance/csaguide.pdf<br />
<br />
Step #2 - Condense your written comments, references for improvement and suggestions and review/post them to the WIKI - http://www.owasp.org/index.php/Category:OWASP_CSA_Project. This location will be monitored by CSA for inclusion into Version 2.0<br />
<br />
Step #3 - Add your name to the wiki page if you would like to work on this effort. The goal is to utilize the experts at OWASP to review and comment as a collective group and reference OWASP existing materials to help the CSA effort and to raise awareness to others about OWASP.<br />
<br />
<b><u>Name/eMail/Phone</u></b><br />
<br />
Tom Brennan/tomb(at)owasp.org/9732020122<br />
<br />
Michael Coates/michael.coates(at)owasp.org/6302072567<br />
<br />
Adam Muntner/Adam.Muntner(at)quietmove.com/6024459801<br />
<br />
Arthur Hedge/ahedge(at)castleventures.com/9735388004<br />
<br />
Georg Hess/georg.hess(at)artofdefence.com/+4994160488958<br />
<hr><br />
<br />
Comments on the Domain 11: Application Security Page 65-71 (not limited to that domain BTW)<br />
<table border=1><br />
<tr><br />
<td><br />
Page #</td> <td> Comment </td> <td> Your Name </td></tr><br />
<br />
<tr><td>4</td> <td>Include OWASP member attribution and affiliation. The more names, the better</td><td>James McGovern</td></tr><br />
<br />
<tr><td>27</td> <td>PCI defines requirements above and beyond just payment processing. Challenges such as file integrity monitoring and patch management become more nebulous in a cloud</td><td>James McGovern</td></tr><br />
<br />
<tr><td>34</td> <td>Additional considerations may include constructs such as receiving a document preservation notice where a court may order you to restore a system to a known point in time. The fluidity of a cloud makes this challenging</td><td>James McGovern</td></tr><br />
<br />
<tr><td>72</td> <td>The second sentence of the Issuance and Guidance on page 72 is misleading and factually incorrect. "Encrypted data is intrinsically protected; if someone has the data without its corresponding keys, they cannot use the data at all." Encrypting data will guarantee that the data is not viewed or modified by a party that does not possess the corresponding keys. However, encrypted data can be used in reply attacks. As such, it is imperative that the transfer of encrypted data utzilize secure tokens and timestamps to ensure the transmission is not subject to replay attacks. The use of SSL/TLS for data transmission will provide both encryption of data and protection against replay attacks.</td><td>Michael Coates</td></tr><br />
<br />
<tr><td>65</td><td>The entire Domain 11, Application Security, seems to focus more on some minor architecture differences, but doesn't focus on acutal application level threats - XSS, CSRF, SQL etc injection attacks, and business logic holes such as authentication/authorization issues.</td><td> Adam Muntner </td></tr><br />
<tr><td>65</td><td> "For application security, the answer to each of these questions has two: what <br />
security controls must the application provide over and above the controls inherent in the cloud <br />
platform and how must an enterprise’s secure development lifecycle change to accommodate <br />
cloud computing?"<br />
This is the only quote in the Problem Statement which is relevant. The rest can safely be scrubbed. </td><td>Adam Muntner </td></tr><br />
<tr><td>70</td><td> "Final Thoughts" section: Attack methods are well known. OWASP Testing Guide is one point of reference, and OSSTM is another. How will malicious actors react? By being malicious actors. A list of web links for further research would be more useful.</td><td> Adam Muntner </td></tr><br />
<tr><td>13</td><td> Authentication mentioned - should refer to Authorization as well </td><td> Adam Muntner </td></tr><br />
<tr><td>71</td><td> The [[:Category:OWASP Application Security Verification Standard Project|OWASP Application Security Verification Standard]], [[:Category:OWASP Enterprise Security API|OWASP Enterprise Security API]] and [[:Category:Software Assurance Maturity Model|OWASP Software Assurance Maturity Model]] should be added to the list of references </td><td> Colin Watson </td></tr><br />
<tr><td>48</td><td>Consideration should be given to having cloud providers produce audit reports of privileged user access and activity to the data owner.</td><td> Arthur Hedge </td></tr><br />
<tr><td>7</td><td>Should be rewritten to "Domain 1 principles of cloud computing" or "Domain 1 principal characteristics of cloud computing"</td><td> Arthur Hedge</td></tr><br />
<tr><td>28</td><td> Should be "Procedures for addressing a Legal Hold;" instead of "Procedures for address a Legal Hold;" </td><td> Arthur Hedge</td></tr><br />
<tr><td>11</td><td> Could start with "Cloud Applications are Web Applications in particular. Thus, virtually all of the challenges of Web Application Security apply to cloud applications, too. This document focuses on the new challenges of web applications "living in the cloud" but all knowledge about "classical" Web Application Security such as provided by OWASP should still be considered.</td><td> Georg Hess</td></tr><br />
<tr><td>65</td><td> Could start with "Cloud Applications are Web Applications in particular. Thus, virtually all of the challenges of Web Application Security apply to cloud applications, too. This document focuses on the new challenges of web applications "living in the cloud" but all knowledge about "classical" Web Application Security such as provided by OWASP should still be considered.</td><td> Georg Hess</td></tr><br />
<tr><td>65</td><td> Issues and Guidance, last sentence of first paragraph should be rewritten "... a set of application level controls and through the appropriate choice of cloud services - e.g. Web App Security Scanning, Source Code Analysis or Web App Firewalls - and the through the service agreement with the cloud vendor.</td><td> Georg Hess</td></tr><br />
<tr><td>66</td><td> IaaS Impact on Application Security Architecture, second sentence, should be rewritten "... put in place to secure the application itself, the host and the network...." . </td><td> Georg Hess</td></tr><br />
<tr><td>66</td><td> IaaS Impact on Application Security Architecture, should be added as a last sentence "IaaS providers may offer - third-party or on their own - cloud application security specific services - e.g. Web App Security Scanning, Source Code Analysis or Web App Intrusion Detection/Prevention Systems - to increase security at the application layer and to support customers in fulfilling application specific compliance requirements. </td><td> Georg Hess</td></tr><br />
<tr><td>67</td><td> First sentence below Figure 4: should be rewritten "...and the vendor through application specific security services and controls and the Service Level Agreement (SLA)...." . </td><td> Georg Hess</td></tr><br />
<tr><td>69</td><td> PaaS Impact on Application Security Architecture, should be added as a last sentence of first paragraph "On the other hand, PaaS providers may offer built-in application security controls within their - already restrictd - programming environment to help developers avoid known application vulnerabilities. </td><td> Georg Hess</td></tr><br />
<tr><td>page#</td><td> Comment Here </td><td> Name here </td></tr><br />
<tr><td>page#</td><td> Comment Here </td><td> Name here </td></tr><br />
<br />
</table><br />
Comments on the Domain 11: Application Security Page 65-71 <br />
<br />
Page # Comment Your Name<br />
===================================================================================<br />
<br />
<br />
<hr></div>Georghesshttps://wiki.owasp.org/index.php?title=Category:OWASP_CSA_Project&diff=65555Category:OWASP CSA Project2009-07-08T11:50:12Z<p>Georghess: </p>
<hr />
<div>Last Updated: 6/25/2009<br />
<br />
<hr><br />
<b>Mission of CSA_Project Collective</b><br />
To promote the use of best practices for providing security assurance within Cloud Computing, and provide education on the uses of Cloud Computing to help secure all other forms of computing<br />
<br />
Primary Project Website: [http://www.cloudsecurityalliance.org http://www.cloudsecurityalliance.org]<br />
<br><br />
Project leaders: Warren Axelrod & Michael Sutton <br />
<br />
Version 1.0 Document: [http://www.cloudsecurityalliance.org/guidance/csaguide.pdf Get it Now] and [http://cloudsecurityalliance.org/guidance Additional CSA resources]<br />
<br />
<h1><center><b> Deadline for RFC July 8th 2009 </b></center></h1><br />
<br />
<hr><br />
<br />
If you would like to contribute to this effort as a OWASP voice of Industry/Projects you can and its VERY simple to get started.<br />
<br />
Step #1 - Review V1.0 http://www.cloudsecurityalliance.org/guidance/csaguide.pdf<br />
<br />
Step #2 - Condense your written comments, references for improvement and suggestions and review/post them to the WIKI - http://www.owasp.org/index.php/Category:OWASP_CSA_Project. This location will be monitored by CSA for inclusion into Version 2.0<br />
<br />
Step #3 - Add your name to the wiki page if you would like to work on this effort. The goal is to utilize the experts at OWASP to review and comment as a collective group and reference OWASP existing materials to help the CSA effort and to raise awareness to others about OWASP.<br />
<br />
<b><u>Name/eMail/Phone</u></b><br />
<br />
Tom Brennan/tomb(at)owasp.org/9732020122<br />
<br />
Michael Coates/michael.coates(at)owasp.org/6302072567<br />
<br />
Adam Muntner/Adam.Muntner(at)quietmove.com/6024459801<br />
<br />
Arthur Hedge/ahedge(at)castleventures.com/9735388004<br />
<br />
Georg Hess/georg.hess(at)artofdefence.com/+4994160488958<br />
<hr><br />
<br />
Comments on the Domain 11: Application Security Page 65-71 (not limited to that domain BTW)<br />
<table border=1><br />
<tr><br />
<td><br />
Page #</td> <td> Comment </td> <td> Your Name </td></tr><br />
<br />
<tr><td>4</td> <td>Include OWASP member attribution and affiliation. The more names, the better</td><td>James McGovern</td></tr><br />
<br />
<tr><td>27</td> <td>PCI defines requirements above and beyond just payment processing. Challenges such as file integrity monitoring and patch management become more nebulous in a cloud</td><td>James McGovern</td></tr><br />
<br />
<tr><td>34</td> <td>Additional considerations may include constructs such as receiving a document preservation notice where a court may order you to restore a system to a known point in time. The fluidity of a cloud makes this challenging</td><td>James McGovern</td></tr><br />
<br />
<tr><td>72</td> <td>The second sentence of the Issuance and Guidance on page 72 is misleading and factually incorrect. "Encrypted data is intrinsically protected; if someone has the data without its corresponding keys, they cannot use the data at all." Encrypting data will guarantee that the data is not viewed or modified by a party that does not possess the corresponding keys. However, encrypted data can be used in reply attacks. As such, it is imperative that the transfer of encrypted data utzilize secure tokens and timestamps to ensure the transmission is not subject to replay attacks. The use of SSL/TLS for data transmission will provide both encryption of data and protection against replay attacks.</td><td>Michael Coates</td></tr><br />
<br />
<tr><td>65</td><td>The entire Domain 11, Application Security, seems to focus more on some minor architecture differences, but doesn't focus on acutal application level threats - XSS, CSRF, SQL etc injection attacks, and business logic holes such as authentication/authorization issues.</td><td> Adam Muntner </td></tr><br />
<tr><td>65</td><td> "For application security, the answer to each of these questions has two: what <br />
security controls must the application provide over and above the controls inherent in the cloud <br />
platform and how must an enterprise’s secure development lifecycle change to accommodate <br />
cloud computing?"<br />
This is the only quote in the Problem Statement which is relevant. The rest can safely be scrubbed. </td><td>Adam Muntner </td></tr><br />
<tr><td>70</td><td> "Final Thoughts" section: Attack methods are well known. OWASP Testing Guide is one point of reference, and OSSTM is another. How will malicious actors react? By being malicious actors. A list of web links for further research would be more useful.</td><td> Adam Muntner </td></tr><br />
<tr><td>13</td><td> Authentication mentioned - should refer to Authorization as well </td><td> Adam Muntner </td></tr><br />
<tr><td>71</td><td> The [[:Category:OWASP Application Security Verification Standard Project|OWASP Application Security Verification Standard]], [[:Category:OWASP Enterprise Security API|OWASP Enterprise Security API]] and [[:Category:Software Assurance Maturity Model|OWASP Software Assurance Maturity Model]] should be added to the list of references </td><td> Colin Watson </td></tr><br />
