OWASP - User contributions [en]

Chapter Spending Guidelines

2019-04-30T11:41:08Z

Sapao: /* Spending Guidelines */ Changed formatting to improve readability

== Handling Money ==

Chapter funds should be used for your chapter and must be spent in line with the OWASP Foundation goals, principles, and code of ethics. Accordingly, chapter finances should be handled in a transparent manner.

A chapter should have a treasurer who is in charge of money. This person can be (and often is) the leader. His/her name should be communicated to the Community Manager so we can update our official records.

== Spending Guidelines ==

For the following common expenses, if the expenditure is under $500, Chapter Leaders can consider their purchase “white-listed” for reimbursement out of the chapter’s account, provided that the chapter has the necessary funds in its account:
* Meeting venue rental
* Refreshments for a meeting
* Promotion of a meeting
* OWASP Merchandise
If, however, the expense does not fall under one of the above categories or is greater than $500, a second person (another chapter leader or board member if possible) must sign off on the purchase. While travel for speakers is a common expense and may fall under $500, a second signer is still required. Similarly, a donation of money out of the chapter’s account back to the Foundation, requires a second signer. The exact details of the reimbursement process can be found under [[Reimbursement_Process_Details|Reimbursement Process Details]]

From an administrative perspective, OWASP has a responsibility to show its supporters that their donations (via members, sponsorship or other) are being used properly - in support of the OWASP mission. Visit the "Additional Resources" section of the [[Funding|OWASP Funding page]] (Chapter and Project Funding Totals) to see your chapter's current funding balance.

Exceptions to the guidelines can be brought to the Executive Director for approval and tracking.

Vienna

2019-04-05T14:47:55Z

Sapao:

{{Chapter Template|chaptername=Vienna|extra=The chapter leaders are [mailto:lucas.ferreira@owasp.org Lucas Ferreira], [mailto:sebastian.bicchi@owasp.org Sebastian Bicchi] and [mailto:andreas.happe@owasp.org Andreas Happe].
|meetupurl=https://www.meetup.com/OWASP-Vienna-Chapter/|region=Europe}}

== Local News ==
<blockquote>'''The old OWASP-Austria mailing list no longer exists. A new mailing is available at''' https://groups.google.com/a/owasp.org/forum/#!forum/vienna-chapter. Instructions to join are available at: https://docs.google.com/document/d/1TBzgvB8Tb0aAZnEy2qYzLnrzJuRzK_T91Em09DVf5YA/edit</blockquote>
'''Our first meeting will be a social at the Wieden Braeu. It will be on March, 21th (Thursday) at 18:00. This is the first opportunity to start defining how we will run our new Chapter. '''

Everyone is welcome to join us at our chapter meetings.

[[Category:OWASP Chapter]]

Vienna

2019-04-03T07:45:04Z

Sapao: /* Local News */

{{Chapter Template|chaptername=Vienna|extra=The chapter leaders are [mailto:lucas.ferreira@owasp.org Lucas Ferreira], [mailto:sebastian.bicchi@owasp.org Sebastian Bicchi] and [mailto:andreas.happe@owasp.org Andreas Happe].
|meetupurl=https://www.meetup.com/OWASP-Vienna-Chapter/|region=Europe}}

== Local News ==
<blockquote>'''The old OWASP-Austria mailing list no longer exists. A new mailing is available at''' https://groups.google.com/a/owasp.org/forum/#!forum/vienna-chapter</blockquote>
'''Our first meeting will be a social at the Wieden Braeu. It will be on March, 21th (Thursday) at 18:00. This is the first opportunity to start defining how we will run our new Chapter. '''

Everyone is welcome to join us at our chapter meetings.

[[Category:OWASP Chapter]]

Vienna

2019-04-02T11:21:01Z

Sapao: /* Local News */

{{Chapter Template|chaptername=Vienna|extra=The chapter leaders are [mailto:lucas.ferreira@owasp.org Lucas Ferreira], [mailto:sebastian.bicchi@owasp.org Sebastian Bicchi] and [mailto:andreas.happe@owasp.org Andreas Happe].
|meetupurl=https://www.meetup.com/OWASP-Vienna-Chapter/|region=Europe}}

== Local News ==
<blockquote>'''The old OWASP-Austria mailing list no longer exists. A new mailing list has been requested and we will send notifications when it is ready.'''</blockquote>
'''Our first meeting will be a social at the Wieden Braeu. It will be on March, 21th (Thursday) at 18:00. This is the first opportunity to start defining how we will run our new Chapter. '''

Everyone is welcome to join us at our chapter meetings.

[[Category:OWASP Chapter]]

Vienna

2019-03-04T18:57:59Z

Sapao: /* Local News */

{{Chapter Template|chaptername=Vienna|extra=The chapter leaders are [mailto:lucas.ferreira@owasp.org Lucas Ferreira] and [mailto:sebastian.bicchi@owasp.org Sebastian Bicchi].
|meetupurl=https://www.meetup.com/OWASP-Vienna-Chapter/|region=Europe}}

== Local News ==

'''Our first meeting will be a social at the Wieden Braeu. It will be on March, 21th (Thursday) at 18:00. This is the first opportunity to start defining how we will run our new Chapter. '''

Everyone is welcome to join us at our chapter meetings.

[[Category:OWASP Chapter]]

User:Sapao

2014-09-15T21:21:17Z

Sapao: /* Involvement in OWASP */

=Lucas C. Ferreira=

==Involvement in OWASP==
Past "titles":
* [[Global Conferences Committee]] member
* [[Brasilia]], DF, Brazil chapter leader
* [[OWASP Portuguese Language Project]] co-leader
* OWASP [[AppSec Brasil 2009]] General Chair
* OWASP [[AppSec Brasil 2010]] General Chair
* OWASP [[AppSecLatam2011]] Program committee Chair

==How I got involved in OWASP==
In 2008, OWASP was organizing the EU Summit in Portugal and issued a Call for Training Providers, seeking trainings to be delivered at the Summit. I had recently finished preparing a "Secure Programming in Java" training in Portuguese and was working with some friends to organize training sessions in Brazil.

At this time, Eduardo Neves, which was helping with the Summit's Call for Trainings, gave me the idea to send a proposal based on the Portuguese materials I had. I accepted, translated some materials to English and submitted. The proposal was accepted and I got authorization from my employer to go to the Summit. In the end, all tranings scheduled for the Summit were turned into 2-hour talks.

During the time between my proposal being accepted and the Summit, I started helping the Summit organizers in small tasks, such as translations and trying to spread the word about OWASP and the Summit. At the Summit, I met several OWASP leaders, specially Dinis Cruz and Paulo Coimbra. I also met several Brazilians and we agreed that we needed an OWASP Conference in Brazil. After returning home, we started talking about it in our mailing list and managed to make it happen in 2009. I was able to convince my bosses to host the first OWASP AppSec in Brasil and got full support. This way, I became the OWASP AppSec Brasil 2009 General Chair.

After the 2009 Conference, we started planning the next one. Again, I became the conference General Chair. After two years of intense work to make the conferences happen, I decided I needed some rest and time to dedicate to other projects. I want to dedicate myself to other OWASP related projects:

* OWASP [[Brasilia]] Chapter
* OWASP [[Software_Assurance_Maturity_Model]] Portuguese translation
* Developing OWASP [[WebGoat]]-based trainings

Although I gave up all my "titles" at OWASP (as chapter or project leader or committee member), I still want to be involved as a contributor to projects and chapters and paid member.

==About me==

I don't like talking about me. Google it.

==Why Sapão==
This a long story. To make it short: it is my long time nickname (since my teen years).

I was nicknamed after '''Toad''', a character from the [[http://en.wikipedia.org/wiki/Drak_Pack Drak Pack]] Series. Toad's name in Brazil was Sapão.

User:Sapao

2012-10-22T17:50:05Z

Sapao: /* Involvement in OWASP */

=Lucas C. Ferreira=

==Involvement in OWASP==
Past "titles":
* [[Global Conferences Committee]] member
* [[Brasilia]], DF, Brazil chapter leader
* [[OWASP Portuguese Language Project]] co-leader
* OWASP [[AppSec Brasil 2009]] General Chair
* OWASP [[AppSec Brasil 2010]] General Chair

==How I got involved in OWASP==
In 2008, OWASP was organizing the EU Summit in Portugal and issued a Call for Training Providers, seeking trainings to be delivered at the Summit. I had recently finished preparing a "Secure Programming in Java" training in Portuguese and was working with some friends to organize training sessions in Brazil.

At this time, Eduardo Neves, which was helping with the Summit's Call for Trainings, gave me the idea to send a proposal based on the Portuguese materials I had. I accepted, translated some materials to English and submitted. The proposal was accepted and I got authorization from my employer to go to the Summit. In the end, all tranings scheduled for the Summit were turned into 2-hour talks.

During the time between my proposal being accepted and the Summit, I started helping the Summit organizers in small tasks, such as translations and trying to spread the word about OWASP and the Summit. At the Summit, I met several OWASP leaders, specially Dinis Cruz and Paulo Coimbra. I also met several Brazilians and we agreed that we needed an OWASP Conference in Brazil. After returning home, we started talking about it in our mailing list and managed to make it happen in 2009. I was able to convince my bosses to host the first OWASP AppSec in Brasil and got full support. This way, I became the OWASP AppSec Brasil 2009 General Chair.

After the 2009 Conference, we started planning the next one. Again, I became the conference General Chair. After two years of intense work to make the conferences happen, I decided I needed some rest and time to dedicate to other projects. I want to dedicate myself to other OWASP related projects:

* OWASP [[Brasilia]] Chapter
* OWASP [[Software_Assurance_Maturity_Model]] Portuguese translation
* Developing OWASP [[WebGoat]]-based trainings

Although I gave up all my "titles" at OWASP (as chapter or project leader or committee member), I still want to be involved as a contributor to projects and chapters and paid member.

==About me==

I don't like talking about me. Google it.

==Why Sapão==
This a long story. To make it short: it is my long time nickname (since my teen years).

I was nicknamed after '''Toad''', a character from the [[http://en.wikipedia.org/wiki/Drak_Pack Drak Pack]] Series. Toad's name in Brazil was Sapão.

User:Sapao

2012-10-22T17:49:49Z

Sapao: /* Involvement in OWASP */

=Lucas C. Ferreira=

==Involvement in OWASP==
Past "titles":
* [[Global Conferences Committee]] member
* [[Brasilia]], DF, Brazil chapter leader
* [[OWASP Portuguese Language Project]] leader
* OWASP [[AppSec Brasil 2009]] General Chair
* OWASP [[AppSec Brasil 2010]] General Chair

==How I got involved in OWASP==
In 2008, OWASP was organizing the EU Summit in Portugal and issued a Call for Training Providers, seeking trainings to be delivered at the Summit. I had recently finished preparing a "Secure Programming in Java" training in Portuguese and was working with some friends to organize training sessions in Brazil.

At this time, Eduardo Neves, which was helping with the Summit's Call for Trainings, gave me the idea to send a proposal based on the Portuguese materials I had. I accepted, translated some materials to English and submitted. The proposal was accepted and I got authorization from my employer to go to the Summit. In the end, all tranings scheduled for the Summit were turned into 2-hour talks.

During the time between my proposal being accepted and the Summit, I started helping the Summit organizers in small tasks, such as translations and trying to spread the word about OWASP and the Summit. At the Summit, I met several OWASP leaders, specially Dinis Cruz and Paulo Coimbra. I also met several Brazilians and we agreed that we needed an OWASP Conference in Brazil. After returning home, we started talking about it in our mailing list and managed to make it happen in 2009. I was able to convince my bosses to host the first OWASP AppSec in Brasil and got full support. This way, I became the OWASP AppSec Brasil 2009 General Chair.

After the 2009 Conference, we started planning the next one. Again, I became the conference General Chair. After two years of intense work to make the conferences happen, I decided I needed some rest and time to dedicate to other projects. I want to dedicate myself to other OWASP related projects:

* OWASP [[Brasilia]] Chapter
* OWASP [[Software_Assurance_Maturity_Model]] Portuguese translation
* Developing OWASP [[WebGoat]]-based trainings

Although I gave up all my "titles" at OWASP (as chapter or project leader or committee member), I still want to be involved as a contributor to projects and chapters and paid member.

==About me==

I don't like talking about me. Google it.

==Why Sapão==
This a long story. To make it short: it is my long time nickname (since my teen years).

I was nicknamed after '''Toad''', a character from the [[http://en.wikipedia.org/wiki/Drak_Pack Drak Pack]] Series. Toad's name in Brazil was Sapão.

User:Sapao

2012-10-22T17:41:09Z

Sapao: /* How I got involved in OWASP */

=Lucas C. Ferreira=

==Involvement in OWASP==
Current activities:
* [[Global Conferences Committee]] member
* [[Brasilia]], DF, Brazil chapter leader
* [[OWASP Portuguese Language Project]] leader

Past activities:
* OWASP [[AppSec Brasil 2009]] General Chair
* OWASP [[AppSec Brasil 2010]] General Chair

==How I got involved in OWASP==
In 2008, OWASP was organizing the EU Summit in Portugal and issued a Call for Training Providers, seeking trainings to be delivered at the Summit. I had recently finished preparing a "Secure Programming in Java" training in Portuguese and was working with some friends to organize training sessions in Brazil.

At this time, Eduardo Neves, which was helping with the Summit's Call for Trainings, gave me the idea to send a proposal based on the Portuguese materials I had. I accepted, translated some materials to English and submitted. The proposal was accepted and I got authorization from my employer to go to the Summit. In the end, all tranings scheduled for the Summit were turned into 2-hour talks.

During the time between my proposal being accepted and the Summit, I started helping the Summit organizers in small tasks, such as translations and trying to spread the word about OWASP and the Summit. At the Summit, I met several OWASP leaders, specially Dinis Cruz and Paulo Coimbra. I also met several Brazilians and we agreed that we needed an OWASP Conference in Brazil. After returning home, we started talking about it in our mailing list and managed to make it happen in 2009. I was able to convince my bosses to host the first OWASP AppSec in Brasil and got full support. This way, I became the OWASP AppSec Brasil 2009 General Chair.

After the 2009 Conference, we started planning the next one. Again, I became the conference General Chair. After two years of intense work to make the conferences happen, I decided I needed some rest and time to dedicate to other projects. I want to dedicate myself to other OWASP related projects:

* OWASP [[Brasilia]] Chapter
* OWASP [[Software_Assurance_Maturity_Model]] Portuguese translation
* Developing OWASP [[WebGoat]]-based trainings

Although I gave up all my "titles" at OWASP (as chapter or project leader or committee member), I still want to be involved as a contributor to projects and chapters and paid member.

==About me==

I don't like talking about me. Google it.

==Why Sapão==
This a long story. To make it short: it is my long time nickname (since my teen years).

I was nicknamed after '''Toad''', a character from the [[http://en.wikipedia.org/wiki/Drak_Pack Drak Pack]] Series. Toad's name in Brazil was Sapão.

Projects Reboot 2012

2012-06-18T14:03:09Z

Sapao:

'''Welcome the the OWASP Project Reboot Page:
'''

''What is the OWASP Project ReBoot initiative?''

OWASP needs to refresh, revitalize & update its projects. We need to make the software development community more aware of our efforts and demonstrate the foundations library of solutions & guidance designed to help with the secure application development lifecycle.

The proposal for this initiative is here:

'''[https://docs.google.com/a/owasp.org/file/d/0B5Z9zE0hx0LNSUZvOWVKd1JRWnlVaGJMcjB3SEN3Zw/edit Project Re-Boot Proposal]'''

'''Project Lead''': Eoin Keary 
'''Proposal Approval Team''': Jim Manico, Rahim Jina, Tom Brennan,... 

Board Approval can be seen here:
[https://www.owasp.org/index.php/May_14,2012]

To that end we have a budget to fund various project related activities. We hope putting some financial support behind projects will re-energise our community and hopefully deliver some great high quality material which can be used to support software developers and testers for years to come: 

'''Current Submissions''' 
'''[[OWASP Application Security Guide For CISOs]]''' 
'''[[OWASP Development Guide]]''' 
'''[[OWASP Zed Attack Proxy Reboot2012|Zed Attack Proxy]]''' 
'''[[OWASP WebGoat Reboot2012|OWASP WebGoat]]''' 
'''[[OWASP Cheat Sheets]]''' 
'''[[OWASP AppSensor]]''' 
'''[[OWASP Mobile Project]]''' 
'''[[Projects_Reboot_2012/OWASP_Portuguese_Project_Proposal]]''' 
 

'''Key Dates:''' 
'''Submission closing date''': July 30th 2012 
'''First round of proposal selection''': 15 June 2012 
'''Second round of proposal selection''': 10 Aug 2012 

'''Activity types''': 

'''Type 1''': Update, rewrite & complete guides or tools. 
This "type" is aimed at both existing and new tools or guides which require development effort to update, augment, rewrite, develop in order to achieve a high quality release quality product. 

Examples: 
#"Mini" Project based summits: Expenses associated with getting global workshops, with the aim of releasing a new version of a project. 
#Paying contributors for their time and effort. 
#Paying for user guides etc to be professionally developed (technical writing etc). 

'''Type 2''': Market, Training, Awareness, increase adoption. 
Existing, healthy robust tools and guides can utilise Type 2 activities to help with creating awareness and increasing adoption of that project. 

Examples: 
#Assisting with expenses associated with marketing a project. 
#Costs facilitating OWASP project focused training and awareness events 

'''How are we going to fund this??''' 
We are requesting all OWASP chapters which are in a healthy financial position to pledge 25% of their chapters funds to pay for this initiative. 
[https://www.surveymonkey.com/s/OWASP-REBOOT Pledge some chapter funds here]

Donate $1.00 to help save a current or future software application [http://www.firstgiving.com/fundraiser/projectreboot/owasp-project-reboot Click Here]

The Foundation shall also support this initiative with additional funding. 
The goal is to accumulate a budget of $100K which shall be appointed to projects undergoing this reboot. 

[https://docs.google.com/a/owasp.org/spreadsheet/pub?hl=en_US&hl=en_US&key=0Atu4kyR3ljftdEdQWTczbUxoMUFnWmlTODZ2ZFZvaXc&output=html - Chapter Funds]

'''Can I apply for this Reboot?''' 
You certainly can, assuming you are an OWASP member. 
If you feel your project is ready or has potential you can apply for the reboot programme. 

'''How does funding work?''' 
'''Type 1''': Funding can be applied for as required if travel/mini summit etc is to be expensed as part of the reboot. Development activities; payment to contributors shall be at 50% and 100% milestones. 
Milestones are agreed prior to project reboot initiation. 
Once the 50% milestone is reached the work done to date shall be reviewed by a member of the [https://www.owasp.org/index.php/Category:Global_Projects_Committee - GPC] and also another nominated OWASP reviewer (generally an OWASP leader). 

'''Type 2''': Funding is supplied as required. Items to be funded are agreed prior to reboot initiation. 
Invoices for the required services are sent directly to the foundation for payment.

'''How do I apply?'''
Send in a proposal with the following information:

# Project name and description. Including reboot project lead and any team members.
# Re boot type (Type 1 or Type 2)
# Goals of the reboot
# Timeline for the 50% milestone and the 100% milestone. Suggested milestone reviewers (Generally OWASP Leaders or other industry experts)
# Budget required and how you shall spend it.

Want to support this initiative or learn more? Contact [mailto:eoin.keary@owasp.org Eoin Keary]

Projects Reboot 2012/OWASP Portuguese Project Proposal

2012-06-18T14:02:28Z

Sapao: Created page with "=Project Reboot Submission for OWASP Portuguese Language Project= '''Project Name:''' OWASP Portuguese Language Project '''Description:''' This project aims to coordinate an..."

=Project Reboot Submission for OWASP Portuguese Language Project=

'''Project Name:''' OWASP Portuguese Language Project

'''Description:''' This project aims to coordinate and push foward the iniciatives developed to translate OWASP materials to Portuguese.

'''Link:''' https://www.owasp.org/index.php/OWASP_Portuguese_Language_Project

'''Reboot Project Lead:''' Márcio Machry

'''Team Members:''' Lucas Ferreira, Carlos Serrão, Magno Logan, Leandro Gomes, Tarcizio Vieira

'''Reboot type:''' Type 2

'''Goals of the reboot:'''
Promote the project to obtain volunteers to help in the translations; translate with quality the main OWASP documents and publicize them in all Portuguese Language countries; standardization of the translations in Brazil or Portugal languages

'''50% milestone:''' December 2012, conclude ASVS and Top Ten translations; identify another priority documents to translate; marketing of the project in OWASP Conferences around Brazil

'''100% milestone:''' December 2013, conclude OpenSAMM and CLASP translations; create teams with coordinators to translate new documents

'''Suggested milestone reviewers:''' OWASP Brazilian Chapters Leaders

Budget required:
* USD 2,000 – expenses with translation reviewers and experts, layout and printing of the documents
* USD 3,000 – promote awareness events, project marketing, present the project at OWASP conferences in Brazil
* Estimated Total – USD 5,000

OWASP File Hash Repository

2012-04-17T19:41:32Z

Sapao: /* If the database is free, where can I get it? */

=FHR FAQ=

==What is FHR?==

Simply put, FHR is a repository of hashes of files. But the idea is to go beyond just keeping a list of hashes: I want the repository to indicate when the file in question is (part of) a malware or when a file is recognized as benign. Thus, anyone could see the hash of a file to see if it corresponds to a malware file or an already known good file.

==Aren't there already other sources for this information? ==

Yes, and one of the ideas of the project is to aggregate and leverage information from already existing sources. For example, NIST has the [http://www.nsrl.nist.gov NSRL], which provides hashes of known benign files. The problem is that NIST provides this information in a text file whose download is over 1GB in size. Other known sources are Team Cymru's [http://www.team-cymru.org/Services/MHR/ MHR], [http://isc.sans.edu/tools/hashsearch.html SANS Institute's hash database] and [http://www.virustotal.com Virus Total]. In addition to aggregating the information, one of the main goals for FHR is to allow free access to its database.

==Isn't free access to a database that contains malware dangerous?==
Yes, it's dangerous, but the project repository will not contain malware. The repository will only have the hashes of malware, which poses no danger.

==Detecting malware using only hashes is not good strategy.==
Certainly, and the project is not intended to replace the current anti-virus scanners. However, the creation of hashes is more efficient and easier than creating generic virus detection algorithms and it is a strategy which is being used as a complement to traditional antivirus products. Several commercial products include uses of cloud computing as part of their strategies. Unfortunately, the producers of these technologies do not allow queries to their hash databases. With FHR, the goal is to create a freely available database to be used by everyone.

==Will the FHR be integrated into antivirus systems?==
We intend to develop clients to the FHR database that can scan workstations and query FHR's database to try to identify malware. These clients will be created as a proof of concept and will be open source. It would be great if some antivirus vendors start supporting FHR, but only time will tell.

==Technically, how does the FHR work?==
As expected, the core of the system is its database of hashes. Today this database runs on MySQL. Around this database, we can develop several query interfaces. Some ideas of protocols for querying the FHR database are:

* DNS
* web
* web services
* JSON

The current codebase includes a DNS-based query interface.

==What data are available in the database?==

We currently have the a little more than 20 million files in the database. These come mainly from the NSRL and we included several PE files from Windows Vista and other common software. For each registered file, we have the following information:

* SHA-1
* MD5
* source
* date when the system saw the hash / file for the first time (not available for the files from NIST)
* status (GOOD, MALWARE, UNKNOWN, SUSPICIOUS)
* size
* certainty (a percentage that indicates the degree of certainty about the status of the file).

==Testing the system==

To query the FHR, add the suffix .hash.sapao.net to the MD5 or SHA-1 hash (in hex format) of the file. For example:
dig 84C0C5914FF0B825141BA2C6A9E3D6F4.hash.sapao.net
or
dig TXT 84C0C5914FF0B825141BA2C6A9E3D6F4.hash.sapao.net
will query the database for the hash '''84C0C5914FF0B825141BA2C6A9E3D6F4'''.

== If the database is free, where can I get it? ==

The database is big and difficult to make available for download. We have however an Amazon AWS snapshot of the database disk. The snapshot ID is snap-5aacdd27 and its name is FHRDatabase.

To find the snapshot, log in the AWS console, select the EC2 tab, and select Elastic Block Store -> snapshops on the left pane. Select All snapshots on the Viewing dropbox and search for the ID or name.

The snapshot contains a Linux disk with the MySQL Database files. Mount it into your own instance and you will have access to all the files.

=Roadmap=

[[Projects/OWASP_File_Hash_Repository/Roadmap]]

=Documentation=

==Database schema==

The FHR database contains a single table, called File, described below:

<pre>
mysql> show columns from File in FHR;
+-----------+------------+------+-----+---------+----------------+
| Field | Type | Null | Key | Default | Extra |
+-----------+------------+------+-----+---------+----------------+
| idFile | int(11) | NO | PRI | NULL | auto_increment |
| SHA1 | char(40) | YES | MUL | NULL | |
| MD5 | char(32) | YES | MUL | NULL | |
| size | mediumtext | YES | | NULL | |
| source | char(10) | YES | | NULL | |
| date | date | YES | | NULL | |
| status | char(10) | NO | | NULL | |
| certainty | float | YES | | NULL | |
+-----------+------------+------+-----+---------+----------------+
8 rows in set (0.00 sec)
</pre>

==Server Implementation Details==

The DNS server is implemented in Java and is based on the EagleDNS server, which uses the dnsjava library.

===EagleDNS extensions===
The EagleDNS server is easily extended. It is based on the concept of Zone Providers, which provide specific implementations for the backend storage of zone data. The server provides two basic providers, one for loading data from simple zone files and another for loading data from a database.

At first glance, it could seem that the database zone provider would be a perfect fit for FHR, but upon a closer examination, we quickly find out that it is not the case. The main reason is that EagleDNS uses the dnsjava Zone class to represent zone data. This implementation requires all zone data to be held in memory, which would be impossible for FHR since it will contain millions of entries, each corresponding to a DNS record.

So we had to extend EagleDNS by implementing its ZoneProvider interface. And we also needed to extend the dnsjava Zone class functionality. This created a problem since the Zone class was not implemented to be extended. This required us to change the dnsjava source code and recompile this library before being able to implement all FHRZoneProvider class.

The diffs for the dnsjava classes are available at [[OWASP_File_Hash_Repository/dnsjava_diffs]]

===The FHRZoneProvider rationale===
TODO.

= Project About =

{{:Projects/OWASP File Hash Repository | Project About}}

__NOTOC__ <headertabs />

[[Category:OWASP_Tool]] [[Category:OWASP_Alpha_Quality_Tool]]
[[Category:OWASP Project]]

OWASP File Hash Repository

2012-04-17T19:39:53Z

Sapao: /* Testing the system */

=FHR FAQ=

==What is FHR?==

Simply put, FHR is a repository of hashes of files. But the idea is to go beyond just keeping a list of hashes: I want the repository to indicate when the file in question is (part of) a malware or when a file is recognized as benign. Thus, anyone could see the hash of a file to see if it corresponds to a malware file or an already known good file.

==Aren't there already other sources for this information? ==

Yes, and one of the ideas of the project is to aggregate and leverage information from already existing sources. For example, NIST has the [http://www.nsrl.nist.gov NSRL], which provides hashes of known benign files. The problem is that NIST provides this information in a text file whose download is over 1GB in size. Other known sources are Team Cymru's [http://www.team-cymru.org/Services/MHR/ MHR], [http://isc.sans.edu/tools/hashsearch.html SANS Institute's hash database] and [http://www.virustotal.com Virus Total]. In addition to aggregating the information, one of the main goals for FHR is to allow free access to its database.