<tr><td>48</td><td>Consideration should be given to having cloud providers produce audit reports of privileged user access and activity to the data owner.</td><td> Arthur Hedge </td></tr><br />
<tr><td>7</td><td>Should be rewritten to "Domain 1 principles of cloud computing" or "Domain 1 principal characteristics of cloud computing"</td><td> Arthur Hedge</td></tr><br />
<tr><td>28</td><td> Should be "Procedures for addressing a Legal Hold;" instead of "Procedures for address a Legal Hold;" </td><td> Arthur Hedge</td></tr><br />
<tr><td>11</td><td> Could start with "Cloud Applications are Web Applications in particular. Thus, virtually all of the challenges of Web Application Security apply to cloud applications, too. This document focuses on the new challenges of web applications "living in the cloud" but all knowledge about "classical" Web Application Security such as provided by OWASP should still be considered.</td><td> Georg Hess</td></tr><br />
<tr><td>65</td><td> Could start with "Cloud Applications are Web Applications in particular. Thus, virtually all of the challenges of Web Application Security apply to cloud applications, too. This document focuses on the new challenges of web applications "living in the cloud" but all knowledge about "classical" Web Application Security such as provided by OWASP should still be considered.</td><td> Georg Hess</td></tr><br />
<tr><td>65</td><td> Issues and Guidance, last sentence of first paragraph should be rewritten "... a set of application level controls and through the appropriate choice of cloud services - e.g. Web App Security Scanning, Source Code Analysis or Web App Firewalls - and the through the service agreement with the cloud vendor.</td><td> Georg Hess</td></tr><br />
<tr><td>66</td><td> IaaS Impact on Application Security Architecture, second sentence, should be rewritten "... put in place to secure the application itself, the host and the network...." . </td><td> Georg Hess</td></tr><br />
<tr><td>66</td><td> IaaS Impact on Application Security Architecture, should be added as a last sentence "IaaS providers may offer - third-party or on their own - cloud application security specific services - e.g. Web App Security Scanning, Source Code Analysis or Web App Intrusion Detection/Prevention Systems - to increase security at the application layer and to support customers in fulfilling application specific compliance requirements. </td><td> Georg Hess</td></tr><br />
<tr><td>67</td><td> First sentence below Figure 4: should be rewritten "...and the vendor through application specific security services and controls and the Service Level Agreement (SLA)...." . </td><td> Georg Hess</td></tr><br />
<tr><td>66</td><td> PaaS Impact on Application Security Architecture, should be added as a last sentence of first paragraph "On the other hand, PaaS providers may offer built-in application security controls within their - already restrictd - programming environment to help developers avoid known application vulnerabilities. </td><td> Georg Hess</td></tr><br />
<tr><td>page#</td><td> Comment Here </td><td> Name here </td></tr><br />
<tr><td>page#</td><td> Comment Here </td><td> Name here </td></tr><br />
<br />
</table><br />
Comments on the Domain 11: Application Security Page 65-71 <br />
<br />
Page # Comment Your Name<br />
===================================================================================<br />
<br />
<br />
<hr></div>Georghesshttps://wiki.owasp.org/index.php?title=Category:OWASP_CSA_Project&diff=65554Category:OWASP CSA Project2009-07-08T11:42:12Z<p>Georghess: </p>
<hr />
<div>Last Updated: 6/25/2009<br />
<br />
<hr><br />
<b>Mission of CSA_Project Collective</b><br />
To promote the use of best practices for providing security assurance within Cloud Computing, and provide education on the uses of Cloud Computing to help secure all other forms of computing<br />
<br />
Primary Project Website: [http://www.cloudsecurityalliance.org http://www.cloudsecurityalliance.org]<br />
<br><br />
Project leaders: Warren Axelrod & Michael Sutton <br />
<br />
Version 1.0 Document: [http://www.cloudsecurityalliance.org/guidance/csaguide.pdf Get it Now] and [http://cloudsecurityalliance.org/guidance Additional CSA resources]<br />
<br />
<h1><center><b> Deadline for RFC July 8th 2009 </b></center></h1><br />
<br />
<hr><br />
<br />
If you would like to contribute to this effort as a OWASP voice of Industry/Projects you can and its VERY simple to get started.<br />
<br />
Step #1 - Review V1.0 http://www.cloudsecurityalliance.org/guidance/csaguide.pdf<br />
<br />
Step #2 - Condense your written comments, references for improvement and suggestions and review/post them to the WIKI - http://www.owasp.org/index.php/Category:OWASP_CSA_Project. This location will be monitored by CSA for inclusion into Version 2.0<br />
<br />
Step #3 - Add your name to the wiki page if you would like to work on this effort. The goal is to utilize the experts at OWASP to review and comment as a collective group and reference OWASP existing materials to help the CSA effort and to raise awareness to others about OWASP.<br />
<br />
<b><u>Name/eMail/Phone</u></b><br />
<br />
Tom Brennan/tomb(at)owasp.org/9732020122<br />
<br />
Michael Coates/michael.coates(at)owasp.org/6302072567<br />
<br />
Adam Muntner/Adam.Muntner(at)quietmove.com/6024459801<br />
<br />
Arthur Hedge/ahedge(at)castleventures.com/9735388004<br />
<br />
Georg Hess/georg.hess(at)artofdefence.com/+4994160488958<br />
<hr><br />
<br />
Comments on the Domain 11: Application Security Page 65-71 (not limited to that domain BTW)<br />
<table border=1><br />
<tr><br />
<td><br />
Page #</td> <td> Comment </td> <td> Your Name </td></tr><br />
<br />
<tr><td>4</td> <td>Include OWASP member attribution and affiliation. The more names, the better</td><td>James McGovern</td></tr><br />
<br />
<tr><td>27</td> <td>PCI defines requirements above and beyond just payment processing. Challenges such as file integrity monitoring and patch management become more nebulous in a cloud</td><td>James McGovern</td></tr><br />
<br />
<tr><td>34</td> <td>Additional considerations may include constructs such as receiving a document preservation notice where a court may order you to restore a system to a known point in time. The fluidity of a cloud makes this challenging</td><td>James McGovern</td></tr><br />
<br />
<tr><td>72</td> <td>The second sentence of the Issuance and Guidance on page 72 is misleading and factually incorrect. "Encrypted data is intrinsically protected; if someone has the data without its corresponding keys, they cannot use the data at all." Encrypting data will guarantee that the data is not viewed or modified by a party that does not possess the corresponding keys. However, encrypted data can be used in reply attacks. As such, it is imperative that the transfer of encrypted data utzilize secure tokens and timestamps to ensure the transmission is not subject to replay attacks. The use of SSL/TLS for data transmission will provide both encryption of data and protection against replay attacks.</td><td>Michael Coates</td></tr><br />
<br />
<tr><td>65</td><td>The entire Domain 11, Application Security, seems to focus more on some minor architecture differences, but doesn't focus on acutal application level threats - XSS, CSRF, SQL etc injection attacks, and business logic holes such as authentication/authorization issues.</td><td> Adam Muntner </td></tr><br />
<tr><td>65</td><td> "For application security, the answer to each of these questions has two: what <br />
security controls must the application provide over and above the controls inherent in the cloud <br />
platform and how must an enterprise’s secure development lifecycle change to accommodate <br />
cloud computing?"<br />
This is the only quote in the Problem Statement which is relevant. The rest can safely be scrubbed. </td><td>Adam Muntner </td></tr><br />
<tr><td>70</td><td> "Final Thoughts" section: Attack methods are well known. OWASP Testing Guide is one point of reference, and OSSTM is another. How will malicious actors react? By being malicious actors. A list of web links for further research would be more useful.</td><td> Adam Muntner </td></tr><br />
<tr><td>13</td><td> Authentication mentioned - should refer to Authorization as well </td><td> Adam Muntner </td></tr><br />
<tr><td>71</td><td> The [[:Category:OWASP Application Security Verification Standard Project|OWASP Application Security Verification Standard]], [[:Category:OWASP Enterprise Security API|OWASP Enterprise Security API]] and [[:Category:Software Assurance Maturity Model|OWASP Software Assurance Maturity Model]] should be added to the list of references </td><td> Colin Watson </td></tr><br />
<tr><td>48</td><td>Consideration should be given to having cloud providers produce audit reports of privileged user access and activity to the data owner.</td><td> Arthur Hedge </td></tr><br />
<tr><td>7</td><td>Should be rewritten to "Domain 1 principles of cloud computing" or "Domain 1 principal characteristics of cloud computing"</td><td> Arthur Hedge</td></tr><br />
<tr><td>28</td><td> Should be "Procedures for addressing a Legal Hold;" instead of "Procedures for address a Legal Hold;" </td><td> Arthur Hedge</td></tr><br />
<tr><td>11</td><td> Could start with "Cloud Applications are Web Applications in particular. Thus, virtually all of the challenges of Web Application Security apply to cloud applications, too. This document focuses on the new challenges of web applications "living in the cloud" but all knowledge about "classical" Web Application Security such as provided by OWASP should still be considered.</td><td> Georg Hess</td></tr><br />
<tr><td>65</td><td> Could start with "Cloud Applications are Web Applications in particular. Thus, virtually all of the challenges of Web Application Security apply to cloud applications, too. This document focuses on the new challenges of web applications "living in the cloud" but all knowledge about "classical" Web Application Security such as provided by OWASP should still be considered.</td><td> Georg Hess</td></tr><br />
<tr><td>65</td><td> Issues and Guidance, last sentence of first paragraph should be rewritten "... a set of application level controls and through the appropriate choice of cloud services - e.g. Web App Security Scanning, Source Code Analysis or Web App Firewalls - and the through the service agreement with the cloud vendor.</td><td> Georg Hess</td></tr><br />
<tr><td>66</td><td> IaaS Impact on Application Security Architecture, second sentence, should be rewritten "... put in place to secure the application itself, the host and the network...." . </td><td> Georg Hess</td></tr><br />
<tr><td>66</td><td> IaaS Impact on Application Security Architecture, should be added as a last sentence "IaaS providers may offer - third-party or on their own - cloud application security specific services - e.g. Web App Security Scanning, Source Code Analysis or Web App Intrusion Detection/Prevention Systems - to increase security at the application layer and to support customers in fulfilling application specific compliance requirements. </td><td> Georg Hess</td></tr><br />
<tr><td>67</td><td> First sentence below Figure 4: should be rewritten "...and the vendor through application specific security services and controls and the Service Level Agreement (SLA)...." . </td><td> Georg Hess</td></tr><br />
<tr><td>page#</td><td> Comment Here </td><td> Name here </td></tr><br />
<tr><td>page#</td><td> Comment Here </td><td> Name here </td></tr><br />
<br />
</table><br />
Comments on the Domain 11: Application Security Page 65-71 <br />
<br />
Page # Comment Your Name<br />
===================================================================================<br />
<br />
<br />
<hr></div>Georghesshttps://wiki.owasp.org/index.php?title=Category:OWASP_CSA_Project&diff=65553Category:OWASP CSA Project2009-07-08T11:41:35Z<p>Georghess: </p>
<hr />
<div>Last Updated: 6/25/2009<br />
<br />
<hr><br />
<b>Mission of CSA_Project Collective</b><br />
To promote the use of best practices for providing security assurance within Cloud Computing, and provide education on the uses of Cloud Computing to help secure all other forms of computing<br />
<br />
Primary Project Website: [http://www.cloudsecurityalliance.org http://www.cloudsecurityalliance.org]<br />
<br><br />
Project leaders: Warren Axelrod & Michael Sutton <br />
<br />
Version 1.0 Document: [http://www.cloudsecurityalliance.org/guidance/csaguide.pdf Get it Now] and [http://cloudsecurityalliance.org/guidance Additional CSA resources]<br />
<br />
<h1><center><b> Deadline for RFC July 8th 2009 </b></center></h1><br />
<br />
<hr><br />
<br />