==Isn't free access to a database that contains malware dangerous?==
Yes, it's dangerous, but the project repository will not contain malware. The repository will only have the hashes of malware, which poses no danger.

==Detecting malware using only hashes is not good strategy.==
Certainly, and the project is not intended to replace the current anti-virus scanners. However, the creation of hashes is more efficient and easier than creating generic virus detection algorithms and it is a strategy which is being used as a complement to traditional antivirus products. Several commercial products include uses of cloud computing as part of their strategies. Unfortunately, the producers of these technologies do not allow queries to their hash databases. With FHR, the goal is to create a freely available database to be used by everyone.

==Will the FHR be integrated into antivirus systems?==
We intend to develop clients to the FHR database that can scan workstations and query FHR's database to try to identify malware. These clients will be created as a proof of concept and will be open source. It would be great if some antivirus vendors start supporting FHR, but only time will tell.

==Technically, how does the FHR work?==
As expected, the core of the system is its database of hashes. Today this database runs on MySQL. Around this database, we can develop several query interfaces. Some ideas of protocols for querying the FHR database are:

* DNS
* web
* web services
* JSON

The current codebase includes a DNS-based query interface.

==What data are available in the database?==

We currently have the a little more than 20 million files in the database. These come mainly from the NSRL and we included several PE files from Windows Vista and other common software. For each registered file, we have the following information:

* SHA-1
* MD5
* source
* date when the system saw the hash / file for the first time (not available for the files from NIST)
* status (GOOD, MALWARE, UNKNOWN, SUSPICIOUS)
* size
* certainty (a percentage that indicates the degree of certainty about the status of the file).

==Testing the system==

To query the FHR, add the suffix .hash.sapao.net to the MD5 or SHA-1 hash (in hex format) of the file. For example:
dig 84C0C5914FF0B825141BA2C6A9E3D6F4.hash.sapao.net
or
dig TXT 84C0C5914FF0B825141BA2C6A9E3D6F4.hash.sapao.net
will query the database for the hash '''84C0C5914FF0B825141BA2C6A9E3D6F4'''.

== If the database is free, where can I get it? ==

The database is big and difficult to make available for download. We have however an Amazon AWS snapshot of the database disk. The snapshot ID is snap-5aacdd27 and its name is FHRDatabase.

To find the snapshot, log in the AWS console, select the EC2 tab, and select Elastic Block Store -> snapshops on the left pane. Select All snapshots on the Viewing dropbox and search for the ID or name.

=Roadmap=

[[Projects/OWASP_File_Hash_Repository/Roadmap]]

=Documentation=

==Database schema==

The FHR database contains a single table, called File, described below:

<pre>
mysql> show columns from File in FHR;
+-----------+------------+------+-----+---------+----------------+
| Field | Type | Null | Key | Default | Extra |
+-----------+------------+------+-----+---------+----------------+
| idFile | int(11) | NO | PRI | NULL | auto_increment |
| SHA1 | char(40) | YES | MUL | NULL | |
| MD5 | char(32) | YES | MUL | NULL | |
| size | mediumtext | YES | | NULL | |
| source | char(10) | YES | | NULL | |
| date | date | YES | | NULL | |
| status | char(10) | NO | | NULL | |
| certainty | float | YES | | NULL | |
+-----------+------------+------+-----+---------+----------------+
8 rows in set (0.00 sec)
</pre>

==Server Implementation Details==

The DNS server is implemented in Java and is based on the EagleDNS server, which uses the dnsjava library.

===EagleDNS extensions===
The EagleDNS server is easily extended. It is based on the concept of Zone Providers, which provide specific implementations for the backend storage of zone data. The server provides two basic providers, one for loading data from simple zone files and another for loading data from a database.

At first glance, it could seem that the database zone provider would be a perfect fit for FHR, but upon a closer examination, we quickly find out that it is not the case. The main reason is that EagleDNS uses the dnsjava Zone class to represent zone data. This implementation requires all zone data to be held in memory, which would be impossible for FHR since it will contain millions of entries, each corresponding to a DNS record.

So we had to extend EagleDNS by implementing its ZoneProvider interface. And we also needed to extend the dnsjava Zone class functionality. This created a problem since the Zone class was not implemented to be extended. This required us to change the dnsjava source code and recompile this library before being able to implement all FHRZoneProvider class.

The diffs for the dnsjava classes are available at [[OWASP_File_Hash_Repository/dnsjava_diffs]]

===The FHRZoneProvider rationale===
TODO.

= Project About =

{{:Projects/OWASP File Hash Repository | Project About}}

__NOTOC__ <headertabs />

[[Category:OWASP_Tool]] [[Category:OWASP_Alpha_Quality_Tool]]
[[Category:OWASP Project]]

OWASP File Hash Repository

2012-04-17T19:34:21Z

Sapao: /* Testing the system */

=FHR FAQ=

==What is FHR?==

Simply put, FHR is a repository of hashes of files. But the idea is to go beyond just keeping a list of hashes: I want the repository to indicate when the file in question is (part of) a malware or when a file is recognized as benign. Thus, anyone could see the hash of a file to see if it corresponds to a malware file or an already known good file.

==Aren't there already other sources for this information? ==

Yes, and one of the ideas of the project is to aggregate and leverage information from already existing sources. For example, NIST has the [http://www.nsrl.nist.gov NSRL], which provides hashes of known benign files. The problem is that NIST provides this information in a text file whose download is over 1GB in size. Other known sources are Team Cymru's [http://www.team-cymru.org/Services/MHR/ MHR], [http://isc.sans.edu/tools/hashsearch.html SANS Institute's hash database] and [http://www.virustotal.com Virus Total]. In addition to aggregating the information, one of the main goals for FHR is to allow free access to its database.

==Isn't free access to a database that contains malware dangerous?==
Yes, it's dangerous, but the project repository will not contain malware. The repository will only have the hashes of malware, which poses no danger.

==Detecting malware using only hashes is not good strategy.==
Certainly, and the project is not intended to replace the current anti-virus scanners. However, the creation of hashes is more efficient and easier than creating generic virus detection algorithms and it is a strategy which is being used as a complement to traditional antivirus products. Several commercial products include uses of cloud computing as part of their strategies. Unfortunately, the producers of these technologies do not allow queries to their hash databases. With FHR, the goal is to create a freely available database to be used by everyone.

==Will the FHR be integrated into antivirus systems?==
We intend to develop clients to the FHR database that can scan workstations and query FHR's database to try to identify malware. These clients will be created as a proof of concept and will be open source. It would be great if some antivirus vendors start supporting FHR, but only time will tell.

==Technically, how does the FHR work?==
As expected, the core of the system is its database of hashes. Today this database runs on MySQL. Around this database, we can develop several query interfaces. Some ideas of protocols for querying the FHR database are:

* DNS
* web
* web services
* JSON

The current codebase includes a DNS-based query interface.

==What data are available in the database?==

We currently have the a little more than 20 million files in the database. These come mainly from the NSRL and we included several PE files from Windows Vista and other common software. For each registered file, we have the following information:

* SHA-1
* MD5
* source
* date when the system saw the hash / file for the first time (not available for the files from NIST)
* status (GOOD, MALWARE, UNKNOWN, SUSPICIOUS)
* size
* certainty (a percentage that indicates the degree of certainty about the status of the file).

==Testing the system==

To query the FHR, add the suffix .hash.sapao.net to the MD5 or SHA-1 hash (in hex format) of the file. For example:
dig 84C0C5914FF0B825141BA2C6A9E3D6F4.hash.sapao.net
or
dig TXT 84C0C5914FF0B825141BA2C6A9E3D6F4.hash.sapao.net
will query the database for the hash '''84C0C5914FF0B825141BA2C6A9E3D6F4'''.

=Roadmap=

[[Projects/OWASP_File_Hash_Repository/Roadmap]]

=Documentation=

==Database schema==

The FHR database contains a single table, called File, described below:

<pre>
mysql> show columns from File in FHR;
+-----------+------------+------+-----+---------+----------------+
| Field | Type | Null | Key | Default | Extra |
+-----------+------------+------+-----+---------+----------------+
| idFile | int(11) | NO | PRI | NULL | auto_increment |
| SHA1 | char(40) | YES | MUL | NULL | |
| MD5 | char(32) | YES | MUL | NULL | |
| size | mediumtext | YES | | NULL | |
| source | char(10) | YES | | NULL | |
| date | date | YES | | NULL | |
| status | char(10) | NO | | NULL | |
| certainty | float | YES | | NULL | |
+-----------+------------+------+-----+---------+----------------+
8 rows in set (0.00 sec)
</pre>

==Server Implementation Details==

The DNS server is implemented in Java and is based on the EagleDNS server, which uses the dnsjava library.

===EagleDNS extensions===
The EagleDNS server is easily extended. It is based on the concept of Zone Providers, which provide specific implementations for the backend storage of zone data. The server provides two basic providers, one for loading data from simple zone files and another for loading data from a database.

At first glance, it could seem that the database zone provider would be a perfect fit for FHR, but upon a closer examination, we quickly find out that it is not the case. The main reason is that EagleDNS uses the dnsjava Zone class to represent zone data. This implementation requires all zone data to be held in memory, which would be impossible for FHR since it will contain millions of entries, each corresponding to a DNS record.

So we had to extend EagleDNS by implementing its ZoneProvider interface. And we also needed to extend the dnsjava Zone class functionality. This created a problem since the Zone class was not implemented to be extended. This required us to change the dnsjava source code and recompile this library before being able to implement all FHRZoneProvider class.

The diffs for the dnsjava classes are available at [[OWASP_File_Hash_Repository/dnsjava_diffs]]

===The FHRZoneProvider rationale===
TODO.

= Project About =

{{:Projects/OWASP File Hash Repository | Project About}}

__NOTOC__ <headertabs />

[[Category:OWASP_Tool]] [[Category:OWASP_Alpha_Quality_Tool]]
[[Category:OWASP Project]]

OWASP File Hash Repository

2012-04-17T19:30:16Z

Sapao:

=FHR FAQ=

==What is FHR?==

Simply put, FHR is a repository of hashes of files. But the idea is to go beyond just keeping a list of hashes: I want the repository to indicate when the file in question is (part of) a malware or when a file is recognized as benign. Thus, anyone could see the hash of a file to see if it corresponds to a malware file or an already known good file.

==Aren't there already other sources for this information? ==

Yes, and one of the ideas of the project is to aggregate and leverage information from already existing sources. For example, NIST has the [http://www.nsrl.nist.gov NSRL], which provides hashes of known benign files. The problem is that NIST provides this information in a text file whose download is over 1GB in size. Other known sources are Team Cymru's [http://www.team-cymru.org/Services/MHR/ MHR], [http://isc.sans.edu/tools/hashsearch.html SANS Institute's hash database] and [http://www.virustotal.com Virus Total]. In addition to aggregating the information, one of the main goals for FHR is to allow free access to its database.

==Isn't free access to a database that contains malware dangerous?==
Yes, it's dangerous, but the project repository will not contain malware. The repository will only have the hashes of malware, which poses no danger.

==Detecting malware using only hashes is not good strategy.==
Certainly, and the project is not intended to replace the current anti-virus scanners. However, the creation of hashes is more efficient and easier than creating generic virus detection algorithms and it is a strategy which is being used as a complement to traditional antivirus products. Several commercial products include uses of cloud computing as part of their strategies. Unfortunately, the producers of these technologies do not allow queries to their hash databases. With FHR, the goal is to create a freely available database to be used by everyone.

==Will the FHR be integrated into antivirus systems?==
We intend to develop clients to the FHR database that can scan workstations and query FHR's database to try to identify malware. These clients will be created as a proof of concept and will be open source. It would be great if some antivirus vendors start supporting FHR, but only time will tell.

==Technically, how does the FHR work?==
As expected, the core of the system is its database of hashes. Today this database runs on MySQL. Around this database, we can develop several query interfaces. Some ideas of protocols for querying the FHR database are:

* DNS
* web
* web services
* JSON

The current codebase includes a DNS-based query interface.

==What data are available in the database?==

We currently have the a little more than 20 million files in the database. These come mainly from the NSRL and we included several PE files from Windows Vista and other common software. For each registered file, we have the following information:

* SHA-1
* MD5
* source
* date when the system saw the hash / file for the first time (not available for the files from NIST)
* status (GOOD, MALWARE, UNKNOWN, SUSPICIOUS)
* size
* certainty (a percentage that indicates the degree of certainty about the status of the file).

==Testing the system==

To query the FHR, add the suffix .hash.sapao.net to the MD5 or SHA-1 hash (in hex format) of the file. For example:
dig 84C0C5914FF0B825141BA2C6A9E3D6F4.hash.sapao.net
or
dig TXT 84C0C5914FF0B825141BA2C6A9E3D6F4.hash.sapao.net
will query the database for the hash '''84C0C5914FF0B825141BA2C6A9E3D6F4'''.

====Roadmap====

[[Projects/OWASP_File_Hash_Repository/Roadmap]]

====Documentation====

==Database schema==

The FHR database contains a single table, called File, described below:

<pre>
mysql> show columns from File in FHR;
+-----------+------------+------+-----+---------+----------------+
| Field | Type | Null | Key | Default | Extra |
+-----------+------------+------+-----+---------+----------------+
| idFile | int(11) | NO | PRI | NULL | auto_increment |
| SHA1 | char(40) | YES | MUL | NULL | |
| MD5 | char(32) | YES | MUL | NULL | |
| size | mediumtext | YES | | NULL | |
| source | char(10) | YES | | NULL | |
| date | date | YES | | NULL | |
| status | char(10) | NO | | NULL | |
| certainty | float | YES | | NULL | |
+-----------+------------+------+-----+---------+----------------+
8 rows in set (0.00 sec)
</pre>

==Server Implementation Details==

The DNS server is implemented in Java and is based on the EagleDNS server, which uses the dnsjava library.

===EagleDNS extensions===
The EagleDNS server is easily extended. It is based on the concept of Zone Providers, which provide specific implementations for the backend storage of zone data. The server provides two basic providers, one for loading data from simple zone files and another for loading data from a database.

At first glance, it could seem that the database zone provider would be a perfect fit for FHR, but upon a closer examination, we quickly find out that it is not the case. The main reason is that EagleDNS uses the dnsjava Zone class to represent zone data. This implementation requires all zone data to be held in memory, which would be impossible for FHR since it will contain millions of entries, each corresponding to a DNS record.

So we had to extend EagleDNS by implementing its ZoneProvider interface. And we also needed to extend the dnsjava Zone class functionality. This created a problem since the Zone class was not implemented to be extended. This required us to change the dnsjava source code and recompile this library before being able to implement all FHRZoneProvider class.

The diffs for the dnsjava classes are available at [[OWASP_File_Hash_Repository/dnsjava_diffs]]

===The FHRZoneProvider rationale===
TODO.

= Project About =

{{:Projects/OWASP File Hash Repository | Project About}}

__NOTOC__ <headertabs />

[[Category:OWASP_Tool]] [[Category:OWASP_Alpha_Quality_Tool]]
[[Category:OWASP Project]]

OWASP Portuguese Language Project

2012-04-09T22:08:50Z

Sapao: /* SAMM */

{{Social Media Links}}
<paypal>OWASP Portuguese Language Project</paypal>

= Home =

==Projeto OWASP em Língua Portuguesa==

O objetivo desse projeto é coordenar os esforços de tradução e produção de documentos em língua portuguesa no âmbito do OWASP. Desta forma, é possível facilitar a participação e evitar duplicações de esforços na tradução dos mesmos documentos.

 

{| width="100%"
|-
! width="50%" |
! width="50%" |
|- valign="top"
|
== Quer ajudar? ==

[[Image:Asvs-waiting.JPG]]

# Inscreva-se na lista de emails do projeto
# Verifique na próxima aba a lista de traduções em andamento
# Escolha uma tradução (em andamento ou nova) e envie email para a lista contendo:
## seu nome
## tradução escolhida
# Caso seja uma nova tradução, informe também se gostaria de ter a ajuda de outros voluntários
# Mantenha a lista informada do andamento do seu esforço

|
== Resultados ==

[[Image:Asvs-satellite.jpg]]'''Documentos disponíveis'''

* [[OWASP Brasil Manifesto]]
* Melhores Práticas de Programação Segura OWASP - Guia de Referência Rápida ([https://www.owasp.org/index.php/File:OWASP_SCP_v1.3_pt-PT.pdf PT_PT] | [https://www.owasp.org/index.php/File:OWASP_SCP_v1.3_pt-BR.pdf PT_BR])

|}

=Esforcos em andamento=

==CLASP==
==Top Ten==
==Top Ten for Java EE==
==SAMM==

Precisa de voluntários para tradução e revisão.

==ASVS==

Precisa de voluntários para revisão e formatação do documento final.

=Summit 2011=

== Decisoes da Sessao de Trabalho ocorrida no OWASP Summit 2011 ==

=== Uniformização ===

será necessário um esforço para uniformizar a linguagem utilizada nas traduções. Com base na experiência obtida pelo projeto de tradução para a língua espanhola, foi definido que a primeira iniciativa neste sentido será a compilação de um glossário, com uma lista de palavras e expressões mais problemáticas e as traduções recomendadas.

=== Definição de prioridades ===

dada a grande quantidade de material disponibilizado pelo OWASP, é necessário priorizar os esforços de tradução. No Summit, ficaram escolhidos os seguintes documentos como tendo prioridade para tradução:

*Top 10
*OpenSAMM (já existe uma tradução parcial)
*Apresentações sobre o que é e como funciona o OWASP

Os documentos abaixo já tem uma tradução disponível e são prioridade para revisão:

*OWASP Quick Reference
*ASVS

=== Coordenação ===

o esforço deve ser coordenado para ser efetivo. O grupo deliberou o seguinte método de trabalho:

*cada tradução terá um coordenador, responsável pela alocação de nacos de tradução, o controle da evolução da tradução, definição de prazos e a substituição de tradutores, quando necessário.
*cada tradução deverá divulgar na wiki as informações necessárias para que se acompanhe a sua evolução.

=== Processo ===

O macroprocesso de tradução ficou definido como:

#cada tradução será dividida em nacos, que podem ser páginas, capítulos, partes, etc.
#o coordenador aloca os nacos aos tradutores e mantém um controle da alocação e dos prazos na wiki
#o coordenador deve sempre verificar o andamento da tradução e o cumprimento dos prazos acordados
#o coordenador pode manter uma lista de espera de tradutores que possam ser acionados caso seja necessário
#todo naco traduzido deve ser revisado, preferencialmente por pessoa oriunda de país diferente do país de origem do tradutor
#o documento completo dever ser novamente revisado, com o objetivo de uniformização do discurso. 

=Project About=

{{:Projects/OWASP Portuguese Language Project | Project About}}

__NOTOC__ <headertabs /> 

[[Category:OWASP_Project|Portuguese Language Project]] [[Category:OWASP_Document]] [[Category:OWASP_Alpha_Quality_Document|OWASP Alpha Quality Document]]

OWASP Portuguese Language Project

2012-04-09T16:28:48Z

Sapao:

{{Social Media Links}}
<paypal>OWASP Portuguese Language Project</paypal>

= Home =

==Projeto OWASP em Língua Portuguesa==

O objetivo desse projeto é coordenar os esforços de tradução e produção de documentos em língua portuguesa no âmbito do OWASP. Desta forma, é possível facilitar a participação e evitar duplicações de esforços na tradução dos mesmos documentos.

 

{| width="100%"
|-
! width="50%" |
! width="50%" |
|- valign="top"
|
== Quer ajudar? ==

[[Image:Asvs-waiting.JPG]]

# Inscreva-se na lista de emails do projeto
# Verifique na próxima aba a lista de traduções em andamento
# Escolha uma tradução (em andamento ou nova) e envie email para a lista contendo:
## seu nome
## tradução escolhida
# Caso seja uma nova tradução, informe também se gostaria de ter a ajuda de outros voluntários
# Mantenha a lista informada do andamento do seu esforço

|
== Resultados ==

[[Image:Asvs-satellite.jpg]]'''Documentos disponíveis'''

* [[OWASP Brasil Manifesto]]
* Melhores Práticas de Programação Segura OWASP - Guia de Referência Rápida ([https://www.owasp.org/index.php/File:OWASP_SCP_v1.3_pt-PT.pdf PT_PT] | [https://www.owasp.org/index.php/File:OWASP_SCP_v1.3_pt-BR.pdf PT_BR])

|}

=Esforcos em andamento=

==CLASP==
==Top Ten==
==Top Ten for Java EE==
==SAMM==

=Summit 2011=

== Decisoes da Sessao de Trabalho ocorrida no OWASP Summit 2011 ==

=== Uniformização ===

será necessário um esforço para uniformizar a linguagem utilizada nas traduções. Com base na experiência obtida pelo projeto de tradução para a língua espanhola, foi definido que a primeira iniciativa neste sentido será a compilação de um glossário, com uma lista de palavras e expressões mais problemáticas e as traduções recomendadas.

=== Definição de prioridades ===

dada a grande quantidade de material disponibilizado pelo OWASP, é necessário priorizar os esforços de tradução. No Summit, ficaram escolhidos os seguintes documentos como tendo prioridade para tradução:

*Top 10
*OpenSAMM (já existe uma tradução parcial)
*Apresentações sobre o que é e como funciona o OWASP

Os documentos abaixo já tem uma tradução disponível e são prioridade para revisão:

*OWASP Quick Reference
*ASVS

=== Coordenação ===

o esforço deve ser coordenado para ser efetivo. O grupo deliberou o seguinte método de trabalho:

*cada tradução terá um coordenador, responsável pela alocação de nacos de tradução, o controle da evolução da tradução, definição de prazos e a substituição de tradutores, quando necessário.
*cada tradução deverá divulgar na wiki as informações necessárias para que se acompanhe a sua evolução.

=== Processo ===

O macroprocesso de tradução ficou definido como:

#cada tradução será dividida em nacos, que podem ser páginas, capítulos, partes, etc.
#o coordenador aloca os nacos aos tradutores e mantém um controle da alocação e dos prazos na wiki
#o coordenador deve sempre verificar o andamento da tradução e o cumprimento dos prazos acordados
#o coordenador pode manter uma lista de espera de tradutores que possam ser acionados caso seja necessário
#todo naco traduzido deve ser revisado, preferencialmente por pessoa oriunda de país diferente do país de origem do tradutor
#o documento completo dever ser novamente revisado, com o objetivo de uniformização do discurso. 

=Project About=

{{:Projects/OWASP Portuguese Language Project | Project About}}

__NOTOC__ <headertabs /> 

[[Category:OWASP_Project|Portuguese Language Project]] [[Category:OWASP_Document]] [[Category:OWASP_Alpha_Quality_Document|OWASP Alpha Quality Document]]

OWASP Portuguese Language Project

2012-04-09T15:13:28Z

Sapao:

= Main =

== Decisões da Sessão de Trabalho ocorrida no OWASP Summit 2011 ==

=== Uniformização ===

será necessário um esforço para uniformizar a linguagem utilizada nas traduções. Com base na experiência obtida pelo projeto de tradução para a língua espanhola, foi definido que a primeira iniciativa neste sentido será a compilação de um glossário, com uma lista de palavras e expressões mais problemáticas e as traduções recomendadas.

=== Definição de prioridades ===

dada a grande quantidade de material disponibilizado pelo OWASP, é necessário priorizar os esforços de tradução. No Summit, ficaram escolhidos os seguintes documentos como tendo prioridade para tradução:

*Top 10
*OpenSAMM (já existe uma tradução parcial)
*Apresentações sobre o que é e como funciona o OWASP

Os documentos abaixo já tem uma tradução disponível e são prioridade para revisão:

*OWASP Quick Reference
*ASVS

=== Coordenação ===

o esforço deve ser coordenado para ser efetivo. O grupo deliberou o seguinte método de trabalho:

*cada tradução terá um coordenador, responsável pela alocação de nacos de tradução, o controle da evolução da tradução, definição de prazos e a substituição de tradutores, quando necessário.
*cada tradução deverá divulgar na wiki as informações necessárias para que se acompanhe a sua evolução.

=== Processo ===

O macroprocesso de tradução ficou definido como:

#cada tradução será dividida em nacos, que podem ser páginas, capítulos, partes, etc.
#o coordenador aloca os nacos aos tradutores e mantém um controle da alocação e dos prazos na wiki
#o coordenador deve sempre verificar o andamento da tradução e o cumprimento dos prazos acordados
#o coordenador pode manter uma lista de espera de tradutores que possam ser acionados caso seja necessário
#todo naco traduzido deve ser revisado, preferencialmente por pessoa oriunda de país diferente do país de origem do tradutor
#o documento completo dever ser novamente revisado, com o objetivo de uniformização do discurso. 

==Documentos disponíveis ==

* [[OWASP Brasil Manifesto]]
* Melhores Práticas de Programação Segura OWASP - Guia de Referência Rápida ([https://www.owasp.org/index.php/File:OWASP_SCP_v1.3_pt-PT.pdf PT_PT] | [https://www.owasp.org/index.php/File:OWASP_SCP_v1.3_pt-BR.pdf PT_BR])

= Project About =

{{:Projects/OWASP Portuguese Language Project | Project About}}

 __NOTOC__ <headertabs />

[[Category:OWASP_Project|Portuguese Language Project]] [[Category:OWASP_Document]] [[Category:OWASP_Alpha_Quality_Document|OWASP Alpha Quality Document]]

OWASP Portuguese Language Project

2012-04-09T15:09:16Z

Sapao:

= Main =

== Decisões da Sessão de Trabalho ocorrida no OWASP Summit 2011 ==

=== Uniformização ===

será necessário um esforço para uniformizar a linguagem utilizada nas traduções. Com base na experiência obtida pelo projeto de tradução para a língua espanhola, foi definido que a primeira iniciativa neste sentido será a compilação de um glossário, com uma lista de palavras e expressões mais problemáticas e as traduções recomendadas.

=== Definição de prioridades ===

dada a grande quantidade de material disponibilizado pelo OWASP, é necessário priorizar os esforços de tradução. No Summit, ficaram escolhidos os seguintes documentos como tendo prioridade para tradução:

*Top 10
*OpenSAMM (já existe uma tradução parcial)
*Apresentações sobre o que é e como funciona o OWASP

Os documentos abaixo já tem uma tradução disponível e são prioridade para revisão:

*OWASP Quick Reference
*ASVS

=== Coordenação ===

o esforço deve ser coordenado para ser efetivo. O grupo deliberou o seguinte método de trabalho:

*cada tradução terá um coordenador, responsável pela alocação de nacos de tradução, o controle da evolução da tradução, definição de prazos e a substituição de tradutores, quando necessário.
*cada tradução deverá divulgar na wiki as informações necessárias para que se acompanhe a sua evolução.

=== Processo ===

O macroprocesso de tradução ficou definido como:

#cada tradução será dividida em nacos, que podem ser páginas, capítulos, partes, etc.
#o coordenador aloca os nacos aos tradutores e mantém um controle da alocação e dos prazos na wiki
#o coordenador deve sempre verificar o andamento da tradução e o cumprimento dos prazos acordados
#o coordenador pode manter uma lista de espera de tradutores que possam ser acionados caso seja necessário
#todo naco traduzido deve ser revisado, preferencialmente por pessoa oriunda de país diferente do país de origem do tradutor
#o documento completo dever ser novamente revisado, com o objetivo de uniformização do discurso. 

=Documentos Disponíveis=

* [[OWASP Brasil Manifesto]]
* Melhores Práticas de Programação Segura OWASP - Guia de Referência Rápida ([https://www.owasp.org/index.php/File:OWASP_SCP_v1.3_pt-PT.pdf PT_PT] | [https://www.owasp.org/index.php/File:OWASP_SCP_v1.3_pt-BR.pdf PT_BR])

= Project About =

{{:Projects/OWASP Portuguese Language Project | Project About}}

 __NOTOC__ <headertabs />

[[Category:OWASP_Project|Portuguese Language Project]] [[Category:OWASP_Document]] [[Category:OWASP_Alpha_Quality_Document|OWASP Alpha Quality Document]]

OWASP Connections Committee - Application 9

2012-03-14T15:41:48Z

Sapao:

[[How to Join a Committee|Click here to return to 'How to Join a Committee' page]]

----

{| border="0" align="center" style="width: 100%;"
|-
! align="center" style="background: rgb(64, 88, 160) none repeat scroll 0% 0%; -moz-background-clip: border; -moz-background-origin: padding; -moz-background-inline-policy: continuous; color: white;" colspan="2" | '''COMMITTEE APPLICATION FORM'''
|-
| align="center" style="background: rgb(123, 138, 189) none repeat scroll 0% 0%; width: 25%; -moz-background-clip: border; -moz-background-origin: padding; -moz-background-inline-policy: continuous;" | '''Applicant's Name'''
| align="left" style="background: rgb(204, 204, 204) none repeat scroll 0% 0%; width: 85%; -moz-background-clip: border; -moz-background-origin: padding; -moz-background-inline-policy: continuous;" colspan="1" | Luiz Eduardo Dos Santos
|-
| align="center" style="background: rgb(123, 138, 189) none repeat scroll 0% 0%; width: 25%; -moz-background-clip: border; -moz-background-origin: padding; -moz-background-inline-policy: continuous;" | '''Current and past OWASP Roles'''
| align="left" style="background: rgb(204, 204, 204) none repeat scroll 0% 0%; width: 85%; -moz-background-clip: border; -moz-background-origin: padding; -moz-background-inline-policy: continuous;" colspan="1" | LATAM Regional Event Coordinator, Member
|-
| align="center" style="background: rgb(123, 138, 189) none repeat scroll 0% 0%; width: 25%; -moz-background-clip: border; -moz-background-origin: padding; -moz-background-inline-policy: continuous;" | '''Committee Applying for'''
| align="left" style="background: rgb(204, 204, 204) none repeat scroll 0% 0%; width: 85%; -moz-background-clip: border; -moz-background-origin: padding; -moz-background-inline-policy: continuous;" colspan="1" | OWASP Connection Committee
|}

----

 

----

Please be aware that for an application to be considered by the board, '''you MUST have 5 recommendations'''. An incomplete application will not be considered for vote.

----

 

----

{| border="0" align="center" style="width: 100%;"
|-
! align="center" style="background: rgb(64, 88, 160) none repeat scroll 0% 0%; -moz-background-clip: border; -moz-background-origin: padding; -moz-background-inline-policy: continuous; color: white;" colspan="8" | '''COMMITTEE RECOMMENDATIONS'''
|-
! align="center" style="background: white none repeat scroll 0% 0%; -moz-background-clip: border; -moz-background-origin: padding; -moz-background-inline-policy: continuous; color: white;" | 
! align="center" style="background: rgb(123, 138, 189) none repeat scroll 0% 0%; -moz-background-clip: border; -moz-background-origin: padding; -moz-background-inline-policy: continuous; color: white;" | '''Who Recommends/Name'''
! align="center" style="background: rgb(123, 138, 189) none repeat scroll 0% 0%; -moz-background-clip: border; -moz-background-origin: padding; -moz-background-inline-policy: continuous; color: white;" | '''Role in OWASP'''
! align="center" style="background: rgb(123, 138, 189) none repeat scroll 0% 0%; -moz-background-clip: border; -moz-background-origin: padding; -moz-background-inline-policy: continuous; color: white;" | '''Recommendation Content'''
|-
| align="center" style="background: rgb(204, 204, 204) none repeat scroll 0% 0%; width: 3%; -moz-background-clip: border; -moz-background-origin: padding; -moz-background-inline-policy: continuous;" | '''1'''
| align="center" style="background: rgb(204, 204, 204) none repeat scroll 0% 0%; width: 20%; -moz-background-clip: border; -moz-background-origin: padding; -moz-background-inline-policy: continuous;" | Lucas C. Ferreira
| align="center" style="background: rgb(204, 204, 204) none repeat scroll 0% 0%; width: 20%; -moz-background-clip: border; -moz-background-origin: padding; -moz-background-inline-policy: continuous;" | Portuguese Project Leader, Conferences Committee Member
| align="center" style="background: rgb(204, 204, 204) none repeat scroll 0% 0%; width: 57%; -moz-background-clip: border; -moz-background-origin: padding; -moz-background-inline-policy: continuous;" | Luiz Eduardo is one of the best known security professionals in Brazil, has helped with the Program committee of AppSec Brasil 2011 and is very well connected to industry and academia folks around the globe.
|-
| align="center" style="background: rgb(204, 204, 204) none repeat scroll 0% 0%; width: 3%; -moz-background-clip: border; -moz-background-origin: padding; -moz-background-inline-policy: continuous;" | '''2'''
| align="center" style="background: rgb(204, 204, 204) none repeat scroll 0% 0%; width: 20%; -moz-background-clip: border; -moz-background-origin: padding; -moz-background-inline-policy: continuous;" | NAME
| align="center" style="background: rgb(204, 204, 204) none repeat scroll 0% 0%; width: 20%; -moz-background-clip: border; -moz-background-origin: padding; -moz-background-inline-policy: continuous;" | TITLE
| align="center" style="background: rgb(204, 204, 204) none repeat scroll 0% 0%; width: 57%; -moz-background-clip: border; -moz-background-origin: padding; -moz-background-inline-policy: continuous;" | WHY
|-
| align="center" style="background: rgb(204, 204, 204) none repeat scroll 0% 0%; width: 3%; -moz-background-clip: border; -moz-background-origin: padding; -moz-background-inline-policy: continuous;" | '''3'''
| align="center" style="background: rgb(204, 204, 204) none repeat scroll 0% 0%; width: 20%; -moz-background-clip: border; -moz-background-origin: padding; -moz-background-inline-policy: continuous;" | NAME
| align="center" style="background: rgb(204, 204, 204) none repeat scroll 0% 0%; width: 20%; -moz-background-clip: border; -moz-background-origin: padding; -moz-background-inline-policy: continuous;" | TITLE
| align="center" style="background: rgb(204, 204, 204) none repeat scroll 0% 0%; width: 57%; -moz-background-clip: border; -moz-background-origin: padding; -moz-background-inline-policy: continuous;" | WHY
|-
| align="center" style="background: rgb(204, 204, 204) none repeat scroll 0% 0%; width: 3%; -moz-background-clip: border; -moz-background-origin: padding; -moz-background-inline-policy: continuous;" | '''4'''
| align="center" style="background: rgb(204, 204, 204) none repeat scroll 0% 0%; width: 20%; -moz-background-clip: border; -moz-background-origin: padding; -moz-background-inline-policy: continuous;" | NAME
| align="center" style="background: rgb(204, 204, 204) none repeat scroll 0% 0%; width: 20%; -moz-background-clip: border; -moz-background-origin: padding; -moz-background-inline-policy: continuous;" | TITLE
| align="center" style="background: rgb(204, 204, 204) none repeat scroll 0% 0%; width: 57%; -moz-background-clip: border; -moz-background-origin: padding; -moz-background-inline-policy: continuous;" | WHY.
|-
| align="center" style="background: rgb(204, 204, 204) none repeat scroll 0% 0%; width: 3%; -moz-background-clip: border; -moz-background-origin: padding; -moz-background-inline-policy: continuous;" | '''5'''
| align="center" style="background: rgb(204, 204, 204) none repeat scroll 0% 0%; width: 20%; -moz-background-clip: border; -moz-background-origin: padding; -moz-background-inline-policy: continuous;" | NAME
| align="center" style="background: rgb(204, 204, 204) none repeat scroll 0% 0%; width: 20%; -moz-background-clip: border; -moz-background-origin: padding; -moz-background-inline-policy: continuous;" | TITLE
| align="center" style="background: rgb(204, 204, 204) none repeat scroll 0% 0%; width: 57%; -moz-background-clip: border; -moz-background-origin: padding; -moz-background-inline-policy: continuous;" | WHY
|}

----

OWASP Connections Committee - Application 9

2012-03-14T15:23:24Z

Sapao:

[[How to Join a Committee|Click here to return to 'How to Join a Committee' page]]

----

{| border="0" align="center" style="width: 100%;"
|-
! align="center" style="background: rgb(64, 88, 160) none repeat scroll 0% 0%; -moz-background-clip: border; -moz-background-origin: padding; -moz-background-inline-policy: continuous; color: white;" colspan="2" | '''COMMITTEE APPLICATION FORM'''
|-
| align="center" style="background: rgb(123, 138, 189) none repeat scroll 0% 0%; width: 25%; -moz-background-clip: border; -moz-background-origin: padding; -moz-background-inline-policy: continuous;" | '''Applicant's Name'''
| align="left" style="background: rgb(204, 204, 204) none repeat scroll 0% 0%; width: 85%; -moz-background-clip: border; -moz-background-origin: padding; -moz-background-inline-policy: continuous;" colspan="1" | Luiz Eduardo Dos Santos
|-
| align="center" style="background: rgb(123, 138, 189) none repeat scroll 0% 0%; width: 25%; -moz-background-clip: border; -moz-background-origin: padding; -moz-background-inline-policy: continuous;" | '''Current and past OWASP Roles'''
| align="left" style="background: rgb(204, 204, 204) none repeat scroll 0% 0%; width: 85%; -moz-background-clip: border; -moz-background-origin: padding; -moz-background-inline-policy: continuous;" colspan="1" | LATAM Regional Event Coordinator, Member
|-
| align="center" style="background: rgb(123, 138, 189) none repeat scroll 0% 0%; width: 25%; -moz-background-clip: border; -moz-background-origin: padding; -moz-background-inline-policy: continuous;" | '''Committee Applying for'''
| align="left" style="background: rgb(204, 204, 204) none repeat scroll 0% 0%; width: 85%; -moz-background-clip: border; -moz-background-origin: padding; -moz-background-inline-policy: continuous;" colspan="1" | OWASP Connection Committee
|}

----

 

----

Please be aware that for an application to be considered by the board, '''you MUST have 5 recommendations'''. An incomplete application will not be considered for vote.

----

 

----

{| border="0" align="center" style="width: 100%;"
|-
! align="center" style="background: rgb(64, 88, 160) none repeat scroll 0% 0%; -moz-background-clip: border; -moz-background-origin: padding; -moz-background-inline-policy: continuous; color: white;" colspan="8" | '''COMMITTEE RECOMMENDATIONS'''
|-
! align="center" style="background: white none repeat scroll 0% 0%; -moz-background-clip: border; -moz-background-origin: padding; -moz-background-inline-policy: continuous; color: white;" | 
! align="center" style="background: rgb(123, 138, 189) none repeat scroll 0% 0%; -moz-background-clip: border; -moz-background-origin: padding; -moz-background-inline-policy: continuous; color: white;" | '''Who Recommends/Name'''
! align="center" style="background: rgb(123, 138, 189) none repeat scroll 0% 0%; -moz-background-clip: border; -moz-background-origin: padding; -moz-background-inline-policy: continuous; color: white;" | '''Role in OWASP'''
! align="center" style="background: rgb(123, 138, 189) none repeat scroll 0% 0%; -moz-background-clip: border; -moz-background-origin: padding; -moz-background-inline-policy: continuous; color: white;" | '''Recommendation Content'''
|-
| align="center" style="background: rgb(204, 204, 204) none repeat scroll 0% 0%; width: 3%; -moz-background-clip: border; -moz-background-origin: padding; -moz-background-inline-policy: continuous;" | '''1'''
| align="center" style="background: rgb(204, 204, 204) none repeat scroll 0% 0%; width: 20%; -moz-background-clip: border; -moz-background-origin: padding; -moz-background-inline-policy: continuous;" | Lucas C. Ferreira
| align="center" style="background: rgb(204, 204, 204) none repeat scroll 0% 0%; width: 20%; -moz-background-clip: border; -moz-background-origin: padding; -moz-background-inline-policy: continuous;" | Protuguese Project Leader, Conferences Committee Member
| align="center" style="background: rgb(204, 204, 204) none repeat scroll 0% 0%; width: 57%; -moz-background-clip: border; -moz-background-origin: padding; -moz-background-inline-policy: continuous;" | Luiz Eduardo is one of the best known security professionals in Brazil, has helped with the Program committee of AppSec Brasil 2011 and is very well connected to industry and academia folks around the globe.
|-
| align="center" style="background: rgb(204, 204, 204) none repeat scroll 0% 0%; width: 3%; -moz-background-clip: border; -moz-background-origin: padding; -moz-background-inline-policy: continuous;" | '''2'''
| align="center" style="background: rgb(204, 204, 204) none repeat scroll 0% 0%; width: 20%; -moz-background-clip: border; -moz-background-origin: padding; -moz-background-inline-policy: continuous;" | NAME
| align="center" style="background: rgb(204, 204, 204) none repeat scroll 0% 0%; width: 20%; -moz-background-clip: border; -moz-background-origin: padding; -moz-background-inline-policy: continuous;" | TITLE
| align="center" style="background: rgb(204, 204, 204) none repeat scroll 0% 0%; width: 57%; -moz-background-clip: border; -moz-background-origin: padding; -moz-background-inline-policy: continuous;" | WHY
|-
| align="center" style="background: rgb(204, 204, 204) none repeat scroll 0% 0%; width: 3%; -moz-background-clip: border; -moz-background-origin: padding; -moz-background-inline-policy: continuous;" | '''3'''
| align="center" style="background: rgb(204, 204, 204) none repeat scroll 0% 0%; width: 20%; -moz-background-clip: border; -moz-background-origin: padding; -moz-background-inline-policy: continuous;" | NAME
| align="center" style="background: rgb(204, 204, 204) none repeat scroll 0% 0%; width: 20%; -moz-background-clip: border; -moz-background-origin: padding; -moz-background-inline-policy: continuous;" | TITLE
| align="center" style="background: rgb(204, 204, 204) none repeat scroll 0% 0%; width: 57%; -moz-background-clip: border; -moz-background-origin: padding; -moz-background-inline-policy: continuous;" | WHY
|-
| align="center" style="background: rgb(204, 204, 204) none repeat scroll 0% 0%; width: 3%; -moz-background-clip: border; -moz-background-origin: padding; -moz-background-inline-policy: continuous;" | '''4'''
| align="center" style="background: rgb(204, 204, 204) none repeat scroll 0% 0%; width: 20%; -moz-background-clip: border; -moz-background-origin: padding; -moz-background-inline-policy: continuous;" | NAME
| align="center" style="background: rgb(204, 204, 204) none repeat scroll 0% 0%; width: 20%; -moz-background-clip: border; -moz-background-origin: padding; -moz-background-inline-policy: continuous;" | TITLE
| align="center" style="background: rgb(204, 204, 204) none repeat scroll 0% 0%; width: 57%; -moz-background-clip: border; -moz-background-origin: padding; -moz-background-inline-policy: continuous;" | WHY.
|-
| align="center" style="background: rgb(204, 204, 204) none repeat scroll 0% 0%; width: 3%; -moz-background-clip: border; -moz-background-origin: padding; -moz-background-inline-policy: continuous;" | '''5'''
| align="center" style="background: rgb(204, 204, 204) none repeat scroll 0% 0%; width: 20%; -moz-background-clip: border; -moz-background-origin: padding; -moz-background-inline-policy: continuous;" | NAME
| align="center" style="background: rgb(204, 204, 204) none repeat scroll 0% 0%; width: 20%; -moz-background-clip: border; -moz-background-origin: padding; -moz-background-inline-policy: continuous;" | TITLE
| align="center" style="background: rgb(204, 204, 204) none repeat scroll 0% 0%; width: 57%; -moz-background-clip: border; -moz-background-origin: padding; -moz-background-inline-policy: continuous;" | WHY
|}

----

OWASP Brasil Manifesto

2012-01-06T18:08:48Z

Sapao: /* Presentations */

= Segurança na Web: Uma janela de oportunidades=

== What is the manifesto ==
This manifesto has been written by the OWASP Chapters in Brazil as a recommendation to the Brazilian Government. It aims to help government officials think about Application Security and recommends several lines of action that can improve the current panorama of application security.

The document contains recommendations for legislators, consumer protection agencies, educators and general recommendations that any government agency can adopt.

== Original portuguese version ==

'''Wiki version:''' [[OWASP_Brasil_Manifesto/br]]

'''PDF version''' [[media: Seguranca na web - uma janela de oportunidades.pdf]]

== Translations ==

[https://www.owasp.org/index.php/OWASP_Brasil_Manifesto/en English Template]: this can be adapted to fit the reality of your country.

==Presentations==

Spanish for the OWASP Latam Tour 2011: [[media: Manifesto.para.gobiernos.ppt]]

Portuguese for SegInfo 2011: Slides [[media: Seguranca_na_web.ppt]] and [http://www.videolog.tv/SegInfo/videos/739416 link video]

==Project==

This document has been included in the [[OWASP Portuguese Language Project]]

OWASP File Hash Repository

2011-11-02T23:53:37Z

Sapao: /* Database schema */

==== Main ====

=FHR FAQ=

==What is FHR?==

Simply put, FHR is a repository of hashes of files. But the idea is to go beyond just keeping a list of hashes: I want the repository to indicate when the file in question is (part of) a malware or when a file is recognized as benign. Thus, anyone could see the hash of a file to see if it corresponds to a malware file or an already known good file.

==Aren't there already other sources for this information? ==

Yes, and one of the ideas of the project is to aggregate and leverage information from already existing sources. For example, NIST has the [http://www.nsrl.nist.gov NSRL], which provides hashes of known benign files. The problem is that NIST provides this information in a text file whose download is over 1GB in size. Other known sources are Team Cymru's [http://www.team-cymru.org/Services/MHR/ MHR], [http://isc.sans.edu/tools/hashsearch.html SANS Institute's hash database] and [http://www.virustotal.com Virus Total]. In addition to aggregating the information, one of the main goals for FHR is to allow free access to its database.

==Isn't free access to a database that contains malware dangerous?==
Yes, it's dangerous, but the project repository will not contain malware. The repository will only have the hashes of malware, which poses no danger.

==Detecting malware using only hashes is not good strategy.==
Certainly, and the project is not intended to replace the current anti-virus scanners. However, the creation of hashes is more efficient and easier than creating generic virus detection algorithms and it is a strategy which is being used as a complement to traditional antivirus products. Several commercial products include uses of cloud computing as part of their strategies. Unfortunately, the producers of these technologies do not allow queries to their hash databases. With FHR, the goal is to create a freely available database to be used by everyone.

==Will the FHR be integrated into antivirus systems?==
We intend to develop clients to the FHR database that can scan workstations and query FHR's database to try to identify malware. These clients will be created as a proof of concept and will be open source. It would be great if some antivirus vendors start supporting FHR, but only time will tell.

==Technically, how does the FHR work?==
As expected, the core of the system is its database of hashes. Today this database runs on MySQL. Around this database, we can develop several query interfaces. Some ideas of protocols for querying the FHR database are:

* DNS
* web
* web services
* JSON

The current codebase includes a DNS-based query interface.

==What data are available in the database?==

We currently have the a little more than 20 million files in the database. These come mainly from the NSRL and we included several PE files from Windows Vista and other common software. For each registered file, we have the following information:

* SHA-1
* MD5
* source
* date when the system saw the hash / file for the first time (not available for the files from NIST)
* status (GOOD, MALWARE, UNKNOWN, SUSPICIOUS)
* size
* certainty (a percentage that indicates the degree of certainty about the status of the file).

==Testing the system==

To query the FHR, add the suffix .hash.sapao.net to the MD5 or SHA-1 hash (in hex format) of the file. For example:
dig 84C0C5914FF0B825141BA2C6A9E3D6F4.hash.sapao.net
or
dig TXT 84C0C5914FF0B825141BA2C6A9E3D6F4.hash.sapao.net
will query the database for the hash '''84C0C5914FF0B825141BA2C6A9E3D6F4'''.

====Roadmap====

[[Projects/OWASP_File_Hash_Repository/Roadmap]]

====Documentation====

==Database schema==

The FHR database contains a single table, called File, described below:

<pre>
mysql> show columns from File in FHR;
+-----------+------------+------+-----+---------+----------------+
| Field | Type | Null | Key | Default | Extra |
+-----------+------------+------+-----+---------+----------------+
| idFile | int(11) | NO | PRI | NULL | auto_increment |
| SHA1 | char(40) | YES | MUL | NULL | |
| MD5 | char(32) | YES | MUL | NULL | |
| size | mediumtext | YES | | NULL | |
| source | char(10) | YES | | NULL | |
| date | date | YES | | NULL | |
| status | char(10) | NO | | NULL | |
| certainty | float | YES | | NULL | |
+-----------+------------+------+-----+---------+----------------+
8 rows in set (0.00 sec)
</pre>

==Server Implementation Details==

The DNS server is implemented in Java and is based on the EagleDNS server, which uses the dnsjava library.

===EagleDNS extensions===
The EagleDNS server is easily extended. It is based on the concept of Zone Providers, which provide specific implementations for the backend storage of zone data. The server provides two basic providers, one for loading data from simple zone files and another for loading data from a database.

At first glance, it could seem that the database zone provider would be a perfect fit for FHR, but upon a closer examination, we quickly find out that it is not the case. The main reason is that EagleDNS uses the dnsjava Zone class to represent zone data. This implementation requires all zone data to be held in memory, which would be impossible for FHR since it will contain millions of entries, each corresponding to a DNS record.

So we had to extend EagleDNS by implementing its ZoneProvider interface. And we also needed to extend the dnsjava Zone class functionality. This created a problem since the Zone class was not implemented to be extended. This required us to change the dnsjava source code and recompile this library before being able to implement all FHRZoneProvider class.

The diffs for the dnsjava classes are available at [[OWASP_File_Hash_Repository/dnsjava_diffs]]

===The FHRZoneProvider rationale===
TODO.

==== Project About ====

{{:Projects/OWASP File Hash Repository | Project About}}

__NOTOC__ <headertabs />

[[Category:OWASP_Tool]] [[Category:OWASP_Alpha_Quality_Tool]]
[[Category:OWASP Project]]

Projects/OWASP File Hash Repository/Roadmap

2011-11-02T22:53:31Z

Sapao:

# have a running version of the server able to answer queries via DNS
# transform proof-of-concept code into production-ready code
# have the server query sources for unknown hashes
# implement other query interfaces (Web services, JSON, socket, etc)
# incorporate new information sources
# produce an upload interface

OWASP File Hash Repository

2011-11-02T01:44:18Z

Sapao:

==== Main ====

=FHR FAQ=

==What is FHR?==

Simply put, FHR is a repository of hashes of files. But the idea is to go beyond just keeping a list of hashes: I want the repository to indicate when the file in question is (part of) a malware or when a file is recognized as benign. Thus, anyone could see the hash of a file to see if it corresponds to a malware file or an already known good file.

==Aren't there already other sources for this information? ==

Yes, and one of the ideas of the project is to aggregate and leverage information from already existing sources. For example, NIST has the [http://www.nsrl.nist.gov NSRL], which provides hashes of known benign files. The problem is that NIST provides this information in a text file whose download is over 1GB in size. Other known sources are Team Cymru's [http://www.team-cymru.org/Services/MHR/ MHR], [http://isc.sans.edu/tools/hashsearch.html SANS Institute's hash database] and [http://www.virustotal.com Virus Total]. In addition to aggregating the information, one of the main goals for FHR is to allow free access to its database.

==Isn't free access to a database that contains malware dangerous?==
Yes, it's dangerous, but the project repository will not contain malware. The repository will only have the hashes of malware, which poses no danger.

==Detecting malware using only hashes is not good strategy.==
Certainly, and the project is not intended to replace the current anti-virus scanners. However, the creation of hashes is more efficient and easier than creating generic virus detection algorithms and it is a strategy which is being used as a complement to traditional antivirus products. Several commercial products include uses of cloud computing as part of their strategies. Unfortunately, the producers of these technologies do not allow queries to their hash databases. With FHR, the goal is to create a freely available database to be used by everyone.

==Will the FHR be integrated into antivirus systems?==
We intend to develop clients to the FHR database that can scan workstations and query FHR's database to try to identify malware. These clients will be created as a proof of concept and will be open source. It would be great if some antivirus vendors start supporting FHR, but only time will tell.

==Technically, how does the FHR work?==
As expected, the core of the system is its database of hashes. Today this database runs on MySQL. Around this database, we can develop several query interfaces. Some ideas of protocols for querying the FHR database are:

* DNS
* web
* web services
* JSON

The current codebase includes a DNS-based query interface.

==What data are available in the database?==

We currently have the a little more than 20 million files in the database. These come mainly from the NSRL and we included several PE files from Windows Vista and other common software. For each registered file, we have the following information:

* SHA-1
* MD5
* source
* date when the system saw the hash / file for the first time (not available for the files from NIST)
* status (GOOD, MALWARE, UNKNOWN, SUSPICIOUS)
* size
* certainty (a percentage that indicates the degree of certainty about the status of the file).

==Testing the system==

To query the FHR, add the suffix .hash.sapao.net to the MD5 or SHA-1 hash (in hex format) of the file. For example:
dig 84C0C5914FF0B825141BA2C6A9E3D6F4.hash.sapao.net
or
dig TXT 84C0C5914FF0B825141BA2C6A9E3D6F4.hash.sapao.net
will query the database for the hash '''84C0C5914FF0B825141BA2C6A9E3D6F4'''.

====Roadmap====

[[Projects/OWASP_File_Hash_Repository/Roadmap]]

====Documentation====

==Database schema==

The FHR database contains a single table, called File, described below:

<pre>
mysql> show columns from File in FHR;
+-----------+------------+------+-----+---------+----------------+
| Field | Type | Null | Key | Default | Extra |
+-----------+------------+------+-----+---------+----------------+
| idFile | int(11) | NO | PRI | NULL | auto_increment |
| SHA1 | char(40) | YES | MUL | NULL | |
| MD5 | char(32) | YES | MUL | NULL | |
| size | mediumtext | YES | | NULL | |
| source | char(10) | YES | | NULL | |
| date | date | YES | | NULL | |
| status | char(10) | NO | | NULL | |
| certainty | float | YES | | NULL | |
+-----------+------------+------+-----+---------+----------------+
8 rows in set (0.00 sec)

</pre>

==== Project About ====

{{:Projects/OWASP File Hash Repository | Project About}}

__NOTOC__ <headertabs />

[[Category:OWASP_Tool]] [[Category:OWASP_Alpha_Quality_Tool]]
[[Category:OWASP Project]]

OWASP File Hash Repository

2011-11-02T01:36:02Z

Sapao:

OWASP File Hash Repository

2011-10-31T23:06:58Z

Sapao: /* Testing the system */

OWASP File Hash Repository

2011-10-23T21:13:18Z

Sapao:

Brasilia

2011-09-12T21:14:47Z

Sapao: /* Local News */

{{Chapter Template|chaptername=Brasilia|extra=The chapter leader is [mailto:lucas.ferreira@owasp.org Lucas Ferreira]|mailinglistsite=http://lists.owasp.org/mailman/listinfo/owasp-Brasilia|emailarchives=http://lists.owasp.org/pipermail/owasp-Brasilia}}

<paypal>Brazil</paypal>

== Local News ==

===Segundo encontro do capítulo===

O segundo encontro do Capítulo Brasília será no dia 19/9 na UnB (auditório do CIC, no módulo 18 do minhocão, subsolo). Para mais detalhes, acesse [https://www.regonline.com/owaspbsb201109].