If you would like to contribute to this effort as a OWASP voice of Industry/Projects you can and its VERY simple to get started.<br />
<br />
Step #1 - Review V1.0 http://www.cloudsecurityalliance.org/guidance/csaguide.pdf<br />
<br />
Step #2 - Condense your written comments, references for improvement and suggestions and review/post them to the WIKI - http://www.owasp.org/index.php/Category:OWASP_CSA_Project. This location will be monitored by CSA for inclusion into Version 2.0<br />
<br />
Step #3 - Add your name to the wiki page if you would like to work on this effort. The goal is to utilize the experts at OWASP to review and comment as a collective group and reference OWASP existing materials to help the CSA effort and to raise awareness to others about OWASP.<br />
<br />
<b><u>Name/eMail/Phone</u></b><br />
<br />
Tom Brennan/tomb(at)owasp.org/9732020122<br />
<br />
Michael Coates/michael.coates(at)owasp.org/6302072567<br />
<br />
Adam Muntner/Adam.Muntner(at)quietmove.com/6024459801<br />
<br />
Arthur Hedge/ahedge(at)castleventures.com/9735388004<br />
<br />
Georg Hess/georg.hess(at)artofdefence.com/+4994160488958<br />
<hr><br />
<br />
Comments on the Domain 11: Application Security Page 65-71 (not limited to that domain BTW)<br />
<table border=1><br />
<tr><br />
<td><br />
Page #</td> <td> Comment </td> <td> Your Name </td></tr><br />
<br />
<tr><td>4</td> <td>Include OWASP member attribution and affiliation. The more names, the better</td><td>James McGovern</td></tr><br />
<br />
<tr><td>27</td> <td>PCI defines requirements above and beyond just payment processing. Challenges such as file integrity monitoring and patch management become more nebulous in a cloud</td><td>James McGovern</td></tr><br />
<br />
<tr><td>34</td> <td>Additional considerations may include constructs such as receiving a document preservation notice where a court may order you to restore a system to a known point in time. The fluidity of a cloud makes this challenging</td><td>James McGovern</td></tr><br />
<br />
<tr><td>72</td> <td>The second sentence of the Issuance and Guidance on page 72 is misleading and factually incorrect. "Encrypted data is intrinsically protected; if someone has the data without its corresponding keys, they cannot use the data at all." Encrypting data will guarantee that the data is not viewed or modified by a party that does not possess the corresponding keys. However, encrypted data can be used in reply attacks. As such, it is imperative that the transfer of encrypted data utzilize secure tokens and timestamps to ensure the transmission is not subject to replay attacks. The use of SSL/TLS for data transmission will provide both encryption of data and protection against replay attacks.</td><td>Michael Coates</td></tr><br />
<br />
<tr><td>65</td><td>The entire Domain 11, Application Security, seems to focus more on some minor architecture differences, but doesn't focus on acutal application level threats - XSS, CSRF, SQL etc injection attacks, and business logic holes such as authentication/authorization issues.</td><td> Adam Muntner </td></tr><br />
<tr><td>65</td><td> "For application security, the answer to each of these questions has two: what <br />
security controls must the application provide over and above the controls inherent in the cloud <br />
platform and how must an enterprise’s secure development lifecycle change to accommodate <br />
cloud computing?"<br />
This is the only quote in the Problem Statement which is relevant. The rest can safely be scrubbed. </td><td>Adam Muntner </td></tr><br />
<tr><td>70</td><td> "Final Thoughts" section: Attack methods are well known. OWASP Testing Guide is one point of reference, and OSSTM is another. How will malicious actors react? By being malicious actors. A list of web links for further research would be more useful.</td><td> Adam Muntner </td></tr><br />
<tr><td>13</td><td> Authentication mentioned - should refer to Authorization as well </td><td> Adam Muntner </td></tr><br />
<tr><td>71</td><td> The [[:Category:OWASP Application Security Verification Standard Project|OWASP Application Security Verification Standard]], [[:Category:OWASP Enterprise Security API|OWASP Enterprise Security API]] and [[:Category:Software Assurance Maturity Model|OWASP Software Assurance Maturity Model]] should be added to the list of references </td><td> Colin Watson </td></tr><br />
<tr><td>48</td><td>Consideration should be given to having cloud providers produce audit reports of privileged user access and activity to the data owner.</td><td> Arthur Hedge </td></tr><br />
<tr><td>7</td><td>Should be rewritten to "Domain 1 principles of cloud computing" or "Domain 1 principal characteristics of cloud computing"</td><td> Arthur Hedge</td></tr><br />
<tr><td>28</td><td> Should be "Procedures for addressing a Legal Hold;" instead of "Procedures for address a Legal Hold;" </td><td> Arthur Hedge</td></tr><br />
<tr><td>11</td><td> Could start with "Cloud Applications are Web Applications in particular. Thus, virtually all of the challenges of Web Application Security apply to cloud applications, too. This document focuses on the new challenges of web applications "living in the cloud" but all knowledge about "classical" Web Application Security such as provided by OWASP should still be considered.</td><td> Georg Hess</td></tr><br />
<tr><td>65</td><td> Could start with "Cloud Applications are Web Applications in particular. Thus, virtually all of the challenges of Web Application Security apply to cloud applications, too. This document focuses on the new challenges of web applications "living in the cloud" but all knowledge about "classical" Web Application Security such as provided by OWASP should still be considered.</td><td> Georg Hess</td></tr><br />
<tr><td>65</td><td> Issues and Guidance, last sentence of first paragraph should be rewritten "... a set of application level controls and through the appropriate choice of cloud services - e.g. Web App Security Scanning, Source Code Analysis or Web App Firewalls - and the through the service agreement with the cloud vendor.</td><td> Georg Hess</td></tr><br />
<tr><td>66</td><td> IaaS Impact on Application Security Architecture, second sentence, should be rewritten "... put in place to secure the application itself, the host and the network...." . </td><td> Georg Hess</td></tr><br />
<tr><td>66</td><td> IaaS Impact on Application Security Architecture, should be added as a last sentence "IaaS providers may offer - third-party or on their own - cloud application security specific services - e.g. Web App Security Scanning, Source Code Analysis or Web App Intrusion Detection/Prevention Systems - to increase security at the application layer and to support customers in fulfilling application specific compliance requirements. </td><td> Georg Hess</td></tr><br />
<tr><td>67</td><td> First sentence below first graphic: should be rewritten "...and the vendor through application specific security services and controls and the Service Level Agreement (SLA)...." . </td><td> Georg Hess</td></tr><br />
<tr><td>page#</td><td> Comment Here </td><td> Name here </td></tr><br />
<tr><td>page#</td><td> Comment Here </td><td> Name here </td></tr><br />
<br />
</table><br />
Comments on the Domain 11: Application Security Page 65-71 <br />
<br />
Page # Comment Your Name<br />
===================================================================================<br />
<br />
<br />
<hr></div>Georghesshttps://wiki.owasp.org/index.php?title=Category:OWASP_CSA_Project&diff=65552Category:OWASP CSA Project2009-07-08T11:28:41Z<p>Georghess: </p>
<hr />
<div>Last Updated: 6/25/2009<br />
<br />
<hr><br />
<b>Mission of CSA_Project Collective</b><br />
To promote the use of best practices for providing security assurance within Cloud Computing, and provide education on the uses of Cloud Computing to help secure all other forms of computing<br />
<br />
Primary Project Website: [http://www.cloudsecurityalliance.org http://www.cloudsecurityalliance.org]<br />
<br><br />
Project leaders: Warren Axelrod & Michael Sutton <br />
<br />
Version 1.0 Document: [http://www.cloudsecurityalliance.org/guidance/csaguide.pdf Get it Now] and [http://cloudsecurityalliance.org/guidance Additional CSA resources]<br />
<br />
<h1><center><b> Deadline for RFC July 8th 2009 </b></center></h1><br />
<br />
<hr><br />
<br />
If you would like to contribute to this effort as a OWASP voice of Industry/Projects you can and its VERY simple to get started.<br />
<br />
Step #1 - Review V1.0 http://www.cloudsecurityalliance.org/guidance/csaguide.pdf<br />
<br />
Step #2 - Condense your written comments, references for improvement and suggestions and review/post them to the WIKI - http://www.owasp.org/index.php/Category:OWASP_CSA_Project. This location will be monitored by CSA for inclusion into Version 2.0<br />
<br />
Step #3 - Add your name to the wiki page if you would like to work on this effort. The goal is to utilize the experts at OWASP to review and comment as a collective group and reference OWASP existing materials to help the CSA effort and to raise awareness to others about OWASP.<br />
<br />
<b><u>Name/eMail/Phone</u></b><br />
<br />
Tom Brennan/tomb(at)owasp.org/9732020122<br />
<br />
Michael Coates/michael.coates(at)owasp.org/6302072567<br />
<br />
Adam Muntner/Adam.Muntner(at)quietmove.com/6024459801<br />
<br />
Arthur Hedge/ahedge(at)castleventures.com/9735388004<br />
<br />
Georg Hess/georg.hess(at)artofdefence.com/+4994160488958<br />
<hr><br />
<br />
Comments on the Domain 11: Application Security Page 65-71 (not limited to that domain BTW)<br />
<table border=1><br />
<tr><br />
<td><br />
Page #</td> <td> Comment </td> <td> Your Name </td></tr><br />
<br />
<tr><td>4</td> <td>Include OWASP member attribution and affiliation. The more names, the better</td><td>James McGovern</td></tr><br />
<br />
<tr><td>27</td> <td>PCI defines requirements above and beyond just payment processing. Challenges such as file integrity monitoring and patch management become more nebulous in a cloud</td><td>James McGovern</td></tr><br />
<br />
<tr><td>34</td> <td>Additional considerations may include constructs such as receiving a document preservation notice where a court may order you to restore a system to a known point in time. The fluidity of a cloud makes this challenging</td><td>James McGovern</td></tr><br />
<br />
<tr><td>72</td> <td>The second sentence of the Issuance and Guidance on page 72 is misleading and factually incorrect. "Encrypted data is intrinsically protected; if someone has the data without its corresponding keys, they cannot use the data at all." Encrypting data will guarantee that the data is not viewed or modified by a party that does not possess the corresponding keys. However, encrypted data can be used in reply attacks. As such, it is imperative that the transfer of encrypted data utzilize secure tokens and timestamps to ensure the transmission is not subject to replay attacks. The use of SSL/TLS for data transmission will provide both encryption of data and protection against replay attacks.</td><td>Michael Coates</td></tr><br />
<br />
<tr><td>65</td><td>The entire Domain 11, Application Security, seems to focus more on some minor architecture differences, but doesn't focus on acutal application level threats - XSS, CSRF, SQL etc injection attacks, and business logic holes such as authentication/authorization issues.</td><td> Adam Muntner </td></tr><br />
<tr><td>65</td><td> "For application security, the answer to each of these questions has two: what <br />
security controls must the application provide over and above the controls inherent in the cloud <br />
platform and how must an enterprise’s secure development lifecycle change to accommodate <br />
cloud computing?"<br />
This is the only quote in the Problem Statement which is relevant. The rest can safely be scrubbed. </td><td>Adam Muntner </td></tr><br />
<tr><td>70</td><td> "Final Thoughts" section: Attack methods are well known. OWASP Testing Guide is one point of reference, and OSSTM is another. How will malicious actors react? By being malicious actors. A list of web links for further research would be more useful.</td><td> Adam Muntner </td></tr><br />
<tr><td>13</td><td> Authentication mentioned - should refer to Authorization as well </td><td> Adam Muntner </td></tr><br />
<tr><td>71</td><td> The [[:Category:OWASP Application Security Verification Standard Project|OWASP Application Security Verification Standard]], [[:Category:OWASP Enterprise Security API|OWASP Enterprise Security API]] and [[:Category:Software Assurance Maturity Model|OWASP Software Assurance Maturity Model]] should be added to the list of references </td><td> Colin Watson </td></tr><br />
<tr><td>48</td><td>Consideration should be given to having cloud providers produce audit reports of privileged user access and activity to the data owner.</td><td> Arthur Hedge </td></tr><br />