Este encontro terá o patrocínio do [http://www.trainingtecnologia.com.br Grupo Training Tecnologia] como ''single meeting supporter''. Com isso, teremos um coffee-break para os participantes.

<center>
[[File:Logo_training_tecnologia.png‎]]
</center>

===Encontro remarcado!!!===

'''Primeiro encontro do Capítulo'''

O primeiro encontro do Capítulo Brasília será dia 9/5 na UnB. Para mais detalhes sobre o local, acesse a [http://www.regonline.com/owaspbrasiliachaptermeeting página de inscrições].

<center>
'''[http://www.regonline.com/owaspbrasiliachaptermeeting Inscreva-se] já!!'''
</center>

[[Category:OWASP Chapter]]
[[Category:Brasil]]

File:Logo training tecnologia.png

2011-09-12T21:12:42Z

Sapao:

OWASP Brasil Manifesto

2011-08-16T00:12:01Z

Sapao:

= Segurança na Web: Uma janela de oportunidades=

== What is the manifesto ==
This manifesto has been written by the OWASP Chapters in Brazil as a recommendation to the Brazilian Government. It aims to help government officials think about Application Security and recommends several lines of action that can improve the current panorama of application security.

The document contains recommendations for legislators, consumer protection agencies, educators and general recommendations that any government agency can adopt.

== Original portuguese version ==

'''Wiki version:''' [[OWASP_Brasil_Manifesto/br]]

'''PDF version''' [[media: Seguranca na web - uma janela de oportunidades.pdf]]

== Translations ==

[https://www.owasp.org/index.php/OWASP_Brasil_Manifesto/en English Template]: this can be adapted to fit the reality of your country.

==Presentations==

Spanish for the OWASP Latam Tour 2011: [[media: Manifesto.para.gobiernos.ppt]]

Portuguese for SegInfo 2011: [[media: Seguranca_na_web.ppt]]

==Project==

This document has been included in the [[OWASP Portuguese Language Project]]

File:Seguranca na web.ppt

2011-08-16T00:11:31Z

Sapao:

File:Manifesto.para.gobiernos.ppt

2011-08-16T00:08:23Z

Sapao:

OWASP Brasil Manifesto

2011-07-25T15:36:06Z

Sapao: /* Translations */

= Segurança na Web: Uma janela de oportunidades=

== What is the manifesto ==
This manifesto has been written by the OWASP Chapters in Brazil as a recommendation to the Brazilian Government. It aims to help government officials think about Application Security and recommends several lines of action that can improve the current panorama of application security.

The document contains recommendations for legislators, consumer protection agencies, educators and general recommendations that any government agency can adopt.

== Original portuguese version ==

'''Wiki version:''' [[OWASP_Brasil_Manifesto/br]]

'''PDF version''' [[media: Seguranca na web - uma janela de oportunidades.pdf]]

== Translations ==

[https://www.owasp.org/index.php/OWASP_Brasil_Manifesto/en English Template]: this can be adapted to fit the reality of your country.

==Project==

This document has been included in the [[OWASP Portuguese Language Project]]

OWASP Brasil Manifesto/br

2011-07-13T00:41:39Z

Sapao: /* Segurança na Web: Uma janela de oportunidades */

=The Brazilian Portuguese version of the manifesto in wiki format=

Here, we will link to a page for each of the sections of the manifesto. This version is in Portuguese.

== Segurança na Web: Uma janela de oportunidades ==

'''Uma mensagem do OWASP Brasil ao Governo Brasileiro'''

* [https://www.owasp.org/index.php/OWASP_Brasil_Manifesto/br/Sum%C3%A1rio_Executivo Sumário Executivo]
* [https://www.owasp.org/index.php?title=OWASP_Brasil_Manifesto/br/A_inseguran%E7a_na_Web A Insegurança na Web]
* [https://www.owasp.org/index.php/OWASP_Brasil_Manifesto/br/O_Projeto_OWASP O Projeto OWASP]
* [https://www.owasp.org/index.php/OWASP_Brasil_Manifesto/br/O_que_pode_ser_feito#O_que_pode_ser_feito.3F O que pode ser feito?]
** [https://www.owasp.org/index.php/OWASP_Brasil_Manifesto/br/O_que_pode_ser_feito#Por_legisladores Por legisladores]
*** [https://www.owasp.org/index.php/OWASP_Brasil_Manifesto/br/O_que_pode_ser_feito#Permitir_e_incentivar_pesquisas_sobre_ataques_e_defesas_cibern.C3.A9ticas Permitir e incentivar pesquisas sobre ataques e defesas]
*** [https://www.owasp.org/index.php/OWASP_Brasil_Manifesto/br/O_que_pode_ser_feito#Requerer_a_publica.C3.A7.C3.A3o_de_avalia.C3.A7.C3.B5es_de_seguran.C3.A7a Requerer a publicação de avaliações de segurança]
*** [https://www.owasp.org/index.php/OWASP_Brasil_Manifesto/br/O_que_pode_ser_feito#Criar_uma_ag.C3.AAncia_para_tratar_os_aspectos_de_divulga.C3.A7.C3.A3o_de_falhas_de_seguran.C3.A7a Criar uma agência para tratar os aspectos de divulgação de falhas de segurança]
*** [https://www.owasp.org/index.php/OWASP_Brasil_Manifesto/br/O_que_pode_ser_feito#Exigir_o_cumprimento_de_requisitos_m.C3.ADnimos_de_seguran.C3.A7a_em_contratos_governamentais Exigir o cumprimento de requisitos mínimos de segurança em contratos governamentais]
*** [https://www.owasp.org/index.php/OWASP_Brasil_Manifesto/br/O_que_pode_ser_feito#Responsabilizar_organiza.C3.A7.C3.B5es_que_n.C3.A3o_tratem_com_dilig.C3.AAncia_os_aspectos_de_seguran.C3.A7a_de_aplica.C3.A7.C3.B5es Responsabilizar organizações que não tratem com diligência os aspectos de segurança de aplicações]
*** [https://www.owasp.org/index.php/OWASP_Brasil_Manifesto/br/O_que_pode_ser_feito#Exigir_que_a_administra.C3.A7.C3.A3o_p.C3.BAblica_tenha_acesso_.C3.A0s_atualiza.C3.A7.C3.B5es_de_seguran.C3.A7a_de_qualquer_software_durante_a_sua_vida_.C3.BAtil Exigir que a administração pública tenha acesso às atualizações de segurança de qualquer software durante a sua vida útil]
*** [https://www.owasp.org/index.php/OWASP_Brasil_Manifesto/br/O_que_pode_ser_feito#Exigir_a_abertura_do_c.C3.B3digo_fonte_de_aplicativos_utilizados_pela_administra.C3.A7.C3.A3o_p.C3.BAblica_cuja_vida_.C3.BAtil_tenha_terminado Exigir a abertura do código fonte de aplicativos utilizados pela administração pública cuja vida útil tenha terminado]
*** [https://www.owasp.org/index.php/OWASP_Brasil_Manifesto/br/O_que_pode_ser_feito#Eliminar_licen.C3.A7as_de_software_que_isentam_os_fabricantes_da_responsabilidade_com_a_seguran.C3.A7a_de_seus_produtos Eliminar licenças de software que isentam os fabricantes da responsabilidade com a segurança de seus produtos]
** [https://www.owasp.org/index.php/OWASP_Brasil_Manifesto/br/O_que_pode_ser_feito#Por_.C3.B3rg.C3.A3os_de_defesa_do_consumidor Por órgãos de defesa do consumidor]
*** [https://www.owasp.org/index.php/OWASP_Brasil_Manifesto/br/O_que_pode_ser_feito#Atuar_para_restringir_o_uso_de_licen.C3.A7as_de_software_abusivas Atuar para restringir o uso de licenças de software abusivas]
*** [https://www.owasp.org/index.php/OWASP_Brasil_Manifesto/br/O_que_pode_ser_feito#Exigir_que_os_fabricantes_divulguem_informa.C3.A7.C3.B5es_intelig.C3.ADveis_sobre_o_n.C3.ADvel_de_seguran.C3.A7a_de_seus_produtos_e.2Fou_servi.C3.A7os Exigir que os fabricantes divulguem informações inteligíveis sobre o nível de segurança de seus produtos ou serviços]
*** [https://www.owasp.org/index.php/OWASP_Brasil_Manifesto/br/O_que_pode_ser_feito#Exigir_um_n.C3.ADvel_adequado_de_seguran.C3.A7a_de_sistemas_que_lidem_com_dados_que_possam_afetar_a_privacidade_dos_consumidores_ou_cidad.C3.A3os Exigir um nível adequado de segurança de sistemas que lidem com dados que possam afetar a privacidade dos consumidores ou cidadãos]
*** [https://www.owasp.org/index.php/OWASP_Brasil_Manifesto/br/O_que_pode_ser_feito#Definir_que_os_consumidores_devem_ser_informados_dos_poss.C3.ADveis_usos_dos_dados_inseridos_em_sistemas_ou_sites Definir que os consumidores devem ser informados dos possíveis usos dos dados inseridos em sistemas ou sites]
*** [https://www.owasp.org/index.php/OWASP_Brasil_Manifesto/br/O_que_pode_ser_feito#Estabelecer_campanhas_de_conscientiza.C3.A7.C3.A3o_de_seguran.C3.A7a_para_os_consumidores Estabelecer campanhas de conscientização de segurança para os consumidores]
** [https://www.owasp.org/index.php/OWASP_Brasil_Manifesto/br/O_que_pode_ser_feito#Por_.C3.B3rg.C3.A3os_de_controle Por órgãos de controle]
*** [https://www.owasp.org/index.php/OWASP_Brasil_Manifesto/br/O_que_pode_ser_feito#Definir_claramente_as_responsabilidades_com_rela.C3.A7.C3.A3o_aos_aspectos_de_seguran.C3.A7a_de_aplica.C3.A7.C3.B5es Definir claramente as responsabilidades com relação aos aspectos de segurança de aplicações]
*** [https://www.owasp.org/index.php/OWASP_Brasil_Manifesto/br/O_que_pode_ser_feito#Verificar_e_auditar_para_garantir_que_pr.C3.A1ticas_adequadas_de_seguran.C3.A7a_s.C3.A3o_adotadas Verificar e auditar para garantir que práticas adequadas de segurança são adotadas]
*** [https://www.owasp.org/index.php/OWASP_Brasil_Manifesto/br/O_que_pode_ser_feito#Facilitar_a_cria.C3.A7.C3.A3o_de_um_mercado_de_seguros_para_a_seguran.C3.A7a_de_aplica.C3.A7.C3.B5es Facilitar a criação de um mercado de seguros para a segurança de aplicações]
*** [https://www.owasp.org/index.php/OWASP_Brasil_Manifesto/br/O_que_pode_ser_feito#Requerer_o_uso_de_conex.C3.B5es_criptografadas_.28SSL.29_para_aplica.C3.A7.C3.B5es_web Requerer o uso de conexões criptografadas (SSL) para aplicações web]
** [https://www.owasp.org/index.php/OWASP_Brasil_Manifesto/br/O_que_pode_ser_feito#Por_.C3.B3rg.C3.A3os_de_ensino_e_pesquisa Por órgãos de ensino e pesquisa]
*** [https://www.owasp.org/index.php/OWASP_Brasil_Manifesto/br/O_que_pode_ser_feito#Inclus.C3.A3o_das_boas_pr.C3.A1ticas_de_seguran.C3.A7a_de_aplica.C3.A7.C3.B5es_no_conte.C3.BAdo_dos_cursos Inclusão de práticas de segurança de aplicações no conteúdo dos cursos]
*** [https://www.owasp.org/index.php/OWASP_Brasil_Manifesto/br/O_que_pode_ser_feito#Defini.C3.A7.C3.A3o_de_cursos_avan.C3.A7ados_para_forma.C3.A7.C3.A3o_de_m.C3.A3o-de-obra_na_.C3.A1rea Definição de cursos avançados para formação de mão-de-obra na área]
*** [https://www.owasp.org/index.php/OWASP_Brasil_Manifesto/br/O_que_pode_ser_feito#Fomentar_e_financiar_pesquisas_sobre_seguran.C3.A7a_de_aplica.C3.A7.C3.B5es Fomentar e financiar pesquisas sobre segurança de aplicações]
*** [https://www.owasp.org/index.php/OWASP_Brasil_Manifesto/br/O_que_pode_ser_feito#Promover_a_forma.C3.A7.C3.A3o_de_profissionais_capazes_de_atuar_com_.C3.A9tica_e_responsabilidade Promover a formação de profissionais capazes de atuar com ética e responsabilidade]
** [https://www.owasp.org/index.php/OWASP_Brasil_Manifesto/br/O_que_pode_ser_feito#Por_todos_os_.C3.B3rg.C3.A3os_p.C3.BAblicos Por todos os órgãos públicos]
*** [https://www.owasp.org/index.php/OWASP_Brasil_Manifesto/br/O_que_pode_ser_feito#Financiar_valida.C3.A7.C3.B5es_e_corre.C3.A7.C3.B5es_de_seguran.C3.A7a_para_sistemas_de_c.C3.B3digo_aberto Financiar validações e correções de segurança para sistemas de código aberto]
*** [https://www.owasp.org/index.php/OWASP_Brasil_Manifesto/br/O_que_pode_ser_feito#Promover_o_uso_de_tecnologias_e_metodologias_de_seguran.C3.A7a_de_aplica.C3.A7.C3.B5es Promover o uso de tecnologias e metodologias de segurança de aplicações]
*** [https://www.owasp.org/index.php/OWASP_Brasil_Manifesto/br/O_que_pode_ser_feito#Promover_e_permitir_testes_de_seguran.C3.A7a_de_forma_respons.C3.A1vel_mas_aberta Promover e permitir testes de segurança de forma responsável mas aberta]
*** [https://www.owasp.org/index.php/OWASP_Brasil_Manifesto/br/O_que_pode_ser_feito#Promover_treinamento_e_conscientiza.C3.A7.C3.A3o_dos_gestores_para_os_desafios_da_seguran.C3.A7a_na_web Promover treinamento e conscientização dos gestores para os desafios da segurança na web]
* [https://www.owasp.org/index.php/OWASP_Brasil_Manifesto/br/Vantagens_competitivas_para_o_Brasil Vantagens competitivas para o Brasil]
* [https://www.owasp.org/index.php/OWASP_Brasil_Manifesto/br/Como_o_OWASP_pode_ajudar Como o OWASP pode ajudar?]
* [https://www.owasp.org/index.php/Category:Brasil Contatos]

OWASP Brasil Manifesto/br

2011-07-13T00:41:04Z

Sapao: /* Segurança na Web: Uma janela de oportunidades */

=The Brazilian Portuguese version of the manifesto in wiki format=

Here, we will link to a page for each of the sections of the manifesto. This version is in Portuguese.

== Segurança na Web: Uma janela de oportunidades ==

'''Uma mensagem do OWASP Brasil ao Governo Brasileiro'''

* [https://www.owasp.org/index.php/OWASP_Brasil_Manifesto/br/Sum%C3%A1rio_Executivo Sumário Executivo]
* [https://www.owasp.org/index.php?title=OWASP_Brasil_Manifesto/br/A_inseguran%E7a_na_Web A Insegurança na Web]
* [https://www.owasp.org/index.php/OWASP_Brasil_Manifesto/br/O_Projeto_OWASP O Projeto OWASP]
* [https://www.owasp.org/index.php/OWASP_Brasil_Manifesto/br/O_que_pode_ser_feito#O_que_pode_ser_feito.3F O que pode ser feito?]
** [https://www.owasp.org/index.php/OWASP_Brasil_Manifesto/br/O_que_pode_ser_feito#Por_legisladores Por legisladores]
*** [https://www.owasp.org/index.php/OWASP_Brasil_Manifesto/br/O_que_pode_ser_feito#Permitir_e_incentivar_pesquisas_sobre_ataques_e_defesas_cibern.C3.A9ticas Permitir e incentivar pesquisas sobre ataques e defesas]
*** [https://www.owasp.org/index.php/OWASP_Brasil_Manifesto/br/O_que_pode_ser_feito#Requerer_a_publica.C3.A7.C3.A3o_de_avalia.C3.A7.C3.B5es_de_seguran.C3.A7a Requerer a publicação de avaliações de segurança]
*** [https://www.owasp.org/index.php/OWASP_Brasil_Manifesto/br/O_que_pode_ser_feito#Criar_uma_ag.C3.AAncia_para_tratar_os_aspectos_de_divulga.C3.A7.C3.A3o_de_falhas_de_seguran.C3.A7a Criar uma agência para tratar os aspectos de divulgação de flahas de segurança]
*** [https://www.owasp.org/index.php/OWASP_Brasil_Manifesto/br/O_que_pode_ser_feito#Exigir_o_cumprimento_de_requisitos_m.C3.ADnimos_de_seguran.C3.A7a_em_contratos_governamentais Exigir o cumprimento de requisitos mínimos de segurança em contratos governamentais]
*** [https://www.owasp.org/index.php/OWASP_Brasil_Manifesto/br/O_que_pode_ser_feito#Responsabilizar_organiza.C3.A7.C3.B5es_que_n.C3.A3o_tratem_com_dilig.C3.AAncia_os_aspectos_de_seguran.C3.A7a_de_aplica.C3.A7.C3.B5es Responsabilizar organizações que não tratem com diligência os aspectos de segurança de aplicações]
*** [https://www.owasp.org/index.php/OWASP_Brasil_Manifesto/br/O_que_pode_ser_feito#Exigir_que_a_administra.C3.A7.C3.A3o_p.C3.BAblica_tenha_acesso_.C3.A0s_atualiza.C3.A7.C3.B5es_de_seguran.C3.A7a_de_qualquer_software_durante_a_sua_vida_.C3.BAtil Exigir que a administração pública tenha acesso às atualizações de segurança de qualquer software durante a sua vida útil]
*** [https://www.owasp.org/index.php/OWASP_Brasil_Manifesto/br/O_que_pode_ser_feito#Exigir_a_abertura_do_c.C3.B3digo_fonte_de_aplicativos_utilizados_pela_administra.C3.A7.C3.A3o_p.C3.BAblica_cuja_vida_.C3.BAtil_tenha_terminado Exigir a abertura do código fonte de aplicativos utilizados pela administração pública cuja vida útil tenha terminado]
*** [https://www.owasp.org/index.php/OWASP_Brasil_Manifesto/br/O_que_pode_ser_feito#Eliminar_licen.C3.A7as_de_software_que_isentam_os_fabricantes_da_responsabilidade_com_a_seguran.C3.A7a_de_seus_produtos Eliminar licenças de software que isentam os fabricantes da responsabilidade com a segurança de seus produtos]
** [https://www.owasp.org/index.php/OWASP_Brasil_Manifesto/br/O_que_pode_ser_feito#Por_.C3.B3rg.C3.A3os_de_defesa_do_consumidor Por órgãos de defesa do consumidor]
*** [https://www.owasp.org/index.php/OWASP_Brasil_Manifesto/br/O_que_pode_ser_feito#Atuar_para_restringir_o_uso_de_licen.C3.A7as_de_software_abusivas Atuar para restringir o uso de licenças de software abusivas]
*** [https://www.owasp.org/index.php/OWASP_Brasil_Manifesto/br/O_que_pode_ser_feito#Exigir_que_os_fabricantes_divulguem_informa.C3.A7.C3.B5es_intelig.C3.ADveis_sobre_o_n.C3.ADvel_de_seguran.C3.A7a_de_seus_produtos_e.2Fou_servi.C3.A7os Exigir que os fabricantes divulguem informações inteligíveis sobre o nível de segurança de seus produtos ou serviços]
*** [https://www.owasp.org/index.php/OWASP_Brasil_Manifesto/br/O_que_pode_ser_feito#Exigir_um_n.C3.ADvel_adequado_de_seguran.C3.A7a_de_sistemas_que_lidem_com_dados_que_possam_afetar_a_privacidade_dos_consumidores_ou_cidad.C3.A3os Exigir um nível adequado de segurança de sistemas que lidem com dados que possam afetar a privacidade dos consumidores ou cidadãos]
*** [https://www.owasp.org/index.php/OWASP_Brasil_Manifesto/br/O_que_pode_ser_feito#Definir_que_os_consumidores_devem_ser_informados_dos_poss.C3.ADveis_usos_dos_dados_inseridos_em_sistemas_ou_sites Definir que os consumidores devem ser informados dos possíveis usos dos dados inseridos em sistemas ou sites]
*** [https://www.owasp.org/index.php/OWASP_Brasil_Manifesto/br/O_que_pode_ser_feito#Estabelecer_campanhas_de_conscientiza.C3.A7.C3.A3o_de_seguran.C3.A7a_para_os_consumidores Estabelecer campanhas de conscientização de segurança para os consumidores]
** [https://www.owasp.org/index.php/OWASP_Brasil_Manifesto/br/O_que_pode_ser_feito#Por_.C3.B3rg.C3.A3os_de_controle Por órgãos de controle]
*** [https://www.owasp.org/index.php/OWASP_Brasil_Manifesto/br/O_que_pode_ser_feito#Definir_claramente_as_responsabilidades_com_rela.C3.A7.C3.A3o_aos_aspectos_de_seguran.C3.A7a_de_aplica.C3.A7.C3.B5es Definir claramente as responsabilidades com relação aos aspectos de segurança de aplicações]
*** [https://www.owasp.org/index.php/OWASP_Brasil_Manifesto/br/O_que_pode_ser_feito#Verificar_e_auditar_para_garantir_que_pr.C3.A1ticas_adequadas_de_seguran.C3.A7a_s.C3.A3o_adotadas Verificar e auditar para garantir que práticas adequadas de segurança são adotadas]
*** [https://www.owasp.org/index.php/OWASP_Brasil_Manifesto/br/O_que_pode_ser_feito#Facilitar_a_cria.C3.A7.C3.A3o_de_um_mercado_de_seguros_para_a_seguran.C3.A7a_de_aplica.C3.A7.C3.B5es Facilitar a criação de um mercado de seguros para a segurança de aplicações]
*** [https://www.owasp.org/index.php/OWASP_Brasil_Manifesto/br/O_que_pode_ser_feito#Requerer_o_uso_de_conex.C3.B5es_criptografadas_.28SSL.29_para_aplica.C3.A7.C3.B5es_web Requerer o uso de conexões criptografadas (SSL) para aplicações web]
** [https://www.owasp.org/index.php/OWASP_Brasil_Manifesto/br/O_que_pode_ser_feito#Por_.C3.B3rg.C3.A3os_de_ensino_e_pesquisa Por órgãos de ensino e pesquisa]
*** [https://www.owasp.org/index.php/OWASP_Brasil_Manifesto/br/O_que_pode_ser_feito#Inclus.C3.A3o_das_boas_pr.C3.A1ticas_de_seguran.C3.A7a_de_aplica.C3.A7.C3.B5es_no_conte.C3.BAdo_dos_cursos Inclusão de práticas de segurança de aplicações no conteúdo dos cursos]
*** [https://www.owasp.org/index.php/OWASP_Brasil_Manifesto/br/O_que_pode_ser_feito#Defini.C3.A7.C3.A3o_de_cursos_avan.C3.A7ados_para_forma.C3.A7.C3.A3o_de_m.C3.A3o-de-obra_na_.C3.A1rea Definição de cursos avançados para formação de mão-de-obra na área]
*** [https://www.owasp.org/index.php/OWASP_Brasil_Manifesto/br/O_que_pode_ser_feito#Fomentar_e_financiar_pesquisas_sobre_seguran.C3.A7a_de_aplica.C3.A7.C3.B5es Fomentar e financiar pesquisas sobre segurança de aplicações]
*** [https://www.owasp.org/index.php/OWASP_Brasil_Manifesto/br/O_que_pode_ser_feito#Promover_a_forma.C3.A7.C3.A3o_de_profissionais_capazes_de_atuar_com_.C3.A9tica_e_responsabilidade Promover a formação de profissionais capazes de atuar com ética e responsabilidade]
** [https://www.owasp.org/index.php/OWASP_Brasil_Manifesto/br/O_que_pode_ser_feito#Por_todos_os_.C3.B3rg.C3.A3os_p.C3.BAblicos Por todos os órgãos públicos]
*** [https://www.owasp.org/index.php/OWASP_Brasil_Manifesto/br/O_que_pode_ser_feito#Financiar_valida.C3.A7.C3.B5es_e_corre.C3.A7.C3.B5es_de_seguran.C3.A7a_para_sistemas_de_c.C3.B3digo_aberto Financiar validações e correções de segurança para sistemas de código aberto]
*** [https://www.owasp.org/index.php/OWASP_Brasil_Manifesto/br/O_que_pode_ser_feito#Promover_o_uso_de_tecnologias_e_metodologias_de_seguran.C3.A7a_de_aplica.C3.A7.C3.B5es Promover o uso de tecnologias e metodologias de segurança de aplicações]
*** [https://www.owasp.org/index.php/OWASP_Brasil_Manifesto/br/O_que_pode_ser_feito#Promover_e_permitir_testes_de_seguran.C3.A7a_de_forma_respons.C3.A1vel_mas_aberta Promover e permitir testes de segurança de forma responsável mas aberta]
*** [https://www.owasp.org/index.php/OWASP_Brasil_Manifesto/br/O_que_pode_ser_feito#Promover_treinamento_e_conscientiza.C3.A7.C3.A3o_dos_gestores_para_os_desafios_da_seguran.C3.A7a_na_web Promover treinamento e conscientização dos gestores para os desafios da segurança na web]
* [https://www.owasp.org/index.php/OWASP_Brasil_Manifesto/br/Vantagens_competitivas_para_o_Brasil Vantagens competitivas para o Brasil]
* [https://www.owasp.org/index.php/OWASP_Brasil_Manifesto/br/Como_o_OWASP_pode_ajudar Como o OWASP pode ajudar?]
* [https://www.owasp.org/index.php/Category:Brasil Contatos]

OWASP Portuguese Language Project

2011-07-02T14:15:07Z

Sapao:

==== Main ====

== Decisões da Sessão de Trabalho ocorrida no OWASP Summit 2011 ==

=== Uniformização ===

será necessário um esforço para uniformizar a liguagem utilizada nas traduções. Com base na experiência obtida pelo projeto de tradução para a lígua espanhola, foi definido que a primeira iniciativa neste sentido será a compilação de um glossário, com uma lista de palavras e expressões mais problemáticas e as traduções recomendadas.

=== Definição de prioridades ===

dada a grande quantidade de material disponibilizado pelo OWASP, é necessário priorizar os esforços de tradução. No Summit, ficaram escolhidos os seguintes documentos como tendo prioridade para tradução:

*Top 10
*OpenSAMM (já existe uma tarduação parcial)
*Apresentações sobre o que é e como funciona o OWASP

Os documentos abaixo já tem uma tradução disponível e são prioridade para revisão:

*OWASP Quick Reference
*ASVS

=== Coordenação ===

o esfoço deve ser coordando para ser efetivo. O grupo deliberou o seguinte método de trabalho:

*cada tradução terá um coordenador, responsável pela alocação de nacos de tradução, o controle da evolução da tradução, definição de prazos e a susbstituição de tradutores, quando necessário.
*cada tradução deverá divulgar na wiki as informações necessárias para que se acompanhe a sua evolução.

=== Processo ===

O macroprocesso de tradução ficou definido como:

#cada tardução será devidida em nacos, que podem ser páginas, capítulos, partes, etc.
#o coordenador aloca os nacos aos tradutores e mantém um controle da alocação e dos prazos na wiki
#o coordenador deve sempre verificar o andamento da tradução e o cumprimento dos prazos acordados
#o coordenador pode manter uma lista de espera de tradutores que possam ser acionados caso seja necessário
#todo naco traduzido deve ser revisado, preferencialmente por pessoa oriunda de país diferente do país de origem do tradutor
#o documeneto completo dever ser novamente revisado, com o objetivo de uniformização do discurso. 

====Documentos Disponíveis====

* [[OWASP Brasil Manifesto]]
* [[Media:OWASP_SCP_Quick_Reference_PT-BR_v1.2.pdf]]

==== Project About ====

{{:Projects/OWASP Portuguese Language Project | Project About}}

 __NOTOC__ <headertabs />

[[Category:OWASP_Project|Portuguese Language Project]] [[Category:OWASP_Document]] [[Category:OWASP_Alpha_Quality_Document|OWASP Alpha Quality Document]]

OWASP Portuguese Language Project

2011-07-02T14:14:38Z

Sapao:

==== Main ====

== Decisões da Sessão de Trabalho ocorrida no OWASP Summit 2011 ==

=== Uniformização ===

será necessário um esforço para uniformizar a liguagem utilizada nas traduções. Com base na experiência obtida pelo projeto de tradução para a lígua espanhola, foi definido que a primeira iniciativa neste sentido será a compilação de um glossário, com uma lista de palavras e expressões mais problemáticas e as traduções recomendadas.

=== Definição de prioridades ===

dada a grande quantidade de material disponibilizado pelo OWASP, é necessário priorizar os esforços de tradução. No Summit, ficaram escolhidos os seguintes documentos como tendo prioridade para tradução:

*Top 10
*OpenSAMM (já existe uma tarduação parcial)
*Apresentações sobre o que é e como funciona o OWASP

Os documentos abaixo já tem uma tradução disponível e são prioridade para revisão:

*OWASP Quick Reference
*ASVS

=== Coordenação ===

o esfoço deve ser coordando para ser efetivo. O grupo deliberou o seguinte método de trabalho:

*cada tradução terá um coordenador, responsável pela alocação de nacos de tradução, o controle da evolução da tradução, definição de prazos e a susbstituição de tradutores, quando necessário.
*cada tradução deverá divulgar na wiki as informações necessárias para que se acompanhe a sua evolução.

=== Processo ===

O macroprocesso de tradução ficou definido como:

#cada tardução será devidida em nacos, que podem ser páginas, capítulos, partes, etc.
#o coordenador aloca os nacos aos tradutores e mantém um controle da alocação e dos prazos na wiki
#o coordenador deve sempre verificar o andamento da tradução e o cumprimento dos prazos acordados
#o coordenador pode manter uma lista de espera de tradutores que possam ser acionados caso seja necessário
#todo naco traduzido deve ser revisado, preferencialmente por pessoa oriunda de país diferente do país de origem do tradutor
#o documeneto completo dever ser novamente revisado, com o objetivo de uniformização do discurso. 

====Documentos Disponíveis====

[[OWASP Brasil Manifesto]]
[[Media:OWASP_SCP_Quick_Reference_PT-BR_v1.2.pdf]]

==== Project About ====

{{:Projects/OWASP Portuguese Language Project | Project About}}

 __NOTOC__ <headertabs />

[[Category:OWASP_Project|Portuguese Language Project]] [[Category:OWASP_Document]] [[Category:OWASP_Alpha_Quality_Document|OWASP Alpha Quality Document]]

Category:Brasil

2011-07-02T14:13:41Z

Sapao: /* Documentos Publicados em Português (Portuguese Language Documents) */

This [[:Special:Categories|category]] is meant to contain all [[:Category:OWASP Chapter|OWASP Chapters]] in Brasil.

===Documentos Publicados em Português (Portuguese Language Documents)===

* [http://code.google.com/p/webgoat-ptbr/downloads/list WebGoat em PT-BR]
* [http://www.owasp.org/images/4/42/OWASP_TOP_10_2007_PT-BR.pdf OWASP Top Ten 2007]
* [http://www.owasp.org/images/b/b4/OWASP-Intro-2008-pt-br.ppt Introdução ao OWASP]
* [http://www.owasp.org/images/7/75/OWASP_TOP10_PT-BR.ppt Apresentação do Top Ten 2007 (PPT)]
* [[media:OWASP_SCP_Quick_Reference_PT-BR_v1.2.pdf]]
* [[media:Seguranca na web - uma janela de oportunidades.pdf]]

[[Category:South America]]
[[Category:Latin America]]

Category:Brasil

2011-07-02T14:13:22Z

Sapao: /* Documentos Publicados em Português (Portuguese Language Documents) */

This [[:Special:Categories|category]] is meant to contain all [[:Category:OWASP Chapter|OWASP Chapters]] in Brasil.

===Documentos Publicados em Português (Portuguese Language Documents)===

* [http://code.google.com/p/webgoat-ptbr/downloads/list WebGoat em PT-BR]
* [http://www.owasp.org/images/4/42/OWASP_TOP_10_2007_PT-BR.pdf OWASP Top Ten 2007]
* [http://www.owasp.org/images/b/b4/OWASP-Intro-2008-pt-br.ppt Introdução ao OWASP]
* [http://www.owasp.org/images/7/75/OWASP_TOP10_PT-BR.ppt Apresentação do Top Ten 2007 (PPT)]
* [[OWASP_SCP_Quick_Reference_PT-BR_v1.2.pdf]]
* [[media: Seguranca na web - uma janela de oportunidades.pdf]]

[[Category:South America]]
[[Category:Latin America]]

Category:Brasil

2011-07-02T14:13:05Z

Sapao: /* Documentos Publicados em Português (Portuguese Language Documents) */

This [[:Special:Categories|category]] is meant to contain all [[:Category:OWASP Chapter|OWASP Chapters]] in Brasil.

===Documentos Publicados em Português (Portuguese Language Documents)===

* [http://code.google.com/p/webgoat-ptbr/downloads/list WebGoat em PT-BR]
* [http://www.owasp.org/images/4/42/OWASP_TOP_10_2007_PT-BR.pdf OWASP Top Ten 2007]
* [http://www.owasp.org/images/b/b4/OWASP-Intro-2008-pt-br.ppt Introdução ao OWASP]
* [http://www.owasp.org/images/7/75/OWASP_TOP10_PT-BR.ppt Apresentação do Top Ten 2007 (PPT)]
* [[OWASP_SCP_Quick_Reference_PT-BR_v1.2.pdf]
* [[media: Seguranca na web - uma janela de oportunidades.pdf]]

[[Category:South America]]
[[Category:Latin America]]

File:OWASP SCP Quick Reference PT-BR v1.2.pdf

2011-07-02T14:11:27Z

Sapao:

OWASP Brasil Manifesto/en

2011-06-24T17:48:13Z

Sapao: /* How can OWASP help? */

=Web Security - A Window of Opportunity=
'''A white paper from OWASP to Governments'''

==Executive Summary==
The Open Web Application Security Project (OWASP) is a global and open community focused on improving the security of software systems and has chapters in cities around the world. This document presents the vision of the Brazilian OWASP community on how the governments can act to improve security on the Internet.

In this paper, we present suggestions and recommendations regarding public policy, legislation and other activities that we believe could contribute to improving the security of the Internet and related software applications.

The recommendations are divided according to the focus of each agency:
* legislators
* consumer protection bodies
* control and audit bodies
* teaching and research institutions
* all public bodies

The recommendations do not have dependencies on each other, but we believe that maximum efficiency occurs with the implementation of all recommendations. Improving security in the local Internet could bring several advantages for the country, such as the attraction of investment, training of the workforce and the development of an industry capable of exporting products and services with high added value.

The experts that participate in OWASP are willing to contribute to the country, to help it move in the right direction and, for example, could serve as an advisory body or provide a channel for liaison with foreign experts if necessary. The OWASP organization is non-profit, and all specialists involved are volunteers.

==Web Insecurity==

The Internet is now a reality in the lives of most people, as shown by usage statistics. The [http://www.internetworldstats.com/ Internet World Stats] web site [http://www.internetworldstats.com/stats.htm reports] that about 80% of North Americans and 60% of Europeans are Internet users. The IWS also reports growth rates from 2010 to 2011 of more than 150% and 350% for North America and Europe respectively.

Internet access methods also have diversified and now include everything from traditional cybercafes to cell phones, including dialup and broadband. Thus, the range of users goes from the casual user who accesses from a public computer to "always connected" users, accessing the Internet using a computer or cell phone when and wherever they are.

Whatever the frequency or access method, it is undeniable that the Internet is now part of everyday life. Companies also increasingly rely on the Internet as a business tool. Even disregarding businesses that exist solely on the Internet, it is very difficult today to find an organization which does not rely on the Internet in some way.

Also, governments have invested in the use of electronic government (e-gov), involving strategies which provide services to the population via the Internet.

add e-gov examples here.

If seen as a communications tool, the Internet has included and also changed the routines of millions of people. E-mail is almost as popular as the telephone. Instant messaging systems, such as MSN Messenger or Google Talk, are used by most people for work or for leisure. Social networks like Facebook, Orkut and Twitter, are a reality in the lives of individuals and companies, and have gained importance as tools for community building as well as for business.

Although it is becoming essential to society, the Internet is inherently an insecure infrastructure. Designed in the 1960s to withstand a nuclear attack, the Internet is able to continue operating even if a disaster occurs in part of the network. However, this infrastructure depends on computer programs, called software. It is the software that defines the rules for the operation of computers, routers and other components of the worldwide network.

As in all human activity, software development is prone to errors. Mistakes in software can lead to failures, including security breaches. Laurence Lessig, a law professor at Harvard University, said that "Code is law", ie, the software is the law that governs the Internet. As a result, the "laws" governing the Internet are flawed and these flaws can cause problems for the security of the network users.

Flaws in Internet security are common and make the news almost daily. There are many examples reported by police of criminals who use the Internet to commit their crimes. In most cases, crimes are possible due to a lack of an adequate level of security in systems. Bank fraud is perhaps the greatest example of exploitation of security flaws, but other types of attacks against sites and systems exist and can cause damage to society.

The dependence of our society on Internet services is such that the mere unavailability of some of these services (often caused by bad guys using techniques that exploit security holes in Internet infrastructure) is featured on the evening news, as is the unavailability of well known web sites and networks such as Sony's Playstation network.

CERT/CC, the Computer Emergency Response Team, coordinates response to Internet related emergencies and attacks. The CERT statistics show that the number of catalogued vulnerabilities increased from 417 in 1999 to 7236 in 2007.

add local statistics here.

The state of Internet security is delicate and tends to worsen as society increases its dependency on this network and its applications. In an analogy with recent financial market crisis (subprime crisis in the housing market), we have a vibrant ecosystem of applications and Web sites whose base is not solid enough. The risk is real that the basis of this ecosystem can collapse, as happened with the financial markets, and the consequences could be devastating for society as a whole. As in the case of financial markets, securing the foundation is important and the cost is certainly lower than expected if there were a crisis before acting.

==The Open Web Application Security Project==

OWASP is a global community, focused on improving software security. There are over 180 local OWASP chapters in all regions of the globe that bring together the world's leading experts in application security.

OWASP is an open community dedicated to empowering organizations to be able to conceive, develop, acquire, operate and maintain systems that are reliable. All tools, documents, forums, and sections of OWASP are free and open to anyone interested in improving application security.

OWASP is a new type of organization. Its freedom from commercial pressures allows it to provide unbiased, practical, cost-effective advice on application security. OWASP is not affiliated with any technology company, while supporting the informed use of commercial security technology. As many open-source software projects, OWASP produces many types of materials in a collaborative and open manner.

The OWASP project has among its documents and important tools for maintaining the security of applications and also promotes important conferences in this area. All OWASP projects are free to use and distribute.

OWASP is a non-profit and its members participate in its activities voluntarily. All proceeds of the project come from donations and are used to support its activities and its infrastructure.

==What can we do?==

Given the importance of software in today's economy, it is imperative that governments act to develop a market capable of producing software whose security level is appropriate to its intended usage and the importance of the information it will process or store. In this section, we list some recommendations of what can be done to improve the prospects for software security.

We believe that the actions proposed here have the potential to improve the security of software systems used by millions of people and also to promote a thriving industry able to put our country among the world leaders, creating prosperity and economic growth.

===By legislators===

The current software market provides incentives that emphasize functionality over security. As a result, everyone ends up suffering from the lack of security that is today's reality of the Internet. It is necessary that governments acts to create incentives for the adoption of safe practices in system development and also make accountable the people and organizations that do not properly address the security aspects of their applications.

Some suggested actions are:

====Allow and encourage research on cyber attacks and defenses====

Cyber crime legislation is needed and OWASP's position is not the protection of illegal or harmful activities. However, OWASP realizes that some initiatives to legislate about electronic crimes may also hamper legitimate activities and the much needed research that will allow us to correctly address security vulnerabilities.

We believe that legislation should focus on intent, criminalizing activities that aim to cause damage to society and enabling research activities that benefit society by creating knowledge crucial to the improvement of secure systems.

====Require the publication of security assessments====

Disseminating information about security vulnerabilities is essential to enable society to protect itself from attacks that exploit these faults. Today we know that criminals involved in digital networks do exchange information and have ample access to descriptions of failures and new attack techniques. In other words, criminals now have more access to information than the teams responsible for maintaining the security of network providers, companies or the government.

As with the aviation industry, where the failures are thoroughly investigated and the results of investigations are published, it is important that the flaws found in computer systems and the description of attacks suffered by organizations are widely disseminated, allowing the whole society to learn from the problems that occurred in order to evolve the security of systems on which we depend.

====Create an agency to address the aspects of disclosure of security flaws====

With the publication of laws requiring disclosure of security breaches, it is important to regulate this activity. We suggest the creation of a specialized government agency to regulate and manage the activities of exchanging information on security vulnerabilities in an ethical and responsible way, including the power to punish people and organizations that act in a manner harmful to society.

====Require compliance with minimum security requirements in government contracts====

The purchasing power of government can not be ignored and must be used in favor of society. In the context of software security, the government can set minimum security criteria and require qualification and use of technical protections in systems provided to the government. An important aspect is the possibility of holding suppliers accountable in case of failures in security.

====Make organizations which are not diligent about software security accountable====

Like other government suppliers, all organizations must be legally responsible for the security of systems that operate or sell. The legislation should provide for penalties to those organizations that fail to take adequate measures to ensure the security of their systems. The suppliers of the technologies used should also be liable.

====Require that the government have access to security updates for all software during its lifetime====

It is imperative that the systems used by public agencies are always updated with all the security fixes, so they are not affected by known vulnerabilities. Thus, legislation is needed to determine that the government must have access to security fixes for systems that it employs for the duration of the useful life of these systems and regardless of the existence of maintenance contracts.

====Require open sourcing of applications used by the government and whose lifetime has expired====

It is quite common for software manufacturers to restrict the lifetime of their systems, mainly because of the release of new versions of these systems. At the end of its life, software manufacturers often stop publishing updates and security fixes, which increases the risk to organizations still relying on these versions.

It is also quite common in government agencies to keep using systems that have been long-abandoned by manufacturers but that still meet the needs of the public administration. Allowing the government to protect itself in case of failures in these systems requires the creation of legislation to compel manufacturers to make available the source code for these systems so that the government is able to perform the necessary maintenance, since the manufacturer no longer maintains the system. The manufacturer may also choose to provide the most current version of the software, provided there is no cost to the government.

====Eliminate software licenses which exempt manufacturers from liability for the security of their products====

Many current software licenses restrict the liability of the manufacturer in case of software security flaws. It is important to have legislation that prevents a software manufacturer to avoid liability for the safety and security of the products it sells.

To avoid distortions in the software market, manufacturers' liability may be limited to the amount paid.

===For consumer protection agencies===

Our understanding is that the protection of customer information is part of the necessary consumer protection practices, as well as to supply systems free of defects, especially defects that may compromise the security of its users. Thus, consumer protection agencies can and should act to improve the security landscape for consumers.

We suggest the following actions:

====Act to restrict the use of abusive software licenses ====

This action is similar and complementary to the item "Eliminate software licenses which exempt manufacturers from liability for the security of their products, " described above.

====Require manufacturers to disclose understandable information on the security level of their products or services====

As with manufacturers of electrical and electronic goods that must disclose information on energy consumption of their products, consumers have the right to know about the characteristics and the level of security provided by the computer systems they use.

It is imperative to create a system that allows consumers to check the level of security a software product provides as part of their decision-making process. Such a system would reduce some of the perverse externalities of the software market and create incentives for software producers to enhance the security of their products.

In this item, it is possible to quote existing local consumer rights legislation regarding defects in acquired products.

====Require an adequate level of security for systems that deal with private data====

Many organizations collect private information from their clients during their business relationships, but do not always protect this information adequately. Thus, the definition of minimum procedures for protection of information collected from consumers are required and public or private organizations that do not adequately protect personal information should be liable. Personal information leaks should be penalized and should be disclosed. In particular, all those individuals potentially affected by the leak should be alerted to the fact and its possible consequences.

Some places already have legislation on data leaks and this item may unnecessary.

====Define that consumers should be informed of all possible uses of data provided to systems or sites====

Not only must organizations protect the data collected from consumers, but consumers should know all the possible uses of the information being collected. It is therefore necessary that all public and private organizations are obligated to disclose all possible uses for the data they collect, including future uses. Any change in data use policies must be informed in advance and explicitly accepted by the affected consumers.

Some places already have legislation about this issue and this item may be unnecessary.

====Establish software security awareness campaigns for consumers====

In addition to actions that require software makers to act responsibly towards consumers, it is also important to teach users of computer systems about the risks of using these systems.

Just as it is important to make awareness campaigns for traffic safety or disease control, it is important to educate Internet users about the risks that come from an increasingly connected world. Campaigns should address topics such as the risks of entering personal data in unknown sites or the care that each person should have with their own computer device to prevent it from becoming a weapon in the hands of cybercriminals.

===For oversight agencies===

Auditing bodies can and should demand the adoption of appropriate practices for application security in sectors they oversee. These bodies should establish regulations that favor the use of security techniques in software development. Thus, the suggested actions are:

====Define clear responsibilities about application security====

Every organization should be responsible for the security of their systems and this should be clearly defined. Oversight bodies should, where possible, include the responsibility to maintain the security of information systems as part of their regulations. There must be provision for punishment in cases where there is adequate security systems.

====Verify and audit to ensure that appropriate security practices are adopted====

Whenever possible, audits or checks must include items to assess whether the best application security practices were properly adopted and implemented. We believe that audits are an opportunity to improve the practices adopted by organizations, and oversight agencies should be prepared to require the maintenance of adequate levels of security in the auditee's systems.

There are some models that can guide the practices of system security audit such as the [http://www.sse-cmm.org/ SSE-CMM] (Systems Security Engineering Capability Maturity Model), [http://www.owasp.org/index.php/Category:OWASP_Application_Security_Verification_Standard_Project OWASP ASVS] (Application Security Verification Standard) or [http://www.opensamm.org/ SAMM] (Software Assurance Maturity Model).

====Insert the security aspects of applications in regulations or recommendations====

Many oversight agencies publish regulations or oversight recommendations for the sectors they regulate. It is important that these regulations or recommendations include application security aspects and clearly indicate the need to include security requirements in contracts with suppliers.

====Facilitate the creation of an insurance market for security applications====

As much as accountability for failing to maintain appropriate levels of security is important, it is also important to create an insurance market for application security.

An insurance market allows the transfer of part of the security risks to an insurer, while it tends to increase insurance costs for entities that do not have a proper treatment of the security aspects of their systems. Along with accountability mechanisms, a properly functioning insurance market produces strong incentives for organizations to improve their security posture.

====Requiring the use of encrypted connections (SSL) for web applications====

Many attacks exist today are only possible because some organizations do not use even the most basic security mechanisms available. One such mechanism is the SSL protocol, which allows the encryption of data transmitted between the browser and web servers, ensuring the confidentiality and authenticity of information.

Thus, one simple measure to improve the security of web systems is to require that data must be transmitted securely over the Internet network.

===For research and teaching institutions===

Training the workforce is essential to move any country forward in all areas closely linked to technology. To have a prosperous application security market, it is necessary to train an adequate number of experts in both the attack and defense aspects of this discipline. Training should occur by the inclusion of the security area in the contents of the universities and also by the training of researchers able to build new techniques and methodologies to advance this field. The interaction of educational and research institutions with industry for technology transfer and productization is greatly needed.

The suggested actions for education and research institutions are:

====Inclusion of application security best practices in course content====

It is essential that all Information technology professionals are aware of basic security practices and the inclusion of such information in university training is the best way to achieve this goal.

Students in primary and secondary schools must also learn about the dangers of the virtual world. At these education levels, the focus should be on the risks involved in using systems or websites like social networks or e-commerce sites. The ethical aspects of Internet use should also be emphasized.

====Creation of advanced courses in the field====

Besides the basic practices that must be known by all professionals, it is necessary to train specialists in software security for the country to develop a thriving security industry and to generate wealth.

====To promote and fund application security research====

Generating knowledge is also essential for a country to take a world leadership role in application security. And the only way to increase the generation of new knowledge is to promote and fund research in the area, whether undertaken by public or private institutions.

The promotion of knowledge and technology development in business is critical to a country's ability to create a market in application security products and its ability to create advanced and innovative technologies.

====To promote the training of professionals capable of acting with ethics and responsibility====

The whole process of training undergraduates and researchers should prioritize the responsibility and ethical aspects of security. The ethics training must be an essential part of training these professionals.

===For all public bodies===

Any public agency may help to improve the current state of affairs by either undertaking awareness and training, or by using its purchasing power to favor companies that treat the security aspects of applications adequately.

The suggested actions for all public organizations are:

====Financing validations and security fixes for open source systems====

Many government agencies use open source systems as part of their information technology infrastructures. It is therefore essential to these organizations that open source systems are secure and reliable. Public agencies should invest in making security assessments of the open source systems they adopt, in publishing secure configurations, in developing fixes for the security flaws found in these systems and in responsible disclosure of flaws as well as fixes.

Thus, public agencies can better serve society due to the improved security of their own systems and third party systems.

====Promote the use of application security technologies and methodologies====

Each public agency should require and promote the use of technologies and methodologies for developing secure applications, both internally and by its suppliers.

It should be the responsibility of each agency ensure that their systems have adequate security and that appropriate techniques are used in developing their computer systems.

====Promote and enable security testing responsibly but openly====

Security tests are a major tool for finding security holes in computer systems. Each public agency should establish a program that allows security researchers to conduct tests on their systems in order to locate faults and should repair the vulnerabilities as soon as possible.

We emphasize that the tests should be done in an ethical and responsible way and should be seen as a form of collaboration to improve government systems. We believe that cybercriminals are already conducting their own undercover testing on these systems, unlike legitimate researchers with good intentions. So, criminals currently have an advantage. The best way to balance this dispute is to facilitate the work of researchers and security professionals to find faults and report them appropriately instead of having these faults used as a currency in the digital underworld.

====Promote awareness and training of managers about the challenges of web security====

All public bodies should be concerned about the security of their systems and this concern should be part of the direction given by senior management of each government organization. It is therefore important that managers of all agencies participate in appropriate training and awareness sessions.

==Competitive advantages for the country==

The technology field is an economic activity with high added value, and therefore has the ability to generate wealth for the country. With the support and leadership from the government, the country has the potential to become a world leader in application security, and may also generate revenue by exporting products and services with high added value and by creating new businesses.

Because it is a labor-intensive activity, there is also the possibility of creating jobs in the country for highly trained professionals. The existence of trained professionals in security also supports national sovereignty, since such knowledge is crucial in cyber-conflicts, cyber espionage and electronic warfare.

The development of this field closely linked to information technology also has the potential to foster the development of related areas, increasing the country's technological capability.

The improvement of the online business environment tends to improve the country's international image, so that it begins to be considered a safe haven for business, both online and off. A favorable business environment may attract international investment, especially investment in businesses directly related to the Internet or enterprise software development.

==How can OWASP help?==

OWASP is an international community and brings together leading experts on the subject worldwide, including civil servants. All materials and systems developed by OWASP are freely available to the government to use as it deems most appropriate. The OWASP community can also help in developing materials or tools to meet the specific needs of government agencies.

The materials and guidelines developed by OWASP can be translated into any language in order to serve as a subsidy in developing legislation or regulations. OWASP has good practice guides and standards that can be used as input to the development of governmental documents in line with the best international practices.

The experts that participate in OWASP are willing to contribute to make the country to move in the right direction and may serve as an advisory body or liaison with foreign experts if necessary.

OWASP Brasil Manifesto/en

2011-06-24T17:47:01Z

Sapao: /* Allow and encourage research on cyber attacks and defenses */

OWASP Brasil Manifesto/en

2011-06-24T17:44:53Z

Sapao: /* The Open Web Application Security Project */

=Web Security - A Window of Opportunity=
'''A white paper from OWASP to Governments'''

==Executive Summary==
The Open Web Application Security Project (OWASP) is a global and open community focused on improving the security of software systems and has chapters in cities around the world. This document presents the vision of the Brazilian OWASP community on how the governments can act to improve security on the Internet.

In this paper, we present suggestions and recommendations regarding public policy, legislation and other activities that we believe could contribute to improving the security of the Internet and related software applications.

The recommendations are divided according to the focus of each agency:
* legislators
* consumer protection bodies
* control and audit bodies
* teaching and research institutions
* all public bodies

The recommendations do not have dependencies on each other, but we believe that maximum efficiency occurs with the implementation of all recommendations. Improving security in the local Internet could bring several advantages for the country, such as the attraction of investment, training of the workforce and the development of an industry capable of exporting products and services with high added value.

The experts that participate in OWASP are willing to contribute to the country, to help it move in the right direction and, for example, could serve as an advisory body or provide a channel for liaison with foreign experts if necessary. The OWASP organization is non-profit, and all specialists involved are volunteers.

==Web Insecurity==

The Internet is now a reality in the lives of most people, as shown by usage statistics. The [http://www.internetworldstats.com/ Internet World Stats] web site [http://www.internetworldstats.com/stats.htm reports] that about 80% of North Americans and 60% of Europeans are Internet users. The IWS also reports growth rates from 2010 to 2011 of more than 150% and 350% for North America and Europe respectively.

Internet access methods also have diversified and now include everything from traditional cybercafes to cell phones, including dialup and broadband. Thus, the range of users goes from the casual user who accesses from a public computer to "always connected" users, accessing the Internet using a computer or cell phone when and wherever they are.

Whatever the frequency or access method, it is undeniable that the Internet is now part of everyday life. Companies also increasingly rely on the Internet as a business tool. Even disregarding businesses that exist solely on the Internet, it is very difficult today to find an organization which does not rely on the Internet in some way.

Also, governments have invested in the use of electronic government (e-gov), involving strategies which provide services to the population via the Internet.

add e-gov examples here.

If seen as a communications tool, the Internet has included and also changed the routines of millions of people. E-mail is almost as popular as the telephone. Instant messaging systems, such as MSN Messenger or Google Talk, are used by most people for work or for leisure. Social networks like Facebook, Orkut and Twitter, are a reality in the lives of individuals and companies, and have gained importance as tools for community building as well as for business.