<tr><td>7</td><td>Should be rewritten to "Domain 1 principles of cloud computing" or "Domain 1 principal characteristics of cloud computing"</td><td> Arthur Hedge</td></tr><br />
<tr><td>28</td><td> Should be "Procedures for addressing a Legal Hold;" instead of "Procedures for address a Legal Hold;" </td><td> Arthur Hedge</td></tr><br />
<tr><td>11</td><td> Could start with "Cloud Applications are Web Applications in particular. Thus, virtually all of the challenges of Web Application Security apply to cloud applications, too. This document focuses on the new challenges of web applications "living in the cloud" but all knowledge about "classical" Web Application Security such as provided by OWASP should still be considered.</td><td> Georg Hess</td></tr><br />
<tr><td>65</td><td> Could start with "Cloud Applications are Web Applications in particular. Thus, virtually all of the challenges of Web Application Security apply to cloud applications, too. This document focuses on the new challenges of web applications "living in the cloud" but all knowledge about "classical" Web Application Security such as provided by OWASP should still be considered.</td><td> Georg Hess</td></tr><br />
<tr><td>65</td><td> Issues and Guidance, last sentence of first paragraph should be rewritten "... a set of application level controls and through the appropriate choice of cloud services - e.g. Web App Security Scanning, Source Code Analysis or Web App Firewalls - and the through the service agreement with the cloud vendor.</td><td> Georg Hess</td></tr><br />
<tr><td>66</td><td> IaaS Impact on Application Security Architecture, second sentence, should be rewritten "... put in place to secure the application itself, the host and the network...." . </td><td> Georg Hess</td></tr><br />
<tr><td>66</td><td> IaaS Impact on Application Security Architecture, should be added as a last sentence "IaaS providers may offer - third-party or on their own - cloud application security specific services - e.g. Web App Security Scanning, Source Code Analysis or Web App Intrusion Detection/Prevention Systems - to increase security at the application layer and to support customers in fulfilling application specific compliance requirements. </td><td> Georg Hess</td></tr><br />
<tr><td>page#</td><td> Comment Here </td><td> Name here </td></tr><br />
<tr><td>page#</td><td> Comment Here </td><td> Name here </td></tr><br />
<br />
</table><br />
Comments on the Domain 11: Application Security Page 65-71 <br />
<br />
Page # Comment Your Name<br />
===================================================================================<br />
<br />
<br />
<hr></div>Georghesshttps://wiki.owasp.org/index.php?title=Category:OWASP_CSA_Project&diff=65551Category:OWASP CSA Project2009-07-08T11:15:47Z<p>Georghess: </p>
<hr />
<div>Last Updated: 6/25/2009<br />
<br />
<hr><br />
<b>Mission of CSA_Project Collective</b><br />
To promote the use of best practices for providing security assurance within Cloud Computing, and provide education on the uses of Cloud Computing to help secure all other forms of computing<br />
<br />
Primary Project Website: [http://www.cloudsecurityalliance.org http://www.cloudsecurityalliance.org]<br />
<br><br />
Project leaders: Warren Axelrod & Michael Sutton <br />
<br />
Version 1.0 Document: [http://www.cloudsecurityalliance.org/guidance/csaguide.pdf Get it Now] and [http://cloudsecurityalliance.org/guidance Additional CSA resources]<br />
<br />
<h1><center><b> Deadline for RFC July 8th 2009 </b></center></h1><br />
<br />
<hr><br />
<br />
If you would like to contribute to this effort as a OWASP voice of Industry/Projects you can and its VERY simple to get started.<br />
<br />
Step #1 - Review V1.0 http://www.cloudsecurityalliance.org/guidance/csaguide.pdf<br />
<br />
Step #2 - Condense your written comments, references for improvement and suggestions and review/post them to the WIKI - http://www.owasp.org/index.php/Category:OWASP_CSA_Project. This location will be monitored by CSA for inclusion into Version 2.0<br />
<br />
Step #3 - Add your name to the wiki page if you would like to work on this effort. The goal is to utilize the experts at OWASP to review and comment as a collective group and reference OWASP existing materials to help the CSA effort and to raise awareness to others about OWASP.<br />
<br />
<b><u>Name/eMail/Phone</u></b><br />
<br />
Tom Brennan/tomb(at)owasp.org/9732020122<br />
<br />
Michael Coates/michael.coates(at)owasp.org/6302072567<br />
<br />
Adam Muntner/Adam.Muntner(at)quietmove.com/6024459801<br />
<br />
Arthur Hedge/ahedge(at)castleventures.com/9735388004<br />
<br />
Georg Hess/georg.hess(at)artofdefence.com/+4994160488958<br />
<hr><br />
<br />
Comments on the Domain 11: Application Security Page 65-71 (not limited to that domain BTW)<br />
<table border=1><br />
<tr><br />
<td><br />
Page #</td> <td> Comment </td> <td> Your Name </td></tr><br />
<br />
<tr><td>4</td> <td>Include OWASP member attribution and affiliation. The more names, the better</td><td>James McGovern</td></tr><br />
<br />
<tr><td>27</td> <td>PCI defines requirements above and beyond just payment processing. Challenges such as file integrity monitoring and patch management become more nebulous in a cloud</td><td>James McGovern</td></tr><br />
<br />
<tr><td>34</td> <td>Additional considerations may include constructs such as receiving a document preservation notice where a court may order you to restore a system to a known point in time. The fluidity of a cloud makes this challenging</td><td>James McGovern</td></tr><br />
<br />
<tr><td>72</td> <td>The second sentence of the Issuance and Guidance on page 72 is misleading and factually incorrect. "Encrypted data is intrinsically protected; if someone has the data without its corresponding keys, they cannot use the data at all." Encrypting data will guarantee that the data is not viewed or modified by a party that does not possess the corresponding keys. However, encrypted data can be used in reply attacks. As such, it is imperative that the transfer of encrypted data utzilize secure tokens and timestamps to ensure the transmission is not subject to replay attacks. The use of SSL/TLS for data transmission will provide both encryption of data and protection against replay attacks.</td><td>Michael Coates</td></tr><br />
<br />
<tr><td>65</td><td>The entire Domain 11, Application Security, seems to focus more on some minor architecture differences, but doesn't focus on acutal application level threats - XSS, CSRF, SQL etc injection attacks, and business logic holes such as authentication/authorization issues.</td><td> Adam Muntner </td></tr><br />
<tr><td>65</td><td> "For application security, the answer to each of these questions has two: what <br />
security controls must the application provide over and above the controls inherent in the cloud <br />
platform and how must an enterprise’s secure development lifecycle change to accommodate <br />
cloud computing?"<br />
This is the only quote in the Problem Statement which is relevant. The rest can safely be scrubbed. </td><td>Adam Muntner </td></tr><br />
<tr><td>70</td><td> "Final Thoughts" section: Attack methods are well known. OWASP Testing Guide is one point of reference, and OSSTM is another. How will malicious actors react? By being malicious actors. A list of web links for further research would be more useful.</td><td> Adam Muntner </td></tr><br />
<tr><td>13</td><td> Authentication mentioned - should refer to Authorization as well </td><td> Adam Muntner </td></tr><br />
<tr><td>71</td><td> The [[:Category:OWASP Application Security Verification Standard Project|OWASP Application Security Verification Standard]], [[:Category:OWASP Enterprise Security API|OWASP Enterprise Security API]] and [[:Category:Software Assurance Maturity Model|OWASP Software Assurance Maturity Model]] should be added to the list of references </td><td> Colin Watson </td></tr><br />
<tr><td>48</td><td>Consideration should be given to having cloud providers produce audit reports of privileged user access and activity to the data owner.</td><td> Arthur Hedge </td></tr><br />
<tr><td>7</td><td>Should be rewritten to "Domain 1 principles of cloud computing" or "Domain 1 principal characteristics of cloud computing"</td><td> Arthur Hedge</td></tr><br />
<tr><td>28</td><td> Should be "Procedures for addressing a Legal Hold;" instead of "Procedures for address a Legal Hold;" </td><td> Arthur Hedge</td></tr><br />
<tr><td>11</td><td> Could start with "Cloud Applications are Web Applications in particular. Thus, virtually all of the challenges of Web Application Security apply to cloud applications, too. This document focuses on the new challenges of web applications "living in the cloud" but all knowledge about "classical" Web Application Security such as provided by OWASP should still be considered.</td><td> Georg Hess</td></tr><br />
<tr><td>65</td><td> Could start with "Cloud Applications are Web Applications in particular. Thus, virtually all of the challenges of Web Application Security apply to cloud applications, too. This document focuses on the new challenges of web applications "living in the cloud" but all knowledge about "classical" Web Application Security such as provided by OWASP should still be considered.</td><td> Georg Hess</td></tr><br />
<tr><td>65</td><td> Issues and Guidance, last sentence of first paragraph should be rewritten "... a set of application level controls and through the appropriate choice of cloud services - e.g. Web App Security Scanning, Source Code Analysis or Web App Firewalls - and the through the service agreement with the cloud vendor.</td><td> Georg Hess</td></tr><br />
<tr><td>page#</td><td> Comment Here </td><td> Name here </td></tr><br />
<tr><td>page#</td><td> Comment Here </td><td> Name here </td></tr><br />
<br />
</table><br />
Comments on the Domain 11: Application Security Page 65-71 <br />
<br />
Page # Comment Your Name<br />
===================================================================================<br />
<br />
<br />
<hr></div>Georghesshttps://wiki.owasp.org/index.php?title=Category:OWASP_CSA_Project&diff=65550Category:OWASP CSA Project2009-07-08T11:15:08Z<p>Georghess: </p>
<hr />
<div>Last Updated: 6/25/2009<br />
<br />
<hr><br />
<b>Mission of CSA_Project Collective</b><br />
To promote the use of best practices for providing security assurance within Cloud Computing, and provide education on the uses of Cloud Computing to help secure all other forms of computing<br />
<br />
Primary Project Website: [http://www.cloudsecurityalliance.org http://www.cloudsecurityalliance.org]<br />
<br><br />
Project leaders: Warren Axelrod & Michael Sutton <br />
<br />
Version 1.0 Document: [http://www.cloudsecurityalliance.org/guidance/csaguide.pdf Get it Now] and [http://cloudsecurityalliance.org/guidance Additional CSA resources]<br />
<br />
<h1><center><b> Deadline for RFC July 8th 2009 </b></center></h1><br />
<br />
<hr><br />
<br />
If you would like to contribute to this effort as a OWASP voice of Industry/Projects you can and its VERY simple to get started.<br />
<br />
Step #1 - Review V1.0 http://www.cloudsecurityalliance.org/guidance/csaguide.pdf<br />
<br />
Step #2 - Condense your written comments, references for improvement and suggestions and review/post them to the WIKI - http://www.owasp.org/index.php/Category:OWASP_CSA_Project. This location will be monitored by CSA for inclusion into Version 2.0<br />
<br />
Step #3 - Add your name to the wiki page if you would like to work on this effort. The goal is to utilize the experts at OWASP to review and comment as a collective group and reference OWASP existing materials to help the CSA effort and to raise awareness to others about OWASP.<br />
<br />
<b><u>Name/eMail/Phone</u></b><br />
<br />
Tom Brennan/tomb(at)owasp.org/9732020122<br />
<br />
Michael Coates/michael.coates(at)owasp.org/6302072567<br />
<br />
Adam Muntner/Adam.Muntner(at)quietmove.com/6024459801<br />
<br />
Arthur Hedge/ahedge(at)castleventures.com/9735388004<br />
<br />
Georg Hess/georg.hess(at)artofdefence.com/+4994160488958<br />
<hr><br />
<br />
Comments on the Domain 11: Application Security Page 65-71 (not limited to that domain BTW)<br />
<table border=1><br />
<tr><br />
<td><br />
Page #</td> <td> Comment </td> <td> Your Name </td></tr><br />
<br />
<tr><td>4</td> <td>Include OWASP member attribution and affiliation. The more names, the better</td><td>James McGovern</td></tr><br />
<br />
<tr><td>27</td> <td>PCI defines requirements above and beyond just payment processing. Challenges such as file integrity monitoring and patch management become more nebulous in a cloud</td><td>James McGovern</td></tr><br />
<br />