Although it is becoming essential to society, the Internet is inherently an insecure infrastructure. Designed in the 1960s to withstand a nuclear attack, the Internet is able to continue operating even if a disaster occurs in part of the network. However, this infrastructure depends on computer programs, called software. It is the software that defines the rules for the operation of computers, routers and other components of the worldwide network.

As in all human activity, software development is prone to errors. Mistakes in software can lead to failures, including security breaches. Laurence Lessig, a law professor at Harvard University, said that "Code is law", ie, the software is the law that governs the Internet. As a result, the "laws" governing the Internet are flawed and these flaws can cause problems for the security of the network users.

Flaws in Internet security are common and make the news almost daily. There are many examples reported by police of criminals who use the Internet to commit their crimes. In most cases, crimes are possible due to a lack of an adequate level of security in systems. Bank fraud is perhaps the greatest example of exploitation of security flaws, but other types of attacks against sites and systems exist and can cause damage to society.

The dependence of our society on Internet services is such that the mere unavailability of some of these services (often caused by bad guys using techniques that exploit security holes in Internet infrastructure) is featured on the evening news, as is the unavailability of well known web sites and networks such as Sony's Playstation network.

CERT/CC, the Computer Emergency Response Team, coordinates response to Internet related emergencies and attacks. The CERT statistics show that the number of catalogued vulnerabilities increased from 417 in 1999 to 7236 in 2007.

add local statistics here.

The state of Internet security is delicate and tends to worsen as society increases its dependency on this network and its applications. In an analogy with recent financial market crisis (subprime crisis in the housing market), we have a vibrant ecosystem of applications and Web sites whose base is not solid enough. The risk is real that the basis of this ecosystem can collapse, as happened with the financial markets, and the consequences could be devastating for society as a whole. As in the case of financial markets, securing the foundation is important and the cost is certainly lower than expected if there were a crisis before acting.

==The Open Web Application Security Project==

OWASP is a global community, focused on improving software security. There are over 180 local OWASP chapters in all regions of the globe that bring together the world's leading experts in application security.

OWASP is an open community dedicated to empowering organizations to be able to conceive, develop, acquire, operate and maintain systems that are reliable. All tools, documents, forums, and sections of OWASP are free and open to anyone interested in improving application security.

OWASP is a new type of organization. Its freedom from commercial pressures allows it to provide unbiased, practical, cost-effective advice on application security. OWASP is not affiliated with any technology company, while supporting the informed use of commercial security technology. As many open-source software projects, OWASP produces many types of materials in a collaborative and open manner.

The OWASP project has among its documents and important tools for maintaining the security of applications and also promotes important conferences in this area. All OWASP projects are free to use and distribute.

OWASP is a non-profit and its members participate in its activities voluntarily. All proceeds of the project come from donations and are used to support its activities and its infrastructure.

==What can we do?==

Given the importance of software in today's economy, it is imperative that governments act to develop a market capable of producing software whose security level is appropriate to its intended usage and the importance of the information it will process or store. In this section, we list some recommendations of what can be done to improve the prospects for software security.

We believe that the actions proposed here have the potential to improve the security of software systems used by millions of people and also to promote a thriving industry able to put our country among the world leaders, creating prosperity and economic growth.

===By legislators===

The current software market provides incentives that emphasize functionality over security. As a result, everyone ends up suffering from the lack of security that is today's reality of the Internet. It is necessary that governments acts to create incentives for the adoption of safe practices in system development and also make accountable the people and organizations that do not properly address the security aspects of their applications.

Some suggested actions are:

====Allow and encourage research on cyber attacks and defenses====

Cyber crime legislation is needed and OWASP's position is the protection of illegal or harmful activities. However, OWASP realizes that some initiatives to legislate about electronic crimes may also hamper legitimate activities and the much needed research that will allow us to correctly address security vulnerabilities.

We believe that legislation should focus on intent, criminalizing activities that aim to cause damage to society and enabling research activities that benefit society by creating knowledge crucial to the improvement of secure systems.

====Require the publication of security assessments====

Disseminating information about security vulnerabilities is essential to enable society to protect itself from attacks that exploit these faults. Today we know that criminals involved in digital networks do exchange information and have ample access to descriptions of failures and new attack techniques. In other words, criminals now have more access to information than the teams responsible for maintaining the security of network providers, companies or the government.

As with the aviation industry, where the failures are thoroughly investigated and the results of investigations are published, it is important that the flaws found in computer systems and the description of attacks suffered by organizations are widely disseminated, allowing the whole society to learn from the problems that occurred in order to evolve the security of systems on which we depend.

====Create an agency to address the aspects of disclosure of security flaws====

With the publication of laws requiring disclosure of security breaches, it is important to regulate this activity. We suggest the creation of a specialized government agency to regulate and manage the activities of exchanging information on security vulnerabilities in an ethical and responsible way, including the power to punish people and organizations that act in a manner harmful to society.

====Require compliance with minimum security requirements in government contracts====

The purchasing power of government can not be ignored and must be used in favor of society. In the context of software security, the government can set minimum security criteria and require qualification and use of technical protections in systems provided to the government. An important aspect is the possibility of holding suppliers accountable in case of failures in security.

====Make organizations which are not diligent about software security accountable====

Like other government suppliers, all organizations must be legally responsible for the security of systems that operate or sell. The legislation should provide for penalties to those organizations that fail to take adequate measures to ensure the security of their systems. The suppliers of the technologies used should also be liable.

====Require that the government have access to security updates for all software during its lifetime====

It is imperative that the systems used by public agencies are always updated with all the security fixes, so they are not affected by known vulnerabilities. Thus, legislation is needed to determine that the government must have access to security fixes for systems that it employs for the duration of the useful life of these systems and regardless of the existence of maintenance contracts.

====Require open sourcing of applications used by the government and whose lifetime has expired====

It is quite common for software manufacturers to restrict the lifetime of their systems, mainly because of the release of new versions of these systems. At the end of its life, software manufacturers often stop publishing updates and security fixes, which increases the risk to organizations still relying on these versions.

It is also quite common in government agencies to keep using systems that have been long-abandoned by manufacturers but that still meet the needs of the public administration. Allowing the government to protect itself in case of failures in these systems requires the creation of legislation to compel manufacturers to make available the source code for these systems so that the government is able to perform the necessary maintenance, since the manufacturer no longer maintains the system. The manufacturer may also choose to provide the most current version of the software, provided there is no cost to the government.

====Eliminate software licenses which exempt manufacturers from liability for the security of their products====

Many current software licenses restrict the liability of the manufacturer in case of software security flaws. It is important to have legislation that prevents a software manufacturer to avoid liability for the safety and security of the products it sells.

To avoid distortions in the software market, manufacturers' liability may be limited to the amount paid.

===For consumer protection agencies===

Our understanding is that the protection of customer information is part of the necessary consumer protection practices, as well as to supply systems free of defects, especially defects that may compromise the security of its users. Thus, consumer protection agencies can and should act to improve the security landscape for consumers.

We suggest the following actions:

====Act to restrict the use of abusive software licenses ====

This action is similar and complementary to the item "Eliminate software licenses which exempt manufacturers from liability for the security of their products, " described above.

====Require manufacturers to disclose understandable information on the security level of their products or services====

As with manufacturers of electrical and electronic goods that must disclose information on energy consumption of their products, consumers have the right to know about the characteristics and the level of security provided by the computer systems they use.

It is imperative to create a system that allows consumers to check the level of security a software product provides as part of their decision-making process. Such a system would reduce some of the perverse externalities of the software market and create incentives for software producers to enhance the security of their products.

In this item, it is possible to quote existing local consumer rights legislation regarding defects in acquired products.

====Require an adequate level of security for systems that deal with private data====

Many organizations collect private information from their clients during their business relationships, but do not always protect this information adequately. Thus, the definition of minimum procedures for protection of information collected from consumers are required and public or private organizations that do not adequately protect personal information should be liable. Personal information leaks should be penalized and should be disclosed. In particular, all those individuals potentially affected by the leak should be alerted to the fact and its possible consequences.

Some places already have legislation on data leaks and this item may unnecessary.

====Define that consumers should be informed of all possible uses of data provided to systems or sites====

Not only must organizations protect the data collected from consumers, but consumers should know all the possible uses of the information being collected. It is therefore necessary that all public and private organizations are obligated to disclose all possible uses for the data they collect, including future uses. Any change in data use policies must be informed in advance and explicitly accepted by the affected consumers.

Some places already have legislation about this issue and this item may be unnecessary.

====Establish software security awareness campaigns for consumers====

In addition to actions that require software makers to act responsibly towards consumers, it is also important to teach users of computer systems about the risks of using these systems.

Just as it is important to make awareness campaigns for traffic safety or disease control, it is important to educate Internet users about the risks that come from an increasingly connected world. Campaigns should address topics such as the risks of entering personal data in unknown sites or the care that each person should have with their own computer device to prevent it from becoming a weapon in the hands of cybercriminals.

===For oversight agencies===

Auditing bodies can and should demand the adoption of appropriate practices for application security in sectors they oversee. These bodies should establish regulations that favor the use of security techniques in software development. Thus, the suggested actions are:

====Define clear responsibilities about application security====

Every organization should be responsible for the security of their systems and this should be clearly defined. Oversight bodies should, where possible, include the responsibility to maintain the security of information systems as part of their regulations. There must be provision for punishment in cases where there is adequate security systems.

====Verify and audit to ensure that appropriate security practices are adopted====

Whenever possible, audits or checks must include items to assess whether the best application security practices were properly adopted and implemented. We believe that audits are an opportunity to improve the practices adopted by organizations, and oversight agencies should be prepared to require the maintenance of adequate levels of security in the auditee's systems.

There are some models that can guide the practices of system security audit such as the [http://www.sse-cmm.org/ SSE-CMM] (Systems Security Engineering Capability Maturity Model), [http://www.owasp.org/index.php/Category:OWASP_Application_Security_Verification_Standard_Project OWASP ASVS] (Application Security Verification Standard) or [http://www.opensamm.org/ SAMM] (Software Assurance Maturity Model).

====Insert the security aspects of applications in regulations or recommendations====

Many oversight agencies publish regulations or oversight recommendations for the sectors they regulate. It is important that these regulations or recommendations include application security aspects and clearly indicate the need to include security requirements in contracts with suppliers.

====Facilitate the creation of an insurance market for security applications====

As much as accountability for failing to maintain appropriate levels of security is important, it is also important to create an insurance market for application security.

An insurance market allows the transfer of part of the security risks to an insurer, while it tends to increase insurance costs for entities that do not have a proper treatment of the security aspects of their systems. Along with accountability mechanisms, a properly functioning insurance market produces strong incentives for organizations to improve their security posture.

====Requiring the use of encrypted connections (SSL) for web applications====

Many attacks exist today are only possible because some organizations do not use even the most basic security mechanisms available. One such mechanism is the SSL protocol, which allows the encryption of data transmitted between the browser and web servers, ensuring the confidentiality and authenticity of information.

Thus, one simple measure to improve the security of web systems is to require that data must be transmitted securely over the Internet network.

===For research and teaching institutions===

Training the workforce is essential to move any country forward in all areas closely linked to technology. To have a prosperous application security market, it is necessary to train an adequate number of experts in both the attack and defense aspects of this discipline. Training should occur by the inclusion of the security area in the contents of the universities and also by the training of researchers able to build new techniques and methodologies to advance this field. The interaction of educational and research institutions with industry for technology transfer and productization is greatly needed.

The suggested actions for education and research institutions are:

====Inclusion of application security best practices in course content====

It is essential that all Information technology professionals are aware of basic security practices and the inclusion of such information in university training is the best way to achieve this goal.

Students in primary and secondary schools must also learn about the dangers of the virtual world. At these education levels, the focus should be on the risks involved in using systems or websites like social networks or e-commerce sites. The ethical aspects of Internet use should also be emphasized.

====Creation of advanced courses in the field====

Besides the basic practices that must be known by all professionals, it is necessary to train specialists in software security for the country to develop a thriving security industry and to generate wealth.

====To promote and fund application security research====

Generating knowledge is also essential for a country to take a world leadership role in application security. And the only way to increase the generation of new knowledge is to promote and fund research in the area, whether undertaken by public or private institutions.

The promotion of knowledge and technology development in business is critical to a country's ability to create a market in application security products and its ability to create advanced and innovative technologies.

====To promote the training of professionals capable of acting with ethics and responsibility====

The whole process of training undergraduates and researchers should prioritize the responsibility and ethical aspects of security. The ethics training must be an essential part of training these professionals.

===For all public bodies===

Any public agency may help to improve the current state of affairs by either undertaking awareness and training, or by using its purchasing power to favor companies that treat the security aspects of applications adequately.

The suggested actions for all public organizations are:

====Financing validations and security fixes for open source systems====

Many government agencies use open source systems as part of their information technology infrastructures. It is therefore essential to these organizations that open source systems are secure and reliable. Public agencies should invest in making security assessments of the open source systems they adopt, in publishing secure configurations, in developing fixes for the security flaws found in these systems and in responsible disclosure of flaws as well as fixes.

Thus, public agencies can better serve society due to the improved security of their own systems and third party systems.

====Promote the use of application security technologies and methodologies====

Each public agency should require and promote the use of technologies and methodologies for developing secure applications, both internally and by its suppliers.

It should be the responsibility of each agency ensure that their systems have adequate security and that appropriate techniques are used in developing their computer systems.

====Promote and enable security testing responsibly but openly====

Security tests are a major tool for finding security holes in computer systems. Each public agency should establish a program that allows security researchers to conduct tests on their systems in order to locate faults and should repair the vulnerabilities as soon as possible.

We emphasize that the tests should be done in an ethical and responsible way and should be seen as a form of collaboration to improve government systems. We believe that cybercriminals are already conducting their own undercover testing on these systems, unlike legitimate researchers with good intentions. So, criminals currently have an advantage. The best way to balance this dispute is to facilitate the work of researchers and security professionals to find faults and report them appropriately instead of having these faults used as a currency in the digital underworld.

====Promote awareness and training of managers about the challenges of web security====

All public bodies should be concerned about the security of their systems and this concern should be part of the direction given by senior management of each government organization. It is therefore important that managers of all agencies participate in appropriate training and awareness sessions.

==Competitive advantages for the country==

The technology field is an economic activity with high added value, and therefore has the ability to generate wealth for the country. With the support and leadership from the government, the country has the potential to become a world leader in application security, and may also generate revenue by exporting products and services with high added value and by creating new businesses.

Because it is a labor-intensive activity, there is also the possibility of creating jobs in the country for highly trained professionals. The existence of trained professionals in security also supports national sovereignty, since such knowledge is crucial in cyber-conflicts, cyber espionage and electronic warfare.

The development of this field closely linked to information technology also has the potential to foster the development of related areas, increasing the country's technological capability.

The improvement of the online business environment tends to improve the country's international image, so that it begins to be considered a safe haven for business, both online and off. A favorable business environment may attract international investment, especially investment in businesses directly related to the Internet or enterprise software development.

==How can OWASP help?==

OWASP is an international community and brings together leading experts on the subject worldwide, including civil servants. All materials and systems developed by OWASP are freely available to the government to use as it deems most appropriate. The OWASP community can also help in developing materials or tools to meet the specific needs of government agencies.

The materials and guidelines developed by OWASP can be translated into any language in order to serve as a subsidy in developing legislation or regulations. OWASP has good practice guides and standards that can be used as input to the development of governmental documents in line with the best international practices.

The experts that participate in OWASP are willing to contribute to make the country to move in the right direction and may serve as an advisory body or liaison with foreign experts if necessary. OWASP is a non-profit and all specialists involved are volunteers.

OWASP Brasil Manifesto/en

2011-06-24T17:42:29Z

Sapao: /* Web Insecurity */

=Web Security - A Window of Opportunity=
'''A white paper from OWASP to Governments'''

==Executive Summary==
The Open Web Application Security Project (OWASP) is a global and open community focused on improving the security of software systems and has chapters in cities around the world. This document presents the vision of the Brazilian OWASP community on how the governments can act to improve security on the Internet.

In this paper, we present suggestions and recommendations regarding public policy, legislation and other activities that we believe could contribute to improving the security of the Internet and related software applications.

The recommendations are divided according to the focus of each agency:
* legislators
* consumer protection bodies
* control and audit bodies
* teaching and research institutions
* all public bodies

The recommendations do not have dependencies on each other, but we believe that maximum efficiency occurs with the implementation of all recommendations. Improving security in the local Internet could bring several advantages for the country, such as the attraction of investment, training of the workforce and the development of an industry capable of exporting products and services with high added value.

The experts that participate in OWASP are willing to contribute to the country, to help it move in the right direction and, for example, could serve as an advisory body or provide a channel for liaison with foreign experts if necessary. The OWASP organization is non-profit, and all specialists involved are volunteers.

==Web Insecurity==

The Internet is now a reality in the lives of most people, as shown by usage statistics. The [http://www.internetworldstats.com/ Internet World Stats] web site [http://www.internetworldstats.com/stats.htm reports] that about 80% of North Americans and 60% of Europeans are Internet users. The IWS also reports growth rates from 2010 to 2011 of more than 150% and 350% for North America and Europe respectively.

Internet access methods also have diversified and now include everything from traditional cybercafes to cell phones, including dialup and broadband. Thus, the range of users goes from the casual user who accesses from a public computer to "always connected" users, accessing the Internet using a computer or cell phone when and wherever they are.

Whatever the frequency or access method, it is undeniable that the Internet is now part of everyday life. Companies also increasingly rely on the Internet as a business tool. Even disregarding businesses that exist solely on the Internet, it is very difficult today to find an organization which does not rely on the Internet in some way.

Also, governments have invested in the use of electronic government (e-gov), involving strategies which provide services to the population via the Internet.

add e-gov examples here.

If seen as a communications tool, the Internet has included and also changed the routines of millions of people. E-mail is almost as popular as the telephone. Instant messaging systems, such as MSN Messenger or Google Talk, are used by most people for work or for leisure. Social networks like Facebook, Orkut and Twitter, are a reality in the lives of individuals and companies, and have gained importance as tools for community building as well as for business.

Although it is becoming essential to society, the Internet is inherently an insecure infrastructure. Designed in the 1960s to withstand a nuclear attack, the Internet is able to continue operating even if a disaster occurs in part of the network. However, this infrastructure depends on computer programs, called software. It is the software that defines the rules for the operation of computers, routers and other components of the worldwide network.

As in all human activity, software development is prone to errors. Mistakes in software can lead to failures, including security breaches. Laurence Lessig, a law professor at Harvard University, said that "Code is law", ie, the software is the law that governs the Internet. As a result, the "laws" governing the Internet are flawed and these flaws can cause problems for the security of the network users.

Flaws in Internet security are common and make the news almost daily. There are many examples reported by police of criminals who use the Internet to commit their crimes. In most cases, crimes are possible due to a lack of an adequate level of security in systems. Bank fraud is perhaps the greatest example of exploitation of security flaws, but other types of attacks against sites and systems exist and can cause damage to society.

The dependence of our society on Internet services is such that the mere unavailability of some of these services (often caused by bad guys using techniques that exploit security holes in Internet infrastructure) is featured on the evening news, as is the unavailability of well known web sites and networks such as Sony's Playstation network.

CERT/CC, the Computer Emergency Response Team, coordinates response to Internet related emergencies and attacks. The CERT statistics show that the number of catalogued vulnerabilities increased from 417 in 1999 to 7236 in 2007.

add local statistics here.

The state of Internet security is delicate and tends to worsen as society increases its dependency on this network and its applications. In an analogy with recent financial market crisis (subprime crisis in the housing market), we have a vibrant ecosystem of applications and Web sites whose base is not solid enough. The risk is real that the basis of this ecosystem can collapse, as happened with the financial markets, and the consequences could be devastating for society as a whole. As in the case of financial markets, securing the foundation is important and the cost is certainly lower than expected if there were a crisis before acting.

==The Open Web Application Security Project==

OWASP is a global community, focused on improving software security. There are over 180 local OWASP chapters in all regions of the globe that bring together the world's leading experts in application security.

OWASP is an open community dedicated to empowering organizations to be able to conceive, develop, acquire, operate and maintain systems that are reliable. All tools, documents, forums, and sections of OWASP are free and open to anyone interested in improving application security.

OWASP is a new type of organization. Its freedom from commercial pressures allows it to provide unbiased, practical, cost-effective advice on application security. OWASP is not affiliated with any technology company, while supporting the informed use of commercial security technology. As many open-source software projects, OWASP produces many types of materials in a collaborative and open manner.

The OWASP project has among its documents and important tools for maintaining the security of applications and also promotes important conferences in this area. All OWASP projects are published using [https://www.owasp.org/index.php/OWASP_Licenses free software or Creative Commons licenses].

OWASP is a non-profit and its members participate in its activities voluntarily. All proceeds of the project come from donations and are used to support its activities and its infrastructure.

==What can we do?==

Given the importance of software in today's economy, it is imperative that governments act to develop a market capable of producing software whose security level is appropriate to its intended usage and the importance of the information it will process or store. In this section, we list some recommendations of what can be done to improve the prospects for software security.

We believe that the actions proposed here have the potential to improve the security of software systems used by millions of people and also to promote a thriving industry able to put our country among the world leaders, creating prosperity and economic growth.

===By legislators===

The current software market provides incentives that emphasize functionality over security. As a result, everyone ends up suffering from the lack of security that is today's reality of the Internet. It is necessary that governments acts to create incentives for the adoption of safe practices in system development and also make accountable the people and organizations that do not properly address the security aspects of their applications.

Some suggested actions are:

====Allow and encourage research on cyber attacks and defenses====

Cyber crime legislation is needed and OWASP's position is the protection of illegal or harmful activities. However, OWASP realizes that some initiatives to legislate about electronic crimes may also hamper legitimate activities and the much needed research that will allow us to correctly address security vulnerabilities.

We believe that legislation should focus on intent, criminalizing activities that aim to cause damage to society and enabling research activities that benefit society by creating knowledge crucial to the improvement of secure systems.

====Require the publication of security assessments====

Disseminating information about security vulnerabilities is essential to enable society to protect itself from attacks that exploit these faults. Today we know that criminals involved in digital networks do exchange information and have ample access to descriptions of failures and new attack techniques. In other words, criminals now have more access to information than the teams responsible for maintaining the security of network providers, companies or the government.

As with the aviation industry, where the failures are thoroughly investigated and the results of investigations are published, it is important that the flaws found in computer systems and the description of attacks suffered by organizations are widely disseminated, allowing the whole society to learn from the problems that occurred in order to evolve the security of systems on which we depend.

====Create an agency to address the aspects of disclosure of security flaws====

With the publication of laws requiring disclosure of security breaches, it is important to regulate this activity. We suggest the creation of a specialized government agency to regulate and manage the activities of exchanging information on security vulnerabilities in an ethical and responsible way, including the power to punish people and organizations that act in a manner harmful to society.

====Require compliance with minimum security requirements in government contracts====

The purchasing power of government can not be ignored and must be used in favor of society. In the context of software security, the government can set minimum security criteria and require qualification and use of technical protections in systems provided to the government. An important aspect is the possibility of holding suppliers accountable in case of failures in security.

====Make organizations which are not diligent about software security accountable====

Like other government suppliers, all organizations must be legally responsible for the security of systems that operate or sell. The legislation should provide for penalties to those organizations that fail to take adequate measures to ensure the security of their systems. The suppliers of the technologies used should also be liable.

====Require that the government have access to security updates for all software during its lifetime====

It is imperative that the systems used by public agencies are always updated with all the security fixes, so they are not affected by known vulnerabilities. Thus, legislation is needed to determine that the government must have access to security fixes for systems that it employs for the duration of the useful life of these systems and regardless of the existence of maintenance contracts.

====Require open sourcing of applications used by the government and whose lifetime has expired====

It is quite common for software manufacturers to restrict the lifetime of their systems, mainly because of the release of new versions of these systems. At the end of its life, software manufacturers often stop publishing updates and security fixes, which increases the risk to organizations still relying on these versions.

It is also quite common in government agencies to keep using systems that have been long-abandoned by manufacturers but that still meet the needs of the public administration. Allowing the government to protect itself in case of failures in these systems requires the creation of legislation to compel manufacturers to make available the source code for these systems so that the government is able to perform the necessary maintenance, since the manufacturer no longer maintains the system. The manufacturer may also choose to provide the most current version of the software, provided there is no cost to the government.

====Eliminate software licenses which exempt manufacturers from liability for the security of their products====

Many current software licenses restrict the liability of the manufacturer in case of software security flaws. It is important to have legislation that prevents a software manufacturer to avoid liability for the safety and security of the products it sells.

To avoid distortions in the software market, manufacturers' liability may be limited to the amount paid.

===For consumer protection agencies===

Our understanding is that the protection of customer information is part of the necessary consumer protection practices, as well as to supply systems free of defects, especially defects that may compromise the security of its users. Thus, consumer protection agencies can and should act to improve the security landscape for consumers.

We suggest the following actions:

====Act to restrict the use of abusive software licenses ====

This action is similar and complementary to the item "Eliminate software licenses which exempt manufacturers from liability for the security of their products, " described above.

====Require manufacturers to disclose understandable information on the security level of their products or services====

As with manufacturers of electrical and electronic goods that must disclose information on energy consumption of their products, consumers have the right to know about the characteristics and the level of security provided by the computer systems they use.

It is imperative to create a system that allows consumers to check the level of security a software product provides as part of their decision-making process. Such a system would reduce some of the perverse externalities of the software market and create incentives for software producers to enhance the security of their products.

In this item, it is possible to quote existing local consumer rights legislation regarding defects in acquired products.

====Require an adequate level of security for systems that deal with private data====

Many organizations collect private information from their clients during their business relationships, but do not always protect this information adequately. Thus, the definition of minimum procedures for protection of information collected from consumers are required and public or private organizations that do not adequately protect personal information should be liable. Personal information leaks should be penalized and should be disclosed. In particular, all those individuals potentially affected by the leak should be alerted to the fact and its possible consequences.

Some places already have legislation on data leaks and this item may unnecessary.

====Define that consumers should be informed of all possible uses of data provided to systems or sites====

Not only must organizations protect the data collected from consumers, but consumers should know all the possible uses of the information being collected. It is therefore necessary that all public and private organizations are obligated to disclose all possible uses for the data they collect, including future uses. Any change in data use policies must be informed in advance and explicitly accepted by the affected consumers.

Some places already have legislation about this issue and this item may be unnecessary.

====Establish software security awareness campaigns for consumers====

In addition to actions that require software makers to act responsibly towards consumers, it is also important to teach users of computer systems about the risks of using these systems.

Just as it is important to make awareness campaigns for traffic safety or disease control, it is important to educate Internet users about the risks that come from an increasingly connected world. Campaigns should address topics such as the risks of entering personal data in unknown sites or the care that each person should have with their own computer device to prevent it from becoming a weapon in the hands of cybercriminals.

===For oversight agencies===

Auditing bodies can and should demand the adoption of appropriate practices for application security in sectors they oversee. These bodies should establish regulations that favor the use of security techniques in software development. Thus, the suggested actions are:

====Define clear responsibilities about application security====

Every organization should be responsible for the security of their systems and this should be clearly defined. Oversight bodies should, where possible, include the responsibility to maintain the security of information systems as part of their regulations. There must be provision for punishment in cases where there is adequate security systems.

====Verify and audit to ensure that appropriate security practices are adopted====

Whenever possible, audits or checks must include items to assess whether the best application security practices were properly adopted and implemented. We believe that audits are an opportunity to improve the practices adopted by organizations, and oversight agencies should be prepared to require the maintenance of adequate levels of security in the auditee's systems.