<tr><td>34</td> <td>Additional considerations may include constructs such as receiving a document preservation notice where a court may order you to restore a system to a known point in time. The fluidity of a cloud makes this challenging</td><td>James McGovern</td></tr><br />
<br />
<tr><td>72</td> <td>The second sentence of the Issuance and Guidance on page 72 is misleading and factually incorrect. "Encrypted data is intrinsically protected; if someone has the data without its corresponding keys, they cannot use the data at all." Encrypting data will guarantee that the data is not viewed or modified by a party that does not possess the corresponding keys. However, encrypted data can be used in reply attacks. As such, it is imperative that the transfer of encrypted data utzilize secure tokens and timestamps to ensure the transmission is not subject to replay attacks. The use of SSL/TLS for data transmission will provide both encryption of data and protection against replay attacks.</td><td>Michael Coates</td></tr><br />
<br />
<tr><td>65</td><td>The entire Domain 11, Application Security, seems to focus more on some minor architecture differences, but doesn't focus on acutal application level threats - XSS, CSRF, SQL etc injection attacks, and business logic holes such as authentication/authorization issues.</td><td> Adam Muntner </td></tr><br />
<tr><td>65</td><td> "For application security, the answer to each of these questions has two: what <br />
security controls must the application provide over and above the controls inherent in the cloud <br />
platform and how must an enterprise’s secure development lifecycle change to accommodate <br />
cloud computing?"<br />
This is the only quote in the Problem Statement which is relevant. The rest can safely be scrubbed. </td><td>Adam Muntner </td></tr><br />
<tr><td>70</td><td> "Final Thoughts" section: Attack methods are well known. OWASP Testing Guide is one point of reference, and OSSTM is another. How will malicious actors react? By being malicious actors. A list of web links for further research would be more useful.</td><td> Adam Muntner </td></tr><br />
<tr><td>13</td><td> Authentication mentioned - should refer to Authorization as well </td><td> Adam Muntner </td></tr><br />
<tr><td>71</td><td> The [[:Category:OWASP Application Security Verification Standard Project|OWASP Application Security Verification Standard]], [[:Category:OWASP Enterprise Security API|OWASP Enterprise Security API]] and [[:Category:Software Assurance Maturity Model|OWASP Software Assurance Maturity Model]] should be added to the list of references </td><td> Colin Watson </td></tr><br />
<tr><td>48</td><td>Consideration should be given to having cloud providers produce audit reports of privileged user access and activity to the data owner.</td><td> Arthur Hedge </td></tr><br />
<tr><td>7</td><td>Should be rewritten to "Domain 1 principles of cloud computing" or "Domain 1 principal characteristics of cloud computing"</td><td> Arthur Hedge</td></tr><br />
<tr><td>28</td><td> Should be "Procedures for addressing a Legal Hold;" instead of "Procedures for address a Legal Hold;" </td><td> Arthur Hedge</td></tr><br />
<tr><td>11</td><td> Could start with "Cloud Applications are Web Applications in particular. Thus, virtually all of the challenges of Web Application Security apply to cloud applications, too. This document focuses on the new challenges of web applications "living in the cloud" but all knowledge about "classical" Web Application Security such as provided by OWASP should still be considered."</td><td> Georg Hess</td></tr><br />
<tr><td>65</td><td> Could start with "Cloud Applications are Web Applications in particular. Thus, virtually all of the challenges of Web Application Security apply to cloud applications, too. This document focuses on the new challenges of web applications "living in the cloud" but all knowledge about "classical" Web Application Security such as provided by OWASP should still be considered."</td><td> Georg Hess</td></tr><br />
<tr><td>65</td><td> Issues and Guidance, last sentence of first paragraph should be rewritten "... a set of application level controls and through the appropriate choice of cloud services - e.g. Web App Security Scanning, Source Code Analysis or Web App Firewalls - and the through the service agreement with the cloud vendor."</td><td> Georg Hess</td></tr><br />
<tr><td>page#</td><td> Comment Here </td><td> Name here </td></tr><br />
<tr><td>page#</td><td> Comment Here </td><td> Name here </td></tr><br />
<br />
</table><br />
Comments on the Domain 11: Application Security Page 65-71 <br />
<br />
Page # Comment Your Name<br />
===================================================================================<br />
<br />
<br />
<hr></div>Georghesshttps://wiki.owasp.org/index.php?title=Category:OWASP_CSA_Project&diff=65549Category:OWASP CSA Project2009-07-08T11:07:43Z<p>Georghess: </p>
<hr />
<div>Last Updated: 6/25/2009<br />
<br />
<hr><br />
<b>Mission of CSA_Project Collective</b><br />
To promote the use of best practices for providing security assurance within Cloud Computing, and provide education on the uses of Cloud Computing to help secure all other forms of computing<br />
<br />
Primary Project Website: [http://www.cloudsecurityalliance.org http://www.cloudsecurityalliance.org]<br />
<br><br />
Project leaders: Warren Axelrod & Michael Sutton <br />
<br />
Version 1.0 Document: [http://www.cloudsecurityalliance.org/guidance/csaguide.pdf Get it Now] and [http://cloudsecurityalliance.org/guidance Additional CSA resources]<br />
<br />
<h1><center><b> Deadline for RFC July 8th 2009 </b></center></h1><br />
<br />
<hr><br />
<br />
If you would like to contribute to this effort as a OWASP voice of Industry/Projects you can and its VERY simple to get started.<br />
<br />
Step #1 - Review V1.0 http://www.cloudsecurityalliance.org/guidance/csaguide.pdf<br />
<br />
Step #2 - Condense your written comments, references for improvement and suggestions and review/post them to the WIKI - http://www.owasp.org/index.php/Category:OWASP_CSA_Project. This location will be monitored by CSA for inclusion into Version 2.0<br />
<br />
Step #3 - Add your name to the wiki page if you would like to work on this effort. The goal is to utilize the experts at OWASP to review and comment as a collective group and reference OWASP existing materials to help the CSA effort and to raise awareness to others about OWASP.<br />
<br />
<b><u>Name/eMail/Phone</u></b><br />
<br />
Tom Brennan/tomb(at)owasp.org/9732020122<br />
<br />
Michael Coates/michael.coates(at)owasp.org/6302072567<br />
<br />
Adam Muntner/Adam.Muntner(at)quietmove.com/6024459801<br />
<br />
Arthur Hedge/ahedge(at)castleventures.com/9735388004<br />
<br />
Georg Hess/georg.hess(at)artofdefence.com/+4994160488958<br />
<hr><br />
<br />
Comments on the Domain 11: Application Security Page 65-71 (not limited to that domain BTW)<br />
<table border=1><br />
<tr><br />
<td><br />
Page #</td> <td> Comment </td> <td> Your Name </td></tr><br />
<br />
<tr><td>4</td> <td>Include OWASP member attribution and affiliation. The more names, the better</td><td>James McGovern</td></tr><br />
<br />
<tr><td>27</td> <td>PCI defines requirements above and beyond just payment processing. Challenges such as file integrity monitoring and patch management become more nebulous in a cloud</td><td>James McGovern</td></tr><br />
<br />
<tr><td>34</td> <td>Additional considerations may include constructs such as receiving a document preservation notice where a court may order you to restore a system to a known point in time. The fluidity of a cloud makes this challenging</td><td>James McGovern</td></tr><br />
<br />
<tr><td>72</td> <td>The second sentence of the Issuance and Guidance on page 72 is misleading and factually incorrect. "Encrypted data is intrinsically protected; if someone has the data without its corresponding keys, they cannot use the data at all." Encrypting data will guarantee that the data is not viewed or modified by a party that does not possess the corresponding keys. However, encrypted data can be used in reply attacks. As such, it is imperative that the transfer of encrypted data utzilize secure tokens and timestamps to ensure the transmission is not subject to replay attacks. The use of SSL/TLS for data transmission will provide both encryption of data and protection against replay attacks.</td><td>Michael Coates</td></tr><br />
<br />
<tr><td>65</td><td>The entire Domain 11, Application Security, seems to focus more on some minor architecture differences, but doesn't focus on acutal application level threats - XSS, CSRF, SQL etc injection attacks, and business logic holes such as authentication/authorization issues.</td><td> Adam Muntner </td></tr><br />
<tr><td>65</td><td> "For application security, the answer to each of these questions has two: what <br />
security controls must the application provide over and above the controls inherent in the cloud <br />
platform and how must an enterprise’s secure development lifecycle change to accommodate <br />
cloud computing?"<br />
This is the only quote in the Problem Statement which is relevant. The rest can safely be scrubbed. </td><td>Adam Muntner </td></tr><br />
<tr><td>70</td><td> "Final Thoughts" section: Attack methods are well known. OWASP Testing Guide is one point of reference, and OSSTM is another. How will malicious actors react? By being malicious actors. A list of web links for further research would be more useful.</td><td> Adam Muntner </td></tr><br />
<tr><td>13</td><td> Authentication mentioned - should refer to Authorization as well </td><td> Adam Muntner </td></tr><br />
<tr><td>71</td><td> The [[:Category:OWASP Application Security Verification Standard Project|OWASP Application Security Verification Standard]], [[:Category:OWASP Enterprise Security API|OWASP Enterprise Security API]] and [[:Category:Software Assurance Maturity Model|OWASP Software Assurance Maturity Model]] should be added to the list of references </td><td> Colin Watson </td></tr><br />
<tr><td>48</td><td>Consideration should be given to having cloud providers produce audit reports of privileged user access and activity to the data owner.</td><td> Arthur Hedge </td></tr><br />
<tr><td>7</td><td>Should be rewritten to "Domain 1 principles of cloud computing" or "Domain 1 principal characteristics of cloud computing"</td><td> Arthur Hedge</td></tr><br />
<tr><td>28</td><td> Should be "Procedures for addressing a Legal Hold;" instead of "Procedures for address a Legal Hold;" </td><td> Arthur Hedge</td></tr><br />
<tr><td>11</td><td> Could start with "Cloud Applications are Web Applications in particular. Thus, virtually all of the challenges of Web Application Security apply to cloud applications, too. This document focuses on the new challenges of web applications "living in the cloud" but all knowledge about "classical" Web Application Security such as provided by OWASP should still be considered."</td><td> Georg Hess</td></tr><br />
<tr><td>65</td><td> Could start with "Cloud Applications are Web Applications in particular. Thus, virtually all of the challenges of Web Application Security apply to cloud applications, too. This document focuses on the new challenges of web applications "living in the cloud" but all knowledge about "classical" Web Application Security such as provided by OWASP should still be considered."</td><td> Georg Hess</td></tr><br />
<tr><td>page#</td><td> Comment Here </td><td> Name here </td></tr><br />
<tr><td>page#</td><td> Comment Here </td><td> Name here </td></tr><br />
<br />
</table><br />
Comments on the Domain 11: Application Security Page 65-71 <br />
<br />
Page # Comment Your Name<br />
===================================================================================<br />
<br />
<br />
<hr></div>Georghesshttps://wiki.owasp.org/index.php?title=Category:OWASP_CSA_Project&diff=65548Category:OWASP CSA Project2009-07-08T10:43:36Z<p>Georghess: </p>
<hr />
<div>Last Updated: 6/25/2009<br />
<br />
<hr><br />
<b>Mission of CSA_Project Collective</b><br />
To promote the use of best practices for providing security assurance within Cloud Computing, and provide education on the uses of Cloud Computing to help secure all other forms of computing<br />
<br />
Primary Project Website: [http://www.cloudsecurityalliance.org http://www.cloudsecurityalliance.org]<br />
<br><br />
Project leaders: Warren Axelrod & Michael Sutton <br />
<br />
Version 1.0 Document: [http://www.cloudsecurityalliance.org/guidance/csaguide.pdf Get it Now] and [http://cloudsecurityalliance.org/guidance Additional CSA resources]<br />
<br />
<h1><center><b> Deadline for RFC July 8th 2009 </b></center></h1><br />
<br />
<hr><br />
<br />
If you would like to contribute to this effort as a OWASP voice of Industry/Projects you can and its VERY simple to get started.<br />