There are some models that can guide the practices of system security audit such as the [http://www.sse-cmm.org/ SSE-CMM] (Systems Security Engineering Capability Maturity Model), [http://www.owasp.org/index.php/Category:OWASP_Application_Security_Verification_Standard_Project OWASP ASVS] (Application Security Verification Standard) or [http://www.opensamm.org/ SAMM] (Software Assurance Maturity Model).

====Insert the security aspects of applications in regulations or recommendations====

Many oversight agencies publish regulations or oversight recommendations for the sectors they regulate. It is important that these regulations or recommendations include application security aspects and clearly indicate the need to include security requirements in contracts with suppliers.

====Facilitate the creation of an insurance market for security applications====

As much as accountability for failing to maintain appropriate levels of security is important, it is also important to create an insurance market for application security.

An insurance market allows the transfer of part of the security risks to an insurer, while it tends to increase insurance costs for entities that do not have a proper treatment of the security aspects of their systems. Along with accountability mechanisms, a properly functioning insurance market produces strong incentives for organizations to improve their security posture.

====Requiring the use of encrypted connections (SSL) for web applications====

Many attacks exist today are only possible because some organizations do not use even the most basic security mechanisms available. One such mechanism is the SSL protocol, which allows the encryption of data transmitted between the browser and web servers, ensuring the confidentiality and authenticity of information.

Thus, one simple measure to improve the security of web systems is to require that data must be transmitted securely over the Internet network.

===For research and teaching institutions===

Training the workforce is essential to move any country forward in all areas closely linked to technology. To have a prosperous application security market, it is necessary to train an adequate number of experts in both the attack and defense aspects of this discipline. Training should occur by the inclusion of the security area in the contents of the universities and also by the training of researchers able to build new techniques and methodologies to advance this field. The interaction of educational and research institutions with industry for technology transfer and productization is greatly needed.

The suggested actions for education and research institutions are:

====Inclusion of application security best practices in course content====

It is essential that all Information technology professionals are aware of basic security practices and the inclusion of such information in university training is the best way to achieve this goal.

Students in primary and secondary schools must also learn about the dangers of the virtual world. At these education levels, the focus should be on the risks involved in using systems or websites like social networks or e-commerce sites. The ethical aspects of Internet use should also be emphasized.

====Creation of advanced courses in the field====

Besides the basic practices that must be known by all professionals, it is necessary to train specialists in software security for the country to develop a thriving security industry and to generate wealth.

====To promote and fund application security research====

Generating knowledge is also essential for a country to take a world leadership role in application security. And the only way to increase the generation of new knowledge is to promote and fund research in the area, whether undertaken by public or private institutions.

The promotion of knowledge and technology development in business is critical to a country's ability to create a market in application security products and its ability to create advanced and innovative technologies.

====To promote the training of professionals capable of acting with ethics and responsibility====

The whole process of training undergraduates and researchers should prioritize the responsibility and ethical aspects of security. The ethics training must be an essential part of training these professionals.

===For all public bodies===

Any public agency may help to improve the current state of affairs by either undertaking awareness and training, or by using its purchasing power to favor companies that treat the security aspects of applications adequately.

The suggested actions for all public organizations are:

====Financing validations and security fixes for open source systems====

Many government agencies use open source systems as part of their information technology infrastructures. It is therefore essential to these organizations that open source systems are secure and reliable. Public agencies should invest in making security assessments of the open source systems they adopt, in publishing secure configurations, in developing fixes for the security flaws found in these systems and in responsible disclosure of flaws as well as fixes.

Thus, public agencies can better serve society due to the improved security of their own systems and third party systems.

====Promote the use of application security technologies and methodologies====

Each public agency should require and promote the use of technologies and methodologies for developing secure applications, both internally and by its suppliers.

It should be the responsibility of each agency ensure that their systems have adequate security and that appropriate techniques are used in developing their computer systems.

====Promote and enable security testing responsibly but openly====

Security tests are a major tool for finding security holes in computer systems. Each public agency should establish a program that allows security researchers to conduct tests on their systems in order to locate faults and should repair the vulnerabilities as soon as possible.

We emphasize that the tests should be done in an ethical and responsible way and should be seen as a form of collaboration to improve government systems. We believe that cybercriminals are already conducting their own undercover testing on these systems, unlike legitimate researchers with good intentions. So, criminals currently have an advantage. The best way to balance this dispute is to facilitate the work of researchers and security professionals to find faults and report them appropriately instead of having these faults used as a currency in the digital underworld.

====Promote awareness and training of managers about the challenges of web security====

All public bodies should be concerned about the security of their systems and this concern should be part of the direction given by senior management of each government organization. It is therefore important that managers of all agencies participate in appropriate training and awareness sessions.

==Competitive advantages for the country==

The technology field is an economic activity with high added value, and therefore has the ability to generate wealth for the country. With the support and leadership from the government, the country has the potential to become a world leader in application security, and may also generate revenue by exporting products and services with high added value and by creating new businesses.

Because it is a labor-intensive activity, there is also the possibility of creating jobs in the country for highly trained professionals. The existence of trained professionals in security also supports national sovereignty, since such knowledge is crucial in cyber-conflicts, cyber espionage and electronic warfare.

The development of this field closely linked to information technology also has the potential to foster the development of related areas, increasing the country's technological capability.

The improvement of the online business environment tends to improve the country's international image, so that it begins to be considered a safe haven for business, both online and off. A favorable business environment may attract international investment, especially investment in businesses directly related to the Internet or enterprise software development.

==How can OWASP help?==

OWASP is an international community and brings together leading experts on the subject worldwide, including civil servants. All materials and systems developed by OWASP are freely available to the government to use as it deems most appropriate. The OWASP community can also help in developing materials or tools to meet the specific needs of government agencies.

The materials and guidelines developed by OWASP can be translated into any language in order to serve as a subsidy in developing legislation or regulations. OWASP has good practice guides and standards that can be used as input to the development of governmental documents in line with the best international practices.

The experts that participate in OWASP are willing to contribute to make the country to move in the right direction and may serve as an advisory body or liaison with foreign experts if necessary. OWASP is a non-profit and all specialists involved are volunteers.

OWASP Brasil Manifesto/en

2011-06-24T17:32:47Z

Sapao: /* Executive Summary */

=Web Security - A Window of Opportunity=
'''A white paper from OWASP to Governments'''

==Executive Summary==
The Open Web Application Security Project (OWASP) is a global and open community focused on improving the security of software systems and has chapters in cities around the world. This document presents the vision of the Brazilian OWASP community on how the governments can act to improve security on the Internet.

In this paper, we present suggestions and recommendations regarding public policy, legislation and other activities that we believe could contribute to improving the security of the Internet and related software applications.

The recommendations are divided according to the focus of each agency:
* legislators
* consumer protection bodies
* control and audit bodies
* teaching and research institutions
* all public bodies

The recommendations do not have dependencies on each other, but we believe that maximum efficiency occurs with the implementation of all recommendations. Improving security in the local Internet could bring several advantages for the country, such as the attraction of investment, training of the workforce and the development of an industry capable of exporting products and services with high added value.

The experts that participate in OWASP are willing to contribute to the country, to help it move in the right direction and, for example, could serve as an advisory body or provide a channel for liaison with foreign experts if necessary. The OWASP organization is non-profit, and all specialists involved are volunteers.

==Web Insecurity==

The Internet is now a reality in the lives of most people, as shown by usage statistics. The [http://www.internetworldstats.com/ Internet World Stats] web site [http://www.internetworldstats.com/stats.htm reports] that about 80% of North Americans and 60% of Europeans are Internet users. The IWS also reports growth rates from 2010 to 2011 of more than 150% and 350% for North America and Europe respectively.

Internet access methods also have diversified and now include everything from traditional cybercafes to cell phones, including dialup and broadband. Thus, the range of users goes from the casual user who accesses from a public computer to "always connected" users, accessing the Internet using a computer or cell phone when and wherever they are.

Whatever the frequency or access method, it is undeniable that the Internet is now part of everyday life. Companies also increasingly rely on the Internet as a business tool. Even disregarding businesses that exist solely on the Internet, it is very difficult today to find an organization which does not rely on the Internet in some way.

Also, governments have invested in the use of electronic government (e-gov), involving strategies which provide services to the population via the Internet.

add e-gov examples here.

If seen as a communications tool, the Internet has included and also changed the routines of millions of people. E-mail is almost as popular as the telephone. Instant messaging systems, such as MSN Messenger or Google Talk, are used by most people for work or for leisure. Social networks like Facebook, Orkut and Twitter, are a reality in the lives of individuals and companies, and have gained importance as tools for community building as well as for business.

Although it is becoming essential to society, the Internet is inherently an insecure infrastructure. Designed in the 1960s to withstand a nuclear attack, the Internet is able to continue operating even if a disaster occurs in part of the network. However, this infrastructure depends on computer programs, called software. It is the software that defines the rules for the operation of computers, routers and other components of the worldwide network.

As in all human activity, software development is prone to errors. Mistakes in software can lead to failures, including security breaches. Laurence Lessig, a law professor at Harvard University, said that "Code is law", ie, the software is the law that governs the Internet. As a result, the "laws" governing the Internet are flawed and these flaws can cause problems for the security of the network users.

Flaws in Internet security are common and make the news almost daily. There are many examples reported by police of criminals who use the Internet to commit their crimes. In most cases, crimes are possible due to a lack of an adequate level of security in systems. Bank fraud is perhaps the greatest example of exploitation of security flaws, but other types of attacks against sites and systems exist and can cause damage to society.

The dependence of our society on Internet services is such that the mere unavailability of some of these services (often caused by bad guys using techniques that exploit security holes in Internet infrastructure) is featured on the evening news, as is the unavailability of well known web sites and networks such as Sony's Playstation network.

CERT/CC, the Computer Emergency Response Team, coordinates response to Internet related emergencies and attacks. The CERT statistics show that the number of catalogued vulnerabilities increased from 417 in 1999 to 7236 in 2007.

add local statistics here.

The state of Internet security is delicate and tends to worsen as society increases its dependency on this infrastructure. In an analogy with recent financial market crisis (subprime crisis in the housing market), we have a vibrant ecosystem of applications and Web sites whose base is not solid enough. The risk is real that the basis of this ecosystem can collapse, as happened with the financial markets, and the consequences could be devastating for society as a whole. As in the case of financial markets, solidifying the infrastructure is important and the cost is certainly lower than expected if there were a crisis before acting.

==The Open Web Application Security Project==

OWASP is a global community, focused on improving software security. There are over 180 local OWASP chapters in all regions of the globe that bring together the world's leading experts in application security.

OWASP is an open community dedicated to empowering organizations to be able to conceive, develop, acquire, operate and maintain systems that are reliable. All tools, documents, forums, and sections of OWASP are free and open to anyone interested in improving application security.

OWASP is a new type of organization. Its freedom from commercial pressures allows it to provide unbiased, practical, cost-effective advice on application security. OWASP is not affiliated with any technology company, while supporting the informed use of commercial security technology. As many open-source software projects, OWASP produces many types of materials in a collaborative and open manner.

The OWASP project has among its documents and important tools for maintaining the security of applications and also promotes important conferences in this area. All OWASP projects are published using [https://www.owasp.org/index.php/OWASP_Licenses free software or Creative Commons licenses].

OWASP is a non-profit and its members participate in its activities voluntarily. All proceeds of the project come from donations and are used to support its activities and its infrastructure.

==What can we do?==

Given the importance of software in today's economy, it is imperative that governments act to develop a market capable of producing software whose security level is appropriate to its intended usage and the importance of the information it will process or store. In this section, we list some recommendations of what can be done to improve the prospects for software security.

We believe that the actions proposed here have the potential to improve the security of software systems used by millions of people and also to promote a thriving industry able to put our country among the world leaders, creating prosperity and economic growth.

===By legislators===

The current software market provides incentives that emphasize functionality over security. As a result, everyone ends up suffering from the lack of security that is today's reality of the Internet. It is necessary that governments acts to create incentives for the adoption of safe practices in system development and also make accountable the people and organizations that do not properly address the security aspects of their applications.

Some suggested actions are:

====Allow and encourage research on cyber attacks and defenses====

Cyber crime legislation is needed and OWASP's position is the protection of illegal or harmful activities. However, OWASP realizes that some initiatives to legislate about electronic crimes may also hamper legitimate activities and the much needed research that will allow us to correctly address security vulnerabilities.

We believe that legislation should focus on intent, criminalizing activities that aim to cause damage to society and enabling research activities that benefit society by creating knowledge crucial to the improvement of secure systems.

====Require the publication of security assessments====

Disseminating information about security vulnerabilities is essential to enable society to protect itself from attacks that exploit these faults. Today we know that criminals involved in digital networks do exchange information and have ample access to descriptions of failures and new attack techniques. In other words, criminals now have more access to information than the teams responsible for maintaining the security of network providers, companies or the government.

As with the aviation industry, where the failures are thoroughly investigated and the results of investigations are published, it is important that the flaws found in computer systems and the description of attacks suffered by organizations are widely disseminated, allowing the whole society to learn from the problems that occurred in order to evolve the security of systems on which we depend.

====Create an agency to address the aspects of disclosure of security flaws====

With the publication of laws requiring disclosure of security breaches, it is important to regulate this activity. We suggest the creation of a specialized government agency to regulate and manage the activities of exchanging information on security vulnerabilities in an ethical and responsible way, including the power to punish people and organizations that act in a manner harmful to society.

====Require compliance with minimum security requirements in government contracts====

The purchasing power of government can not be ignored and must be used in favor of society. In the context of software security, the government can set minimum security criteria and require qualification and use of technical protections in systems provided to the government. An important aspect is the possibility of holding suppliers accountable in case of failures in security.

====Make organizations which are not diligent about software security accountable====

Like other government suppliers, all organizations must be legally responsible for the security of systems that operate or sell. The legislation should provide for penalties to those organizations that fail to take adequate measures to ensure the security of their systems. The suppliers of the technologies used should also be liable.

====Require that the government have access to security updates for all software during its lifetime====

It is imperative that the systems used by public agencies are always updated with all the security fixes, so they are not affected by known vulnerabilities. Thus, legislation is needed to determine that the government must have access to security fixes for systems that it employs for the duration of the useful life of these systems and regardless of the existence of maintenance contracts.

====Require open sourcing of applications used by the government and whose lifetime has expired====

It is quite common for software manufacturers to restrict the lifetime of their systems, mainly because of the release of new versions of these systems. At the end of its life, software manufacturers often stop publishing updates and security fixes, which increases the risk to organizations still relying on these versions.

It is also quite common in government agencies to keep using systems that have been long-abandoned by manufacturers but that still meet the needs of the public administration. Allowing the government to protect itself in case of failures in these systems requires the creation of legislation to compel manufacturers to make available the source code for these systems so that the government is able to perform the necessary maintenance, since the manufacturer no longer maintains the system. The manufacturer may also choose to provide the most current version of the software, provided there is no cost to the government.

====Eliminate software licenses which exempt manufacturers from liability for the security of their products====

Many current software licenses restrict the liability of the manufacturer in case of software security flaws. It is important to have legislation that prevents a software manufacturer to avoid liability for the safety and security of the products it sells.

To avoid distortions in the software market, manufacturers' liability may be limited to the amount paid.

===For consumer protection agencies===

Our understanding is that the protection of customer information is part of the necessary consumer protection practices, as well as to supply systems free of defects, especially defects that may compromise the security of its users. Thus, consumer protection agencies can and should act to improve the security landscape for consumers.

We suggest the following actions:

====Act to restrict the use of abusive software licenses ====

This action is similar and complementary to the item "Eliminate software licenses which exempt manufacturers from liability for the security of their products, " described above.

====Require manufacturers to disclose understandable information on the security level of their products or services====

As with manufacturers of electrical and electronic goods that must disclose information on energy consumption of their products, consumers have the right to know about the characteristics and the level of security provided by the computer systems they use.

It is imperative to create a system that allows consumers to check the level of security a software product provides as part of their decision-making process. Such a system would reduce some of the perverse externalities of the software market and create incentives for software producers to enhance the security of their products.

In this item, it is possible to quote existing local consumer rights legislation regarding defects in acquired products.

====Require an adequate level of security for systems that deal with private data====

Many organizations collect private information from their clients during their business relationships, but do not always protect this information adequately. Thus, the definition of minimum procedures for protection of information collected from consumers are required and public or private organizations that do not adequately protect personal information should be liable. Personal information leaks should be penalized and should be disclosed. In particular, all those individuals potentially affected by the leak should be alerted to the fact and its possible consequences.

Some places already have legislation on data leaks and this item may unnecessary.

====Define that consumers should be informed of all possible uses of data provided to systems or sites====

Not only must organizations protect the data collected from consumers, but consumers should know all the possible uses of the information being collected. It is therefore necessary that all public and private organizations are obligated to disclose all possible uses for the data they collect, including future uses. Any change in data use policies must be informed in advance and explicitly accepted by the affected consumers.

Some places already have legislation about this issue and this item may be unnecessary.

====Establish software security awareness campaigns for consumers====

In addition to actions that require software makers to act responsibly towards consumers, it is also important to teach users of computer systems about the risks of using these systems.

Just as it is important to make awareness campaigns for traffic safety or disease control, it is important to educate Internet users about the risks that come from an increasingly connected world. Campaigns should address topics such as the risks of entering personal data in unknown sites or the care that each person should have with their own computer device to prevent it from becoming a weapon in the hands of cybercriminals.

===For oversight agencies===

Auditing bodies can and should demand the adoption of appropriate practices for application security in sectors they oversee. These bodies should establish regulations that favor the use of security techniques in software development. Thus, the suggested actions are:

====Define clear responsibilities about application security====

Every organization should be responsible for the security of their systems and this should be clearly defined. Oversight bodies should, where possible, include the responsibility to maintain the security of information systems as part of their regulations. There must be provision for punishment in cases where there is adequate security systems.

====Verify and audit to ensure that appropriate security practices are adopted====

Whenever possible, audits or checks must include items to assess whether the best application security practices were properly adopted and implemented. We believe that audits are an opportunity to improve the practices adopted by organizations, and oversight agencies should be prepared to require the maintenance of adequate levels of security in the auditee's systems.

There are some models that can guide the practices of system security audit such as the [http://www.sse-cmm.org/ SSE-CMM] (Systems Security Engineering Capability Maturity Model), [http://www.owasp.org/index.php/Category:OWASP_Application_Security_Verification_Standard_Project OWASP ASVS] (Application Security Verification Standard) or [http://www.opensamm.org/ SAMM] (Software Assurance Maturity Model).

====Insert the security aspects of applications in regulations or recommendations====

Many oversight agencies publish regulations or oversight recommendations for the sectors they regulate. It is important that these regulations or recommendations include application security aspects and clearly indicate the need to include security requirements in contracts with suppliers.

====Facilitate the creation of an insurance market for security applications====

As much as accountability for failing to maintain appropriate levels of security is important, it is also important to create an insurance market for application security.

An insurance market allows the transfer of part of the security risks to an insurer, while it tends to increase insurance costs for entities that do not have a proper treatment of the security aspects of their systems. Along with accountability mechanisms, a properly functioning insurance market produces strong incentives for organizations to improve their security posture.

====Requiring the use of encrypted connections (SSL) for web applications====

Many attacks exist today are only possible because some organizations do not use even the most basic security mechanisms available. One such mechanism is the SSL protocol, which allows the encryption of data transmitted between the browser and web servers, ensuring the confidentiality and authenticity of information.

Thus, one simple measure to improve the security of web systems is to require that data must be transmitted securely over the Internet network.

===For research and teaching institutions===

Training the workforce is essential to move any country forward in all areas closely linked to technology. To have a prosperous application security market, it is necessary to train an adequate number of experts in both the attack and defense aspects of this discipline. Training should occur by the inclusion of the security area in the contents of the universities and also by the training of researchers able to build new techniques and methodologies to advance this field. The interaction of educational and research institutions with industry for technology transfer and productization is greatly needed.

The suggested actions for education and research institutions are:

====Inclusion of application security best practices in course content====

It is essential that all Information technology professionals are aware of basic security practices and the inclusion of such information in university training is the best way to achieve this goal.

Students in primary and secondary schools must also learn about the dangers of the virtual world. At these education levels, the focus should be on the risks involved in using systems or websites like social networks or e-commerce sites. The ethical aspects of Internet use should also be emphasized.

====Creation of advanced courses in the field====

Besides the basic practices that must be known by all professionals, it is necessary to train specialists in software security for the country to develop a thriving security industry and to generate wealth.

====To promote and fund application security research====

Generating knowledge is also essential for a country to take a world leadership role in application security. And the only way to increase the generation of new knowledge is to promote and fund research in the area, whether undertaken by public or private institutions.

The promotion of knowledge and technology development in business is critical to a country's ability to create a market in application security products and its ability to create advanced and innovative technologies.

====To promote the training of professionals capable of acting with ethics and responsibility====

The whole process of training undergraduates and researchers should prioritize the responsibility and ethical aspects of security. The ethics training must be an essential part of training these professionals.

===For all public bodies===

Any public agency may help to improve the current state of affairs by either undertaking awareness and training, or by using its purchasing power to favor companies that treat the security aspects of applications adequately.

The suggested actions for all public organizations are:

====Financing validations and security fixes for open source systems====

Many government agencies use open source systems as part of their information technology infrastructures. It is therefore essential to these organizations that open source systems are secure and reliable. Public agencies should invest in making security assessments of the open source systems they adopt, in publishing secure configurations, in developing fixes for the security flaws found in these systems and in responsible disclosure of flaws as well as fixes.

Thus, public agencies can better serve society due to the improved security of their own systems and third party systems.

====Promote the use of application security technologies and methodologies====

Each public agency should require and promote the use of technologies and methodologies for developing secure applications, both internally and by its suppliers.

It should be the responsibility of each agency ensure that their systems have adequate security and that appropriate techniques are used in developing their computer systems.

====Promote and enable security testing responsibly but openly====

Security tests are a major tool for finding security holes in computer systems. Each public agency should establish a program that allows security researchers to conduct tests on their systems in order to locate faults and should repair the vulnerabilities as soon as possible.

We emphasize that the tests should be done in an ethical and responsible way and should be seen as a form of collaboration to improve government systems. We believe that cybercriminals are already conducting their own undercover testing on these systems, unlike legitimate researchers with good intentions. So, criminals currently have an advantage. The best way to balance this dispute is to facilitate the work of researchers and security professionals to find faults and report them appropriately instead of having these faults used as a currency in the digital underworld.

====Promote awareness and training of managers about the challenges of web security====

All public bodies should be concerned about the security of their systems and this concern should be part of the direction given by senior management of each government organization. It is therefore important that managers of all agencies participate in appropriate training and awareness sessions.

==Competitive advantages for the country==

The technology field is an economic activity with high added value, and therefore has the ability to generate wealth for the country. With the support and leadership from the government, the country has the potential to become a world leader in application security, and may also generate revenue by exporting products and services with high added value and by creating new businesses.

Because it is a labor-intensive activity, there is also the possibility of creating jobs in the country for highly trained professionals. The existence of trained professionals in security also supports national sovereignty, since such knowledge is crucial in cyber-conflicts, cyber espionage and electronic warfare.

The development of this field closely linked to information technology also has the potential to foster the development of related areas, increasing the country's technological capability.

The improvement of the online business environment tends to improve the country's international image, so that it begins to be considered a safe haven for business, both online and off. A favorable business environment may attract international investment, especially investment in businesses directly related to the Internet or enterprise software development.

==How can OWASP help?==

OWASP is an international community and brings together leading experts on the subject worldwide, including civil servants. All materials and systems developed by OWASP are freely available to the government to use as it deems most appropriate. The OWASP community can also help in developing materials or tools to meet the specific needs of government agencies.

The materials and guidelines developed by OWASP can be translated into any language in order to serve as a subsidy in developing legislation or regulations. OWASP has good practice guides and standards that can be used as input to the development of governmental documents in line with the best international practices.

The experts that participate in OWASP are willing to contribute to make the country to move in the right direction and may serve as an advisory body or liaison with foreign experts if necessary. OWASP is a non-profit and all specialists involved are volunteers.

OWASP Brasil Manifesto/en

2011-06-24T17:30:10Z

Sapao: /* Web Security - A Window of Opportunity */

=Web Security - A Window of Opportunity=
'''A white paper from OWASP to Governments'''

==Executive Summary==
The Open Web Application Security Project (OWASP) is a global and open community focused on improving the security of software systems and has chapters in several Brazilian cities. This document presents the vision of the Brazilian OWASP community on how the Brazilian government can act to improve security on the Internet.

In this paper, we present suggestions and recommendations regarding public policy, legislation and other activities that we believe could contribute to improving the security of the Brazilian Internet and related software applications.

The recommendations are divided according to the focus of each agency:
* legislators
* consumer protection bodies
* control and audit bodies
* teaching and research institutions
* all public bodies

The recommendations do not have dependencies on each other, but we believe that maximum efficiency occurs with the implementation of all recommendations. Improving security in the Brazilian Internet could bring several advantages for the country, such as the attraction of investment, training of the workforce and the development of an industry capable of exporting products and services with high added value.

Brazilian experts that participate in OWASP are willing to contribute to the country, to help it move in the right direction and, for example, could serve as an advisory body or provide a channel for liaison with foreign experts if necessary. The OWASP organization is non-profit, and all specialists involved are volunteers.

==Web Insecurity==

The Internet is now a reality in the lives of most people, as shown by usage statistics. The [http://www.internetworldstats.com/ Internet World Stats] web site [http://www.internetworldstats.com/stats.htm reports] that about 80% of North Americans and 60% of Europeans are Internet users. The IWS also reports growth rates from 2010 to 2011 of more than 150% and 350% for North America and Europe respectively.

Internet access methods also have diversified and now include everything from traditional cybercafes to cell phones, including dialup and broadband. Thus, the range of users goes from the casual user who accesses from a public computer to "always connected" users, accessing the Internet using a computer or cell phone when and wherever they are.

Whatever the frequency or access method, it is undeniable that the Internet is now part of everyday life. Companies also increasingly rely on the Internet as a business tool. Even disregarding businesses that exist solely on the Internet, it is very difficult today to find an organization which does not rely on the Internet in some way.

Also, governments have invested in the use of electronic government (e-gov), involving strategies which provide services to the population via the Internet.

add e-gov examples here.

If seen as a communications tool, the Internet has included and also changed the routines of millions of people. E-mail is almost as popular as the telephone. Instant messaging systems, such as MSN Messenger or Google Talk, are used by most people for work or for leisure. Social networks like Facebook, Orkut and Twitter, are a reality in the lives of individuals and companies, and have gained importance as tools for community building as well as for business.

Although it is becoming essential to society, the Internet is inherently an insecure infrastructure. Designed in the 1960s to withstand a nuclear attack, the Internet is able to continue operating even if a disaster occurs in part of the network. However, this infrastructure depends on computer programs, called software. It is the software that defines the rules for the operation of computers, routers and other components of the worldwide network.

As in all human activity, software development is prone to errors. Mistakes in software can lead to failures, including security breaches. Laurence Lessig, a law professor at Harvard University, said that "Code is law", ie, the software is the law that governs the Internet. As a result, the "laws" governing the Internet are flawed and these flaws can cause problems for the security of the network users.

Flaws in Internet security are common and make the news almost daily. There are many examples reported by police of criminals who use the Internet to commit their crimes. In most cases, crimes are possible due to a lack of an adequate level of security in systems. Bank fraud is perhaps the greatest example of exploitation of security flaws, but other types of attacks against sites and systems exist and can cause damage to society.