<br />
Step #1 - Review V1.0 http://www.cloudsecurityalliance.org/guidance/csaguide.pdf<br />
<br />
Step #2 - Condense your written comments, references for improvement and suggestions and review/post them to the WIKI - http://www.owasp.org/index.php/Category:OWASP_CSA_Project. This location will be monitored by CSA for inclusion into Version 2.0<br />
<br />
Step #3 - Add your name to the wiki page if you would like to work on this effort. The goal is to utilize the experts at OWASP to review and comment as a collective group and reference OWASP existing materials to help the CSA effort and to raise awareness to others about OWASP.<br />
<br />
<b><u>Name/eMail/Phone</u></b><br />
<br />
Tom Brennan/tomb(at)owasp.org/9732020122<br />
<br />
Michael Coates/michael.coates(at)owasp.org/6302072567<br />
<br />
Adam Muntner/Adam.Muntner(at)quietmove.com/6024459801<br />
<br />
Arthur Hedge/ahedge(at)castleventures.com/9735388004<br />
<br />
Georg Hess/georg.hess(at)artofdefence.com/+4994160488958<br />
<hr><br />
<br />
Comments on the Domain 11: Application Security Page 65-71 (not limited to that domain BTW)<br />
<table border=1><br />
<tr><br />
<td><br />
Page #</td> <td> Comment </td> <td> Your Name </td></tr><br />
<br />
<tr><td>4</td> <td>Include OWASP member attribution and affiliation. The more names, the better</td><td>James McGovern</td></tr><br />
<br />
<tr><td>27</td> <td>PCI defines requirements above and beyond just payment processing. Challenges such as file integrity monitoring and patch management become more nebulous in a cloud</td><td>James McGovern</td></tr><br />
<br />
<tr><td>34</td> <td>Additional considerations may include constructs such as receiving a document preservation notice where a court may order you to restore a system to a known point in time. The fluidity of a cloud makes this challenging</td><td>James McGovern</td></tr><br />
<br />
<tr><td>72</td> <td>The second sentence of the Issuance and Guidance on page 72 is misleading and factually incorrect. "Encrypted data is intrinsically protected; if someone has the data without its corresponding keys, they cannot use the data at all." Encrypting data will guarantee that the data is not viewed or modified by a party that does not possess the corresponding keys. However, encrypted data can be used in reply attacks. As such, it is imperative that the transfer of encrypted data utzilize secure tokens and timestamps to ensure the transmission is not subject to replay attacks. The use of SSL/TLS for data transmission will provide both encryption of data and protection against replay attacks.</td><td>Michael Coates</td></tr><br />
<br />
<tr><td>65</td><td>The entire Domain 11, Application Security, seems to focus more on some minor architecture differences, but doesn't focus on acutal application level threats - XSS, CSRF, SQL etc injection attacks, and business logic holes such as authentication/authorization issues.</td><td> Adam Muntner </td></tr><br />
<tr><td>65</td><td> "For application security, the answer to each of these questions has two: what <br />
security controls must the application provide over and above the controls inherent in the cloud <br />
platform and how must an enterprise’s secure development lifecycle change to accommodate <br />
cloud computing?"<br />
This is the only quote in the Problem Statement which is relevant. The rest can safely be scrubbed. </td><td>Adam Muntner </td></tr><br />
<tr><td>70</td><td> "Final Thoughts" section: Attack methods are well known. OWASP Testing Guide is one point of reference, and OSSTM is another. How will malicious actors react? By being malicious actors. A list of web links for further research would be more useful.</td><td> Adam Muntner </td></tr><br />
<tr><td>13</td><td> Authentication mentioned - should refer to Authorization as well </td><td> Adam Muntner </td></tr><br />
<tr><td>71</td><td> The [[:Category:OWASP Application Security Verification Standard Project|OWASP Application Security Verification Standard]], [[:Category:OWASP Enterprise Security API|OWASP Enterprise Security API]] and [[:Category:Software Assurance Maturity Model|OWASP Software Assurance Maturity Model]] should be added to the list of references </td><td> Colin Watson </td></tr><br />
<tr><td>48</td><td>Consideration should be given to having cloud providers produce audit reports of privileged user access and activity to the data owner.</td><td> Arthur Hedge </td></tr><br />
<tr><td>7</td><td>Should be rewritten to "Domain 1 principles of cloud computing" or "Domain 1 principal characteristics of cloud computing"</td><td> Arthur Hedge</td></tr><br />
<tr><td>28</td><td> Should be "Procedures for addressing a Legal Hold;" instead of "Procedures for address a Legal Hold;" </td><td> Arthur Hedge</td></tr><br />
<tr><td>11</td><td> Could start with "Cloud Applications are Web Applications in particular. Thus, virtually all of the challenges of Web Application Security apply to cloud applications, too. This document focuses on the new challenges of web applications "living in the cloud" but all knowledge about "classical" Web Application Security such as provided by OWASP should still be considered."</td><td> Georg Hess</td></tr><br />
<tr><td>page#</td><td> Comment Here </td><td> Name here </td></tr><br />
<tr><td>page#</td><td> Comment Here </td><td> Name here </td></tr><br />
<br />
</table><br />
Comments on the Domain 11: Application Security Page 65-71 <br />
<br />
Page # Comment Your Name<br />
===================================================================================<br />
<br />
<br />
<hr></div>Georghesshttps://wiki.owasp.org/index.php?title=Category:OWASP_CSA_Project&diff=65547Category:OWASP CSA Project2009-07-08T10:17:22Z<p>Georghess: </p>
<hr />
<div>Last Updated: 6/25/2009<br />
<br />
<hr><br />
<b>Mission of CSA_Project Collective</b><br />
To promote the use of best practices for providing security assurance within Cloud Computing, and provide education on the uses of Cloud Computing to help secure all other forms of computing<br />
<br />
Primary Project Website: [http://www.cloudsecurityalliance.org http://www.cloudsecurityalliance.org]<br />
<br><br />
Project leaders: Warren Axelrod & Michael Sutton <br />
<br />
Version 1.0 Document: [http://www.cloudsecurityalliance.org/guidance/csaguide.pdf Get it Now] and [http://cloudsecurityalliance.org/guidance Additional CSA resources]<br />
<br />
<h1><center><b> Deadline for RFC July 8th 2009 </b></center></h1><br />
<br />
<hr><br />
<br />
If you would like to contribute to this effort as a OWASP voice of Industry/Projects you can and its VERY simple to get started.<br />
<br />
Step #1 - Review V1.0 http://www.cloudsecurityalliance.org/guidance/csaguide.pdf<br />
<br />
Step #2 - Condense your written comments, references for improvement and suggestions and review/post them to the WIKI - http://www.owasp.org/index.php/Category:OWASP_CSA_Project. This location will be monitored by CSA for inclusion into Version 2.0<br />
<br />
Step #3 - Add your name to the wiki page if you would like to work on this effort. The goal is to utilize the experts at OWASP to review and comment as a collective group and reference OWASP existing materials to help the CSA effort and to raise awareness to others about OWASP.<br />
<br />
<b><u>Name/eMail/Phone</u></b><br />
<br />
Tom Brennan/tomb(at)owasp.org/9732020122<br />
<br />
Michael Coates/michael.coates(at)owasp.org/6302072567<br />
<br />
Adam Muntner/Adam.Muntner(at)quietmove.com/6024459801<br />
<br />
Arthur Hedge/ahedge(at)castleventures.com/9735388004<br />
<br />
Georg Hess/georg.hess(at)artofdefence.com/+4994160488958<br />
<hr><br />
<br />
Comments on the Domain 11: Application Security Page 65-71 (not limited to that domain BTW)<br />
<table border=1><br />
<tr><br />
<td><br />
Page #</td> <td> Comment </td> <td> Your Name </td></tr><br />
<br />
<tr><td>4</td> <td>Include OWASP member attribution and affiliation. The more names, the better</td><td>James McGovern</td></tr><br />
<br />
<tr><td>27</td> <td>PCI defines requirements above and beyond just payment processing. Challenges such as file integrity monitoring and patch management become more nebulous in a cloud</td><td>James McGovern</td></tr><br />
<br />
<tr><td>34</td> <td>Additional considerations may include constructs such as receiving a document preservation notice where a court may order you to restore a system to a known point in time. The fluidity of a cloud makes this challenging</td><td>James McGovern</td></tr><br />
<br />
<tr><td>72</td> <td>The second sentence of the Issuance and Guidance on page 72 is misleading and factually incorrect. "Encrypted data is intrinsically protected; if someone has the data without its corresponding keys, they cannot use the data at all." Encrypting data will guarantee that the data is not viewed or modified by a party that does not possess the corresponding keys. However, encrypted data can be used in reply attacks. As such, it is imperative that the transfer of encrypted data utzilize secure tokens and timestamps to ensure the transmission is not subject to replay attacks. The use of SSL/TLS for data transmission will provide both encryption of data and protection against replay attacks.</td><td>Michael Coates</td></tr><br />
<br />
<tr><td>65</td><td>The entire Domain 11, Application Security, seems to focus more on some minor architecture differences, but doesn't focus on acutal application level threats - XSS, CSRF, SQL etc injection attacks, and business logic holes such as authentication/authorization issues.</td><td> Adam Muntner </td></tr><br />
<tr><td>65</td><td> "For application security, the answer to each of these questions has two: what <br />
security controls must the application provide over and above the controls inherent in the cloud <br />
platform and how must an enterprise’s secure development lifecycle change to accommodate <br />
cloud computing?"<br />
This is the only quote in the Problem Statement which is relevant. The rest can safely be scrubbed. </td><td>Adam Muntner </td></tr><br />
<tr><td>70</td><td> "Final Thoughts" section: Attack methods are well known. OWASP Testing Guide is one point of reference, and OSSTM is another. How will malicious actors react? By being malicious actors. A list of web links for further research would be more useful.</td><td> Adam Muntner </td></tr><br />
<tr><td>13</td><td> Authentication mentioned - should refer to Authorization as well </td><td> Adam Muntner </td></tr><br />
<tr><td>71</td><td> The [[:Category:OWASP Application Security Verification Standard Project|OWASP Application Security Verification Standard]], [[:Category:OWASP Enterprise Security API|OWASP Enterprise Security API]] and [[:Category:Software Assurance Maturity Model|OWASP Software Assurance Maturity Model]] should be added to the list of references </td><td> Colin Watson </td></tr><br />
<tr><td>48</td><td>Consideration should be given to having cloud providers produce audit reports of privileged user access and activity to the data owner.</td><td> Arthur Hedge </td></tr><br />
<tr><td>7</td><td>Should be rewritten to "Domain 1 principles of cloud computing" or "Domain 1 principal characteristics of cloud computing"</td><td> Arthur Hedge</td></tr><br />
<tr><td>28</td><td> Should be "Procedures for addressing a Legal Hold;" instead of "Procedures for address a Legal Hold;" </td><td> Arthur Hedge</td></tr><br />
<tr><td>page#</td><td> Comment Here </td><td> Name here </td></tr><br />
<tr><td>page#</td><td> Comment Here </td><td> Name here </td></tr><br />
<br />
</table><br />
Comments on the Domain 11: Application Security Page 65-71 <br />
<br />
Page # Comment Your Name<br />
===================================================================================<br />
<br />
<br />
<hr></div>Georghesshttps://wiki.owasp.org/index.php?title=Global_Industry_Committee_-_Application_1&diff=51360Global Industry Committee - Application 12009-01-16T12:39:58Z<p>Georghess: </p>
<hr />
<div>[[How to Join a Committee|Click here to return to 'How to Join a Committee' page]]<br />
<br />
----<br />
{| style="width:100%" border="0" align="center"<br />
! colspan="2" align="center" style="background:#4058A0; color:white"|<font color="white">'''COMMITTEE APPLICATION FORM''' <br />
|-<br />
| style="width:25%; background:#7B8ABD" align="center"|'''Applicant's Name'''<br />
| colspan="1" style="width:85%; background:#cccccc" align="left"|<font color="black">Colin Watson<br />
|-<br />
| style="width:25%; background:#7B8ABD" align="center"| '''Current and past OWASP Roles''' <br />
| colspan="1" style="width:85%; background:#cccccc" align="left"|<br />
* EU Summit 08 - OWASP Awards working session chair<br />
* EU Summit 08 - Event organisational assistance<br />
* Coordination of OWASP UK chapters' response ([[London#Other_Activities]]) to the UK's Central Office of Information draft document on browser standards for public websites<br />
* Participation in nomination of [http://www.nominet.org.uk/news/latest/2008/?contentId=5147 OWASP for Nominet Best Practice Awards 2008]<br />
* Speaker at OWASP London chapter meeting<br />
* Individual member<br />
|-<br />
| style="width:25%; background:#7B8ABD" align="center"| '''Committee Applying for''' <br />
| colspan="1" style="width:85%; background:#cccccc" align="left"|OWASP Global Industry Committee.<br />
|}<br />
----<br />
<br />
<br />
----<br />
Please be aware that for an application to be considered by the board, '''you MUST have 5 recommendations'''. <br />
An incomplete application will not be considered for vote.<br />
----<br />
<br />
<br />
----<br />
{| style="width:100%" border="0" align="center"<br />
! colspan="8" align="center" style="background:#4058A0; color:white"|<font color="white">'''COMMITTEE RECOMMENDATIONS''' <br />
|- <br />
! align="center" style="background:white; color:white"|<font color="black"><br />
! align="center" style="background:#7B8ABD; color:white"|<font color="black">'''Who Recommends/Name''' <br />
! align="center" style="background:#7B8ABD; color:white"|<font color="black">'''Role in OWASP'''<br />
! align="center" style="background:#7B8ABD; color:white"|<font color="black">'''Recommendation Content''' <br />
|-<br />
| style="width:3%; background:#cccccc" align="center"|'''1'''<br />
| style="width:20%; background:#cccccc" align="center"| Eduardo V. C. Neves<br />
| style="width:20%; background:#cccccc" align="center"| Positive Security Project Leader and Education Global Committee Member<br />
| style="width:57%; background:#cccccc" align="left"| Colin is hands on professional which is able to make thinks done very quickly and in a high quality fashion. I believe that he will be a great member for this committee.<br />
|-<br />
| style="width:3%; background:#cccccc" align="center"|'''2'''<br />
| style="width:20%; background:#cccccc" align="center"| David Rook<br />
| style="width:20%; background:#cccccc" align="center"| OWASP Code Review Guide Contributor, OWASP Ireland Contributor<br />
| style="width:57%; background:#cccccc" align="left"| Colin has the drive and knowledge to lead OWASP efforts at the committee level. He has excellent knowledge across many security areas and a professional positive attitude towards helping people understand and embrace information security. <br />
|-<br />
| style="width:3%; background:#cccccc" align="center"|'''3'''<br />
| style="width:20%; background:#cccccc" align="center"| Paulo Coimbra<br />
| style="width:20%; background:#cccccc" align="center"| Project Manager<br />
| style="width:57%; background:#cccccc" align="left"| Colin Watson was one of the OWASP Summit co-organizers. To me, his performance was absolutely outstanding. His calm reliability can be a valuable asset. <br />
|-<br />
| style="width:3%; background:#cccccc" align="center"|'''4'''<br />
| style="width:20%; background:#cccccc" align="center"| David Campbell<br />
| style="width:20%; background:#cccccc" align="center"| Industry Committee Member<br />
| style="width:57%; background:#cccccc" align="left"| Colin was instrumental in organizing the Portugal Summit, and provided much valuable input to the Intra Gov't affairs working group. He will be a great asset to the Industry committee.<br />
|-<br />
| style="width:3%; background:#cccccc" align="center"|'''5'''<br />
| style="width:20%; background:#cccccc" align="center"| Rex Booth<br />
| style="width:20%; background:#cccccc" align="center"| Industry Committee Member<br />
| style="width:57%; background:#cccccc" align="left"| Colin has been an active participant in the Industry Committee since its inception in Portugal. He absolutely deserves to be an official member and we could certainly use his assistance!<br />
|-<br />
| style="width:3%; background:#cccccc" align="center"|'''6'''<br />
| style="width:20%; background:#cccccc" align="center"| Mano Paul<br />
| style="width:20%; background:#cccccc" align="center"| Global Education Committee Chair<br />
| style="width:57%; background:#cccccc" align="left"| Colin was extremely helpful with all his voluntary helpful to make the OWASP EU summit at Portugal, a success. My interactions with him left me in respect of him for his background and experience and in what he has to offer to OWASP. I can vouch confidently that his official involvement in the Industry Committee will undoubtedly reflect positively on OWASP and you consideration would be appreciated. Highly recommend. <br />
|-<br />
| style="width:3%; background:#cccccc" align="center"|'''7'''<br />
| style="width:20%; background:#cccccc" align="center"| Ivan Ristic<br />
| style="width:20%; background:#cccccc" align="center"| Former OWASP London Leader<br />
| style="width:57%; background:#cccccc" align="left"| Colin is not only a regular visitor of OWASP London meetings, but someone who's willing to lend a hand when help is needed. He strikes me as a person who can be relied upon to do the right thing. <br />
|-<br />
| style="width:3%; background:#cccccc" align="center"|'''8'''<br />
| style="width:20%; background:#cccccc" align="center"| Georg Hess<br />
| style="width:20%; background:#cccccc" align="center"| Industry Committee Member, OWASP Germany Chapter Leader<br />
| style="width:57%; background:#cccccc" align="left"| Colin contributed from the very start of the Global Industry Committee - in particular with his expertise in the UK market. It is obvious that he should be "on board". <br />
|}<br />
----</div>Georghesshttps://wiki.owasp.org/index.php?title=OWASP_Working_Session_Top_10_2009&diff=45176OWASP Working Session Top 10 20092008-10-30T18:17:27Z<p>Georghess: </p>
<hr />
<div>{| style="width:100%" border="0" align="center"<br />
! colspan="7" align="center" style="background:#b3b3b3; color:white"|<font color="black">'''Working Sessions Operational Rules''' - [[:Working Sessions Methodology|'''Please see here the general frame of rules''']].<br />
|}<br />
{| style="width:100%" border="0" align="center"<br />
! colspan="7" align="center" style="background:#4058A0; color:white"|<font color="white">'''WORKING SESSION IDENTIFICATION''' <br />
|-<br />
| style="width:15%; background:#7B8ABD" align="center"|'''Work Session Name'''<br />
| colspan="6" style="width:85%; background:#cccccc" align="left"|<font color="black">'''OWASP Top 10 2009'''<br />
|-<br />
| style="width:15%; background:#7B8ABD" align="center"| '''Short Work Session Description''' <br />
| colspan="6" style="width:85%; background:#cccccc" align="left"|Aims to provide a key awareness document for web application security.<br />
|-<br />
| style="width:15%; background:#7B8ABD" align="center"| '''Related Projects (if any)''' <br />
| colspan="6" style="width:85%; background:#cccccc" align="left"|[[:Category:OWASP Top Ten Project|OWASP Top Ten Project]]<br />
|-<br />
| style="width:25%; background:#7B8ABD" align="center"|'''Email Contacts & Roles'''<br />
| style="width:25%; background:#cccccc" align="center"|'''Chair'''<br>[mailto:dave.wichers(at)owasp.org '''Dave Wichers''']<br />
| style="width:25%; background:#cccccc" align="center"|'''Secretary'''<br>[mailto:jeff.williams(at)owasp.org '''Jeff Williams''']<br />
| style="width:25%; background:#cccccc" align="center"|'''Mailing list'''<br>[https://lists.owasp.org/mailman/listinfo/owasp-topten '''Subscription Page''']<br />
|}<br />
{| style="width:100%" border="0" align="center"<br />
! colspan="7" align="center" style="background:#4058A0; color:white"|<font color="white">'''WORKING SESSION SPECIFICS''' <br />
|-<br />
| style="width:15%; background:#7B8ABD" align="center"|'''Objectives'''<br />
| colspan="6" style="width:85%; background:#cccccc" align="left"|<font color="black"><br />
* Discuss current Top10 structure and objectives,<br />
* Identify which information sources will be considered for analysis, Eg:<br />
** MITRE<br />
** Compromise DB's (Attrition, WASC etc) and bias due to reporting<br />
** Anonomised penetration test results and the difficulty in obtaining<br />
* Define methodology to collect attacks statistics,<br />
* Define prioritisation approach<br />
** Agree weighting between current or emerging threats<br />
|-<br />
| style="width:25%; background:#7B8ABD" align="center"|'''Venue/Date&Time/Model'''<br />
| style="width:25%; background:#cccccc" align="center"|'''Venue'''<br>[[:OWASP EU Summit 2008|OWASP EU Summit Portugal 2008]] <br />
| style="width:25%; background:#cccccc" align="center"|'''Date&Time'''<br>November 5 & 7, 2008<br>Time TBD<br />
| style="width:25%; background:#cccccc" align="center"|'''Discussion Model'''<br>"Participants + Attendees"<br />
|}<br />
{| style="width:100%" border="0" align="center"<br />
! colspan="7" align="center" style="background:white; color:white"|<font color="black"><br />
|}<br />
<br />
{|style="width:100%" border="0" align="center"<br />
! colspan="7" align="center" style="background:#4058A0; color:white"|<font color="white">'''WORKING SESSION OPERATIONAL RESOURCES''' <br />
|-<br />
| style="width:100%; background:#cccccc" align="center"|Please add here, ASAP, any needed relevant resources, e.g. data-show, boards, laptops, etc.<br />
|}<br />
{| style="width:100%" border="0" align="center"<br />
! colspan="7" align="center" style="background:white; color:white"|<font color="black"><br />
|}<br />
{| style="width:100%" border="0" align="center"<br />
! colspan="7" align="center" style="background:#4058A0; color:white"|<font color="white">'''WORKING SESSION ADDITIONAL DETAILS''' <br />
|-<br />
| style="width:100%; background:#cccccc" align="left"|Please add here, any additional notes, links, ideas, guidelines, etc... The objective is to help the working sessions participants and attendees to prepare their participation/contribution.<br />
<br />
Potential Resources:<br />
<br />
* [http://cve.mitre.org/cve/ MITRE's Common Vulnerability Enumeration (CVE) Database]<br />
<br />
* The [http://www.webappsec.org/projects/whid/whid.shtml WASC Web Hacking Incidents Database]<br />
<br />
* The [http://www.webappsec.org/projects/statistics/ 2007 WASC Web Application Security Statistics Report]<br />
|}<br />
{| style="width:100%" border="0" align="center"<br />
! colspan="3" align="center" style="background:#4058A0; color:white"|'''WORKING SESSION OUTCOMES''' <br />
|-<br />
| style="width:7%; background:#6C82B5" align="center"|Statements, Initiatives or Decisions <br />
| style="width:46%; background:#b3b3b3" align="center"|'''Proposed by Working Group''' <br />
| style="width:47%; background:#b3b3b3" align="center"|'''Approved by OWASP Board'''<br />
|-<br />
| style="width:7%; background:#7B8ABD" align="center"| <br />
| style="width:46%; background:#C2C2C2" align="center"|The sources of input for the 2009 Top 10 will be identified.<br />
| style="width:47%; background:#C2C2C2" align="center"|After the Board Meeting - fill in here. <br />
|-<br />
| style="width:7%; background:#7B8ABD" align="center"| <br />
| style="width:46%; background:#C2C2C2" align="center"|The ordering scheme for the Top 10 will be determined.<br />
| style="width:47%; background:#C2C2C2" align="center"|After the Board Meeting - fill in here. <br />
|-<br />
| style="width:7%; background:#7B8ABD" align="center"|<br />
| style="width:46%; background:#C2C2C2" align="center"|Discussion of whether the existing document structure should be maintained or adjusted.<br />
| style="width:47%; background:#C2C2C2" align="center"|After the Board Meeting - fill in here. <br />
|}<br />
''''''Bold text''''''== Working Session Participants ==<br />
(Add your name by editing this table. On the right, just above this frame, you have the option to edit)<br />
{| style="width:100%" border="0" align="center"<br />
! colspan="7" align="center" style="background:#4058A0; color:white"|<font color="white">'''WORKING SESSION PARTICIPANTS''' <br />
|-<br />
| style="width:7%; background:#7B8ABD" align="center"|<br />
| style="width:15%; background:#cccccc" align="center"|'''Name'''<br />
| style="width:15%; background:#cccccc" align="center"|'''Company'''<br />
| style="width:63%; background:#cccccc" align="center"|'''Notes & reason for participating, issues to be discussed/addressed'''<br />
|-<br />
| style="width:7%; background:#7B8ABD" align="center"|1<br />
| style="width:15%; background:#cccccc" align="center"|Paolo Perego<br />
| style="width:15%; background:#cccccc" align="center"|Spike Reply<br />
| style="width:63%; background:#cccccc" align="center"|As penetration tester it woud be great to me to participating in writing the new Top 10. As code reviewer and Orizon project leader it would be very interesting in scouting dynamic threats in order to add some dynamic feature to my tool.<br />
|-<br />
| style="width:7%; background:#7B8ABD" align="center"|2<br />
| style="width:15%; background:#cccccc" align="center"|David Campbell<br />
| style="width:15%; background:#cccccc" align="center"|OWASP Denver<br />
| style="width:63%; background:#cccccc" align="center"|<br />
|-<br />
| style="width:7%; background:#7B8ABD" align="center"|3<br />
| style="width:15%; background:#cccccc" align="center"|Robert Mann<br />
| style="width:15%; background:#cccccc" align="center"|RBS / ABN AMRO<br />
| style="width:63%; background:#cccccc" align="center"|<br />
|-<br />
| style="width:7%; background:#7B8ABD" align="center"|4<br />
| style="width:15%; background:#cccccc" align="center"|Troy Leach<br />
| style="width:15%; background:#cccccc" align="center"|[https://www.pcisecuritystandards.org/ PCI Security Standards Council]<br />
| style="width:63%; background:#cccccc" align="center"|Technical Director<br />
|-<br />
| style="width:7%; background:#7B8ABD" align="center"|5<br />
| style="width:15%; background:#cccccc" align="center"|Eoin Keary<br />
| style="width:15%; background:#cccccc" align="center"|Ernst & Young. Long time OWASP member (Code and Testing guides)<br />
| style="width:63%; background:#cccccc" align="center"|<br />
|-<br />
| style="width:7%; background:#7B8ABD" align="center"|6<br />
| style="width:15%; background:#cccccc" align="center"| Matteo Meucci<br />
| style="width:15%; background:#cccccc" align="center"| Minded Security<br />
| style="width:63%; background:#cccccc" align="center"| I'd like to discuss about a new way to create the Top10 from the OWASP Community<br />
|-<br />
| style="width:7%; background:#7B8ABD" align="center"|7<br />
| style="width:15%; background:#cccccc" align="center"|Giorgio Fedon<br />
| style="width:15%; background:#cccccc" align="center"|Minded Security<br />
| style="width:63%; background:#cccccc" align="center"|<br />
|-<br />
| style="width:7%; background:#7B8ABD" align="center"|8<br />
| style="width:15%; background:#cccccc" align="center"|Andrea Cogliati<br />
| style="width:15%; background:#cccccc" align="center"|OWASP Rochester, NY<br />
| style="width:63%; background:#cccccc" align="center"|I volunteered as a technical writer<br />
|-<br />
| style="width:7%; background:#7B8ABD" align="center"|9<br />
| style="width:15%; background:#cccccc" align="center"|Christian Martorella<br />
| style="width:15%; background:#cccccc" align="center"|S21sec<br />
| style="width:63%; background:#cccccc" align="center"|Interested in participating on the creating the Top 10, share some ideas.<br />
|-<br />
| style="width:7%; background:#7B8ABD" align="center"|10<br />
| style="width:15%; background:#cccccc" align="center"|Nishi Kumar<br />
| style="width:15%; background:#cccccc" align="center"|Systems Architect (FIS) Global Web Development Group<br />
| style="width:63%; background:#cccccc" align="center"|Interested in participating and sharing ideas<br />
<br />
|-<br />
| style="width:7%; background:#7B8ABD" align="center"|11<br />
| style="width:15%; background:#cccccc" align="center"| Tom Brennan<br />
| style="width:15%; background:#cccccc" align="center"| OWASP/WhiteHat Security<br />
| style="width:63%; background:#cccccc" align="center"| Want to discuss some of the stats we can share with OWASP<br />
<br />
|-<br />
| style="width:7%; background:#7B8ABD" align="center"|12<br />
| style="width:15%; background:#cccccc" align="center"| Georg Hess<br />
| style="width:15%; background:#cccccc" align="center"| OWASP Germany<br />
| style="width:63%; background:#cccccc" align="center"| mainly to get some insight into the process<br />
|}<br />
<br />
If needed add here more lines.<br />
<br />
[[Category:OWASP_Working_Session]]</div>Georghesshttps://wiki.owasp.org/index.php?title=Working_Session_OWASP_Strategic_Planning&diff=45175Working Session OWASP Strategic Planning2008-10-30T18:07:22Z<p>Georghess: </p>
<hr />
<div>{| style="width:100%" border="0" align="center"<br />
! colspan="7" align="center" style="background:#b3b3b3; color:white"|<font color="black">'''Working Sessions Operational Rules''' - [[:Working Sessions Methodology|'''Please see here the general frame of rules''']].<br />
|}<br />
{| style="width:100%" border="0" align="center"<br />
! colspan="7" align="center" style="background:#4058A0; color:white"|<font color="white">'''WORKING SESSION IDENTIFICATION''' <br />
|-<br />
| style="width:15%; background:#7B8ABD" align="center"|'''Work Session Name'''<br />
| colspan="6" style="width:85%; background:#cccccc" align="left"|<font color="black">'''OWASP Strategic Planning'''<br />
|-<br />
| style="width:15%; background:#7B8ABD" align="center"| '''Short Work Session Description''' <br />
| colspan="6" style="width:85%; background:#cccccc" align="left"|Discuss and prepare the OWASP Strategic Planing. <br />
|-<br />
| style="width:15%; background:#7B8ABD" align="center"| '''Related Projects (if any)''' <br />
| colspan="6" style="width:85%; background:#cccccc" align="left"|<br />
|-<br />
| style="width:25%; background:#7B8ABD" align="center"|'''Email Contacts & Roles'''<br />
| style="width:25%; background:#cccccc" align="center"|'''Chair'''<br>[mailto:jeff.williams(at)owasp.org Jeff Williams], [mailto:dinis.cruz(at)owasp.org Dinis Cruz], [mailto:dave.wichers(at)owasp.org Dave Wichers], [mailto:seba@owasp.org Sebastien Deleersnyder], [mailto:tomb(at)owasp.org Tom Brennan]. <br />
| style="width:25%; background:#cccccc" align="center"|'''Secretary'''<br>TBD<br />
| style="width:25%; background:#cccccc" align="center"|'''Mailing list'''<br>[https://lists.owasp.org/mailman/admin/ws-strategic-planning/logout Subscription Page]<br />
|}<br />
{| style="width:100%" border="0" align="center"<br />
! colspan="7" align="center" style="background:#4058A0; color:white"|<font color="white">'''WORKING SESSION SPECIFICS''' <br />
|-<br />
| style="width:15%; background:#7B8ABD" align="center"|'''Objectives'''<br />
| colspan="6" style="width:85%; background:#cccccc" align="left"|<font color="black"><br />
* Discuss OWASP Past, Present and Future,<br />
* Projects organization and rating,<br />
* Global Community Outreach (PR Issues, Pro Bono opportunities) <br />
* Procedures for OWASP Standardization,<br />
* Discuss OWASP Governance,<br />
* Discuss Chapter Governance.<br />
|-<br />
| style="width:25%; background:#7B8ABD" align="center"|'''Venue/Date&Time/Model'''<br />
| style="width:25%; background:#cccccc" align="center"|'''Venue'''<br>[[:OWASP EU Summit 2008|OWASP EU Summit Portugal 2008]] <br />
| style="width:25%; background:#cccccc" align="center"|'''Date&Time'''<br>November 4 & 7, 2008 <br>Time TBD<br />
| style="width:25%; background:#cccccc" align="center"|'''Discussion Model'''<br>"Participants + Attendees" or "Everybody is a Participant" - TBD<br />
|}<br />
{| style="width:100%" border="0" align="center"<br />
! colspan="7" align="center" style="background:white; color:white"|<font color="black"><br />
|}<br />
<br />
{|style="width:100%" border="0" align="center"<br />
! colspan="7" align="center" style="background:#4058A0; color:white"|<font color="white">'''WORKING SESSION OPERATIONAL RESOURCES''' <br />
|-<br />
| style="width:100%; background:#cccccc" align="center"|Please add here, ASAP, any needed relevant resources, e.g. data-show, boards, laptops, etc.<br />
|}<br />
{| style="width:100%" border="0" align="center"<br />
! colspan="7" align="center" style="background:white; color:white"|<font color="black"><br />
|}<br />
{| style="width:100%" border="0" align="center"<br />
! colspan="7" align="center" style="background:#4058A0; color:white"|<font color="white">'''WORKING SESSION ADDITIONAL DETAILS''' <br />
|-<br />
| style="width:100%; background:#cccccc" align="center"|Please add here, any additional notes, links, ideas, guidelines, etc... The objective is to help the working sessions participants and attendees to prepare their participation/contribution<br />
|}<br />
{| style="width:100%" border="0" align="center"<br />
! colspan="3" align="center" style="background:#4058A0; color:white"|'''WORKING SESSION OUTCOMES''' <br />
|-<br />
| style="width:7%; background:#6C82B5" align="center"|Statements, Initiatives or Decisions <br />
| style="width:46%; background:#b3b3b3" align="center"|'''Proposed by Working Group''' <br />
| style="width:47%; background:#b3b3b3" align="center"|'''Approved by OWASP Board'''<br />
|-<br />
| style="width:7%; background:#7B8ABD" align="center"| <br />
| style="width:46%; background:#C2C2C2" align="center"|Action Plan for 2009.<br />
| style="width:47%; background:#C2C2C2" align="center"|After the Board Meeting - fill in here. <br />
|-<br />
| style="width:7%; background:#7B8ABD" align="center"| <br />
| style="width:46%; background:#C2C2C2" align="center"|Strategies and recommendations for current OWASP projects.<br />
| style="width:47%; background:#C2C2C2" align="center"|After the Board Meeting - fill in here. <br />
|-<br />
| style="width:7%; background:#7B8ABD" align="center"|<br />
| style="width:46%; background:#C2C2C2" align="center"|Fill in here.<br />
| style="width:47%; background:#C2C2C2" align="center"|After the Board Meeting - fill in here. <br />
|}<br />
== Working Session Participants ==<br />
(Add you name by editing this table. On your the right, just above the this frame, you have the option to edit)<br />
{| style="width:100%" border="0" align="center"<br />
! colspan="7" align="center" style="background:#4058A0; color:white"|<font color="white">'''WORKING SESSION PARTICIPANTS''' <br />
|-<br />
| style="width:7%; background:#7B8ABD" align="center"|<br />
| style="width:18%; background:#cccccc" align="center"|'''Name'''<br />
| style="width:15%; background:#cccccc" align="center"|'''Company'''<br />
| style="width:60%; background:#cccccc" align="center"|'''Notes & reason for participating, issues to be discussed/addressed'''<br />
|-<br />
| style="width:7%; background:#7B8ABD" align="center"|1 <br />
| style="width:18%; background:#cccccc" align="center"|Kate & Paulo<br />
| style="width:15%; background:#cccccc" align="center"|OWASP Foundation<br />
| style="width:60%; background:#cccccc" align="center"|Employees <br />
|-<br />
| style="width:7%; background:#7B8ABD" align="center"|2<br />
| style="width:18%; background:#cccccc" align="center"|David Campbell<br />
| style="width:15%; background:#cccccc" align="center"|OWASP Denver<br />
| style="width:60%; background:#cccccc" align="center"|Chapter governance, etc<br />
|-<br />
| style="width:7%; background:#7B8ABD" align="center"|3<br />
| style="width:18%; background:#cccccc" align="center"|Matteo Meucci<br />
| style="width:15%; background:#cccccc" align="center"|OWASP-Italy<br />
| style="width:15%; background:#cccccc" align="center"|<br />
|-<br />
| style="width:7%; background:#7B8ABD" align="center"|4<br />
| style="width:18%; background:#cccccc" align="center"|Steve Antoniewicz<br />
| style="width:15%; background:#cccccc" align="center"|OWASP NYC<br />
| style="width:60%; background:#cccccc" align="center"|Partnerships<br />
|-<br />
| style="width:7%; background:#7B8ABD" align="center"|5<br />
| style="width:18%; background:#cccccc" align="center"|Andrea Cogliati<br />
| style="width:15%; background:#cccccc" align="center"|OWASP Rochester, NY<br />
| style="width:60%; background:#cccccc" align="center"|Interested in reaching out academia<br />
|-<br />
| style="width:7%; background:#7B8ABD" align="center"|6<br />
| style="width:18%; background:#cccccc" align="center"|Georg Hess<br />
| style="width:15%; background:#cccccc" align="center"|OWASP Germany<br />
| style="width:60%; background:#cccccc" align="center"|Global topics and positioning<br />
|-<br />
| style="width:7%; background:#7B8ABD" align="center"|7<br />
| style="width:18%; background:#cccccc" align="center"|<br />
| style="width:15%; background:#cccccc" align="center"|<br />
| style="width:60%; background:#cccccc" align="center"|<br />
|-<br />
| style="width:7%; background:#7B8ABD" align="center"|8<br />
| style="width:18%; background:#cccccc" align="center"|<br />
| style="width:15%; background:#cccccc" align="center"|<br />
| style="width:60%; background:#cccccc" align="center"|<br />
|-<br />
| style="width:7%; background:#7B8ABD" align="center"|9<br />
| style="width:18%; background:#cccccc" align="center"|<br />
| style="width:15%; background:#cccccc" align="center"|<br />
| style="width:60%; background:#cccccc" align="center"|<br />
|-<br />
| style="width:7%; background:#7B8ABD" align="center"|10<br />
| style="width:18%; background:#cccccc" align="center"|<br />
| style="width:15%; background:#cccccc" align="center"|<br />
| style="width:60%; background:#cccccc" align="center"|<br />
|}<br />
If needed add here more lines.<br />
<br />
[[Category:OWASP_Working_Session]]</div>Georghess