The dependence of our society on Internet services is such that the mere unavailability of some of these services (often caused by bad guys using techniques that exploit security holes in Internet infrastructure) is featured on the evening news, as is the unavailability of well known web sites and networks such as Sony's Playstation network.

CERT/CC, the Computer Emergency Response Team, coordinates response to Internet related emergencies and attacks. The CERT statistics show that the number of catalogued vulnerabilities increased from 417 in 1999 to 7236 in 2007.

add local statistics here.

The state of Internet security is delicate and tends to worsen as society increases its dependency on this infrastructure. In an analogy with recent financial market crisis (subprime crisis in the housing market), we have a vibrant ecosystem of applications and Web sites whose base is not solid enough. The risk is real that the basis of this ecosystem can collapse, as happened with the financial markets, and the consequences could be devastating for society as a whole. As in the case of financial markets, solidifying the infrastructure is important and the cost is certainly lower than expected if there were a crisis before acting.

==The Open Web Application Security Project==

OWASP is a global community, focused on improving software security. There are over 180 local OWASP chapters in all regions of the globe that bring together the world's leading experts in application security.

OWASP is an open community dedicated to empowering organizations to be able to conceive, develop, acquire, operate and maintain systems that are reliable. All tools, documents, forums, and sections of OWASP are free and open to anyone interested in improving application security.

OWASP is a new type of organization. Its freedom from commercial pressures allows it to provide unbiased, practical, cost-effective advice on application security. OWASP is not affiliated with any technology company, while supporting the informed use of commercial security technology. As many open-source software projects, OWASP produces many types of materials in a collaborative and open manner.

The OWASP project has among its documents and important tools for maintaining the security of applications and also promotes important conferences in this area. All OWASP projects are published using [https://www.owasp.org/index.php/OWASP_Licenses free software or Creative Commons licenses].

OWASP is a non-profit and its members participate in its activities voluntarily. All proceeds of the project come from donations and are used to support its activities and its infrastructure.

==What can we do?==

Given the importance of software in today's economy, it is imperative that governments act to develop a market capable of producing software whose security level is appropriate to its intended usage and the importance of the information it will process or store. In this section, we list some recommendations of what can be done to improve the prospects for software security.

We believe that the actions proposed here have the potential to improve the security of software systems used by millions of people and also to promote a thriving industry able to put our country among the world leaders, creating prosperity and economic growth.

===By legislators===

The current software market provides incentives that emphasize functionality over security. As a result, everyone ends up suffering from the lack of security that is today's reality of the Internet. It is necessary that governments acts to create incentives for the adoption of safe practices in system development and also make accountable the people and organizations that do not properly address the security aspects of their applications.

Some suggested actions are:

====Allow and encourage research on cyber attacks and defenses====

Cyber crime legislation is needed and OWASP's position is the protection of illegal or harmful activities. However, OWASP realizes that some initiatives to legislate about electronic crimes may also hamper legitimate activities and the much needed research that will allow us to correctly address security vulnerabilities.

We believe that legislation should focus on intent, criminalizing activities that aim to cause damage to society and enabling research activities that benefit society by creating knowledge crucial to the improvement of secure systems.

====Require the publication of security assessments====

Disseminating information about security vulnerabilities is essential to enable society to protect itself from attacks that exploit these faults. Today we know that criminals involved in digital networks do exchange information and have ample access to descriptions of failures and new attack techniques. In other words, criminals now have more access to information than the teams responsible for maintaining the security of network providers, companies or the government.

As with the aviation industry, where the failures are thoroughly investigated and the results of investigations are published, it is important that the flaws found in computer systems and the description of attacks suffered by organizations are widely disseminated, allowing the whole society to learn from the problems that occurred in order to evolve the security of systems on which we depend.

====Create an agency to address the aspects of disclosure of security flaws====

With the publication of laws requiring disclosure of security breaches, it is important to regulate this activity. We suggest the creation of a specialized government agency to regulate and manage the activities of exchanging information on security vulnerabilities in an ethical and responsible way, including the power to punish people and organizations that act in a manner harmful to society.

====Require compliance with minimum security requirements in government contracts====

The purchasing power of government can not be ignored and must be used in favor of society. In the context of software security, the government can set minimum security criteria and require qualification and use of technical protections in systems provided to the government. An important aspect is the possibility of holding suppliers accountable in case of failures in security.

====Make organizations which are not diligent about software security accountable====

Like other government suppliers, all organizations must be legally responsible for the security of systems that operate or sell. The legislation should provide for penalties to those organizations that fail to take adequate measures to ensure the security of their systems. The suppliers of the technologies used should also be liable.

====Require that the government have access to security updates for all software during its lifetime====

It is imperative that the systems used by public agencies are always updated with all the security fixes, so they are not affected by known vulnerabilities. Thus, legislation is needed to determine that the government must have access to security fixes for systems that it employs for the duration of the useful life of these systems and regardless of the existence of maintenance contracts.

====Require open sourcing of applications used by the government and whose lifetime has expired====

It is quite common for software manufacturers to restrict the lifetime of their systems, mainly because of the release of new versions of these systems. At the end of its life, software manufacturers often stop publishing updates and security fixes, which increases the risk to organizations still relying on these versions.

It is also quite common in government agencies to keep using systems that have been long-abandoned by manufacturers but that still meet the needs of the public administration. Allowing the government to protect itself in case of failures in these systems requires the creation of legislation to compel manufacturers to make available the source code for these systems so that the government is able to perform the necessary maintenance, since the manufacturer no longer maintains the system. The manufacturer may also choose to provide the most current version of the software, provided there is no cost to the government.

====Eliminate software licenses which exempt manufacturers from liability for the security of their products====

Many current software licenses restrict the liability of the manufacturer in case of software security flaws. It is important to have legislation that prevents a software manufacturer to avoid liability for the safety and security of the products it sells.

To avoid distortions in the software market, manufacturers' liability may be limited to the amount paid.

===For consumer protection agencies===

Our understanding is that the protection of customer information is part of the necessary consumer protection practices, as well as to supply systems free of defects, especially defects that may compromise the security of its users. Thus, consumer protection agencies can and should act to improve the security landscape for consumers.

We suggest the following actions:

====Act to restrict the use of abusive software licenses ====

This action is similar and complementary to the item "Eliminate software licenses which exempt manufacturers from liability for the security of their products, " described above.

====Require manufacturers to disclose understandable information on the security level of their products or services====

As with manufacturers of electrical and electronic goods that must disclose information on energy consumption of their products, consumers have the right to know about the characteristics and the level of security provided by the computer systems they use.

It is imperative to create a system that allows consumers to check the level of security a software product provides as part of their decision-making process. Such a system would reduce some of the perverse externalities of the software market and create incentives for software producers to enhance the security of their products.

In this item, it is possible to quote existing local consumer rights legislation regarding defects in acquired products.

====Require an adequate level of security for systems that deal with private data====

Many organizations collect private information from their clients during their business relationships, but do not always protect this information adequately. Thus, the definition of minimum procedures for protection of information collected from consumers are required and public or private organizations that do not adequately protect personal information should be liable. Personal information leaks should be penalized and should be disclosed. In particular, all those individuals potentially affected by the leak should be alerted to the fact and its possible consequences.

Some places already have legislation on data leaks and this item may unnecessary.

====Define that consumers should be informed of all possible uses of data provided to systems or sites====

Not only must organizations protect the data collected from consumers, but consumers should know all the possible uses of the information being collected. It is therefore necessary that all public and private organizations are obligated to disclose all possible uses for the data they collect, including future uses. Any change in data use policies must be informed in advance and explicitly accepted by the affected consumers.

Some places already have legislation about this issue and this item may be unnecessary.

====Establish software security awareness campaigns for consumers====

In addition to actions that require software makers to act responsibly towards consumers, it is also important to teach users of computer systems about the risks of using these systems.

Just as it is important to make awareness campaigns for traffic safety or disease control, it is important to educate Internet users about the risks that come from an increasingly connected world. Campaigns should address topics such as the risks of entering personal data in unknown sites or the care that each person should have with their own computer device to prevent it from becoming a weapon in the hands of cybercriminals.

===For oversight agencies===

Auditing bodies can and should demand the adoption of appropriate practices for application security in sectors they oversee. These bodies should establish regulations that favor the use of security techniques in software development. Thus, the suggested actions are:

====Define clear responsibilities about application security====

Every organization should be responsible for the security of their systems and this should be clearly defined. Oversight bodies should, where possible, include the responsibility to maintain the security of information systems as part of their regulations. There must be provision for punishment in cases where there is adequate security systems.

====Verify and audit to ensure that appropriate security practices are adopted====

Whenever possible, audits or checks must include items to assess whether the best application security practices were properly adopted and implemented. We believe that audits are an opportunity to improve the practices adopted by organizations, and oversight agencies should be prepared to require the maintenance of adequate levels of security in the auditee's systems.

There are some models that can guide the practices of system security audit such as the [http://www.sse-cmm.org/ SSE-CMM] (Systems Security Engineering Capability Maturity Model), [http://www.owasp.org/index.php/Category:OWASP_Application_Security_Verification_Standard_Project OWASP ASVS] (Application Security Verification Standard) or [http://www.opensamm.org/ SAMM] (Software Assurance Maturity Model).

====Insert the security aspects of applications in regulations or recommendations====

Many oversight agencies publish regulations or oversight recommendations for the sectors they regulate. It is important that these regulations or recommendations include application security aspects and clearly indicate the need to include security requirements in contracts with suppliers.

====Facilitate the creation of an insurance market for security applications====

As much as accountability for failing to maintain appropriate levels of security is important, it is also important to create an insurance market for application security.

An insurance market allows the transfer of part of the security risks to an insurer, while it tends to increase insurance costs for entities that do not have a proper treatment of the security aspects of their systems. Along with accountability mechanisms, a properly functioning insurance market produces strong incentives for organizations to improve their security posture.

====Requiring the use of encrypted connections (SSL) for web applications====

Many attacks exist today are only possible because some organizations do not use even the most basic security mechanisms available. One such mechanism is the SSL protocol, which allows the encryption of data transmitted between the browser and web servers, ensuring the confidentiality and authenticity of information.

Thus, one simple measure to improve the security of web systems is to require that data must be transmitted securely over the Internet network.

===For research and teaching institutions===

Training the workforce is essential to move any country forward in all areas closely linked to technology. To have a prosperous application security market, it is necessary to train an adequate number of experts in both the attack and defense aspects of this discipline. Training should occur by the inclusion of the security area in the contents of the universities and also by the training of researchers able to build new techniques and methodologies to advance this field. The interaction of educational and research institutions with industry for technology transfer and productization is greatly needed.

The suggested actions for education and research institutions are:

====Inclusion of application security best practices in course content====

It is essential that all Information technology professionals are aware of basic security practices and the inclusion of such information in university training is the best way to achieve this goal.

Students in primary and secondary schools must also learn about the dangers of the virtual world. At these education levels, the focus should be on the risks involved in using systems or websites like social networks or e-commerce sites. The ethical aspects of Internet use should also be emphasized.

====Creation of advanced courses in the field====

Besides the basic practices that must be known by all professionals, it is necessary to train specialists in software security for the country to develop a thriving security industry and to generate wealth.

====To promote and fund application security research====

Generating knowledge is also essential for a country to take a world leadership role in application security. And the only way to increase the generation of new knowledge is to promote and fund research in the area, whether undertaken by public or private institutions.

The promotion of knowledge and technology development in business is critical to a country's ability to create a market in application security products and its ability to create advanced and innovative technologies.

====To promote the training of professionals capable of acting with ethics and responsibility====

The whole process of training undergraduates and researchers should prioritize the responsibility and ethical aspects of security. The ethics training must be an essential part of training these professionals.

===For all public bodies===

Any public agency may help to improve the current state of affairs by either undertaking awareness and training, or by using its purchasing power to favor companies that treat the security aspects of applications adequately.

The suggested actions for all public organizations are:

====Financing validations and security fixes for open source systems====

Many government agencies use open source systems as part of their information technology infrastructures. It is therefore essential to these organizations that open source systems are secure and reliable. Public agencies should invest in making security assessments of the open source systems they adopt, in publishing secure configurations, in developing fixes for the security flaws found in these systems and in responsible disclosure of flaws as well as fixes.

Thus, public agencies can better serve society due to the improved security of their own systems and third party systems.

====Promote the use of application security technologies and methodologies====

Each public agency should require and promote the use of technologies and methodologies for developing secure applications, both internally and by its suppliers.

It should be the responsibility of each agency ensure that their systems have adequate security and that appropriate techniques are used in developing their computer systems.

====Promote and enable security testing responsibly but openly====

Security tests are a major tool for finding security holes in computer systems. Each public agency should establish a program that allows security researchers to conduct tests on their systems in order to locate faults and should repair the vulnerabilities as soon as possible.

We emphasize that the tests should be done in an ethical and responsible way and should be seen as a form of collaboration to improve government systems. We believe that cybercriminals are already conducting their own undercover testing on these systems, unlike legitimate researchers with good intentions. So, criminals currently have an advantage. The best way to balance this dispute is to facilitate the work of researchers and security professionals to find faults and report them appropriately instead of having these faults used as a currency in the digital underworld.

====Promote awareness and training of managers about the challenges of web security====

All public bodies should be concerned about the security of their systems and this concern should be part of the direction given by senior management of each government organization. It is therefore important that managers of all agencies participate in appropriate training and awareness sessions.

==Competitive advantages for the country==

The technology field is an economic activity with high added value, and therefore has the ability to generate wealth for the country. With the support and leadership from the government, the country has the potential to become a world leader in application security, and may also generate revenue by exporting products and services with high added value and by creating new businesses.

Because it is a labor-intensive activity, there is also the possibility of creating jobs in the country for highly trained professionals. The existence of trained professionals in security also supports national sovereignty, since such knowledge is crucial in cyber-conflicts, cyber espionage and electronic warfare.

The development of this field closely linked to information technology also has the potential to foster the development of related areas, increasing the country's technological capability.

The improvement of the online business environment tends to improve the country's international image, so that it begins to be considered a safe haven for business, both online and off. A favorable business environment may attract international investment, especially investment in businesses directly related to the Internet or enterprise software development.

==How can OWASP help?==

OWASP is an international community and brings together leading experts on the subject worldwide, including civil servants. All materials and systems developed by OWASP are freely available to the government to use as it deems most appropriate. The OWASP community can also help in developing materials or tools to meet the specific needs of government agencies.

The materials and guidelines developed by OWASP can be translated into any language in order to serve as a subsidy in developing legislation or regulations. OWASP has good practice guides and standards that can be used as input to the development of governmental documents in line with the best international practices.

The experts that participate in OWASP are willing to contribute to make the country to move in the right direction and may serve as an advisory body or liaison with foreign experts if necessary. OWASP is a non-profit and all specialists involved are volunteers.

OWASP Brasil Manifesto/en

2011-06-20T01:04:52Z

Sapao: /* Web Insecurity */

=Web Security - A Window of Opportunity=
'''An open letter from OWASP Brazil to the Brazilian Government'''

==Executive Summary==
OWASP (Open Web Application Security Project) is a global and open community focused on improving the security of software systems and has chapters in several Brazilian cities. This document presents the vision of the Brazilian OWASP community on how the Brazilian government can act to improve security on the Internet.

In this paper, we present suggestions and recommendations regarding public policy, legislation and other activities that we believe could contribute to improving the security environment in the Brazilian Internet.

The recommendations are divided according to the focus of each agency:
* legislators
* consumer protection bodies
* control and audit bodies
* teaching and research institutions
* all public bodies

The recommendations do not have dependencies on each other, but we believe that maximum efficiency occurs with the implementation of all recommendations. Improving security in the Brazilian Internet could bring several advantages for the country, such as the attraction of investment, training of the workforce and the development of an industry capable of exporting products and services with high added value.

Brazilian experts that participate in OWASP are willing to contribute to the country to move in the right direction and may serve as an advisory body or liaison with foreign experts if necessary. The OWASP non-profit and all specialists involved are volunteers.

==Web Insecurity==

The Internet is now a reality in the lives of most people, as shown by usage statistics. The [http://www.internetworldstats.com/ Internet World Stats] web site [http://www.internetworldstats.com/stats.htm reports] that about 80% of North Americans and 60% of Europeans are Internet users. The IWS also reports growth rates from 2010 to 2011 of more than 150% for North america and 350%.

The Internet access methods also have diversified and now include everything from traditional cybercafes to cell phones, including dialup and broadband. Thus, the range of users goes from the casual user who accesses from a public computer to "always connected" users, accessing the computer or cell phone when and wherever they are.

Whatever the frequency or access method, it is undeniable that the Internet is now part of everyday life. Companies also increasingly rely on the Internet as a business tool. Even disregarding businesses that exist solely on the Internet, it is very difficult today to find an organization which does not rely on the Internet in some way.

Also, governments have invested in the use of e-gov, or electronic government, strategies which consist in providing services to the population via the Internet.

add e-gov examples here.

If seen as a communications tool, the Internet is also included in and also changed the routine of millions of people. The e-mail is almost as popular as the telephone. Instant messaging systems, such as MSN Messenger or Google Talk, are used by most people for work or for leisure. Social networks like Facebook, Orkut or Twitter, are a reality in the lives of individuals and companies and gain importance as tools for community building and also for business.

Although it is becoming essential to society, the Internet is inherently an insecure infrastructure. Designed in the 1960s to withstand a nuclear attack, the Internet is able to continue operating even if a disaster occurs in parts of the network. However, this infrastructure depends on a number of computer programs, called software. It is the software that defines the rules for the operation of computers, routers and other components of the Worldwide Network.

As in all human activity, software development is prone to errors. Mistakes in software can lead to failures, including security breaches. Laurence Lessig, a law professor at Harvard University, said that "Code is law", ie, the software is the law that governs the Internet. As a result, the "laws" governing the Internet are flawed and these flaws can cause problems for the security of the network users.

Flaws in Internet security are common and make the news almost daily. There are several cases reported by police of criminals who use the Internet to commit their crimes. In most cases, crimes are possible due to a lack of an adequate level of security in systems. Bank frauds are perhaps the greatest example of exploitation of security flaws, but other types of fraud against sites and systems exist and can cause damage to society.

The dependence of our society on Internet services is such that the mere unavailability of some of these services (often caused by bad guys using techniques that exploit security holes in Internet infrastructure) is featured on the evening news, as the unavailability of well known web sites and networks such as Sony's playstation network.

CERT/CC, the Computer Emergency Response Team, coordinates response to internet related emergencies and attacks. The CERT statistics show that the number of catalogued vulnerabilities increased from 417 in 1999 to 7236 in 2007.

add local statistics here.

The state of Internet security is delicate and tends to worsen as society increases its dependency on this infrastructure. In an analogy with recent financial market crisis (subprime crisis in the housing market), we have a vibrant ecosystem of applications and Web sites whose base is not solid enough. The risk is real that the basis of this ecosystem can collapse, as happened with the financial market, and the consequences could be devastating for the whole society. As in the case of financial markets, solidifying the infrastructure is important and the cost is certainly lower than expected if there were a crisis before acting.

==The OWASP Project==

The OWASP (Open Web Application Security Project) is a global community, focused on improving software security. There are over 180 local OWASP chapters in all regions of the globe that bring together the world's leading experts in application security.

OWASP is an open community dedicated to empowering organizations to be able to conceive, develop, acquire, operate and maintain systems that are reliable. All tools, documents, forums, and sections of OWASP is free and open to anyone interested in improving application security.

OWASP is a new type of organization. Our freedom from commercial pressures allows us to provide unbiased, practical, cost-effective advice on application security. The OWASP is not affiliated with any technology company, while supporting the informed use of commercial security technology. As many open-source software projects, OWASP produces many types of materials in a collaborative and open manner.

The OWASP project has among its documents and important tools for maintaining the security of applications and also promotes important conferences in this area. All OWASP projects are published using [https://www.owasp.org/index.php/OWASP_Licenses free software or Creative Commons licenses].

OWASP is a non-profit and its members participate in its activities voluntarily. All proceeds of the project come from donations and are used to support its activities and its infrastructure.

==What can we do?==

Given the importance of software in today's economy, it is imperative that governments act to develop a market capable of producing software whose security level is appropriate to its intended usage and the importance of the information it will process or store. In this section, we list some recommendations of what can be done to improve the prospects for software security.

We believe that the actions proposed here have the potential to improve the security of software systems used by millions of people and also to promote a thriving industry able to put our country among the world leaders, creating prosperity and economic growth.

===By legislators===

The current software market provides incentives that emphasize functionality over security. As a result, everyone ends up suffering from the lack of security that is today's reality in the Internet. It is necessary that governments acts to create incentives for the adoption of safe practices in system development and also make accountable the people and organizations that do not properly address the security aspects of their applications.

Some suggested actions are:

====Allow and encourage research on cyber attacks and defenses====

Cyber crime legislation is needed and OWASP's position is the protection of illegal or harmful activities. However, OWASP realizes that some initiatives to legislate about electronic crimes may also hamper legitimate activities and the much needed research that will allow us to correctly address security vulnerabilities.

We believe that legislation should focus on intent, criminalizing activities that aim to cause damage to society and enabling research activities that benefit society by creating knowledge crucial to the improvement of secure systems.

====Require the publication of safety assessments====

Disseminating information about security vulnerabilities is essential to enable society to protect itself from attacks that exploit these faults. Today we know that criminals involved in digital networks do exchange information and have ample access to descriptions of failures and new attack techniques. In other words, criminals now have more access to information that the teams responsible for maintaining the security of network providers, companies or the government.

As with the aviation industry, where the failures are thoroughly investigated and the results of investigations are published, it is important that the flaws found in computer systems and the description of attacks suffered by organizations are widely disseminated, allowing the whole society to learn from the problems that occurred in order to evolve the security of systems on which we depend.

====Create an agency to address the aspects of disclosure of security flaws====

With the publication of laws requiring disclosure of security breaches, it is important to regulate this activity. We suggest the creation of a specialized government agency to regulate and manage the activities of exchanging information on security vulnerabilities in an ethical and responsible way, including the power to punish people and organizations that act in a manner harmful to society.

====Require compliance with minimum security requirements in government contracts====

The purchasing power of the State can not be ignored and must be used in favor of society. With respect to software security, the government can set minimum security criteria and require qualification and use of technical protections in systems provided to the government. An important aspect is the possibility of holding the suppliers accountable in case of failures in safety systems.

====Make organizations which are not diligent about software security accountable====

Just as government suppliers, all organizations must be legally responsible for the security of systems that operate or sell. The legislation should provide for punishment to those organizations that fail to take adequate measures to ensure the security of their systems. The suppliers of the technologies used should also be liable.

====Require that the government have access to security updates for all software during its lifetime====

It is imperative that the systems used by public agencies are always updated with all the security fixes, so they are not affected by known vulnerabilities.
Thus, legislation is needed to determine that the government must have access to security fixes for systems that it employs for the duration of the useful life of these systems and regardless of the existence of maintenance contracts.

====Require open sourcing of applications used by the government and whose lifetime has expired====

It is quite common for software manufacturers to restrict the lifetime of their systems, mainly because of the release of new versions of these systems. At the end of life of a software, manufacturers stop publishing updates and security fixes, which increases the risk of organizations still relying on these versions.

It is also quite common in government agencies to keep using systems that have been abandoned by manufacturers but that still meet the needs of the public administration. Allowing the government to protect itself in case of failures in these systems requires the creation of legislation to compel manufacturers to make available the source code for these systems so that the government is able to perform the necessary maintenance, since the manufacturer no longer maintains the system. The manufacturer may also choose to provide the most current version of the software, provided there is no cost to the government.

====Eliminate software licenses which exempt manufacturers from liability for the security of their products====

Many of the current software licenses restrict the liability of the manufacturer in case of software security flaws. It is important to have legislation that prevents a software manufacturer to avoid liability for the safety and security of the products it sells.

To avoid distortions in the software market, manufacturers' liability may be limited to the amount paid.

===For consumer protection agencies===

Our understanding is that the protection of customer information is part of the necessary practices of consumer protections, as well as to supply systems free of defects, especially defects that may compromise the security of its users. Thus, consumer protection agencies can and should act to improve the security landscape for consumers.

We suggest the following actions:

====Act to restrict the use of abusive software licenses ====

This action is similar and complementary to the item "Eliminate software licenses which exempt manufacturers from liability for the security of their products, " described above.

====Require manufacturers to disclose understandable information on the security level of their products or services====

As with manufacturers of electrical and electronic goods that must disclose information on energy consumption of their products, consumers have the right to know about the characteristics and the level of security provided by the computer systems they use.

It is imperative to create a system that allows consumers to check the level of security a software product provides as part of their decision-making process. Such a system would reduce some of the perverse externalities of the software market and create incentives for software producers to enhance the security of their products.

In this item, it is possible to quote existing local consumer rights legislation regarding defects in acquired products.

====Require an adequate level of security for systems that deal with private data====

Many organizations collect private information from their clients during their business relationships, but do not always protect this information adequately. Thus, the definition of minimum procedures for protection of information collected from consumers are requires and public or private organizations that do not adequately protect private information should be liable. Personal information leaks should be punishable and should be disclosed. In particular, all those potentially affected by the leak should be alerted to the fact and its possible consequences.

Some places already have legislation on data leaks and this item may unnecessary.

====Define that consumers should be informed of all possible uses of data provided to systems or sites====

Not only organizations must protect the data collected from consumers, but consumers should know all the possible uses of the information being collected. It is therefore necessary that all public and private organizations have the obligation to disclose all possible uses for the data they collect, including future uses. Any change in data use policies must be informed in advance and explicitly accepted by the affected consumers.

Some places already have legislation about this issue and this item may be unnecessary.

====Establish software security awareness campaigns for consumers====

In addition to actions that require software makers to act responsibly towards consumers, it is also important to teach users of computer systems about the risks of using these systems.

Just as it is important to make awareness campaigns for traffic safety or disease control, it is important to educate Internet users about the risks that come from an increasingly connected world. Campaigns should address topics such as the risks of entering personal data in unknown sites or the care that each person should have with their personal computer to prevent it from becoming a weapon in the hands of cybercriminals.

===For oversight agencies===

Auditing bodies can and should demand from sectors that they oversee the adoption of appropriate practices for application security. These bodies should establish regulations that favor the use of security techniques in software development. Thus, the suggested actions are:

====Define clear responsibilities about application security====

Every organization should be responsible for the security of their systems and this should be clearly defined. Oversight bodies should, where possible, include the responsibility to maintain the security of information systems as part of their regulations. There must be provision for punishment in cases where there is adequate security systems.

====Verify and audit to ensure that appropriate safety practices are adopted====

Whenever possible, audits or checks must include items to assess whether the best practices of application security were properly adopted. We believe that audits are an opportunity to improve the practices adopted by organizations and oversight agencies should be prepared to require the maintenance of adequate levels of security in the auditee's systems.

There are some models that can guide the practices of system security audit such as the [http://www.sse-cmm.org/ SSE-CMM] (Systems Security Engineering Capability Maturity Model), [http://www.owasp.org/index.php/Category:OWASP_Application_Security_Verification_Standard_Project OWASP ASVS] (Application Security Verification Standard) or [http://www.opensamm.org/ SAMM] (Software Assurance Maturity Model).

====Insert the security aspects of applications in regulations or recommendations====

Many oversight agencies publish regulations or oversight recommendations for the sectors they regulate. It is important that these regulations or recommendations include application security aspects and clearly indicate the need to include security requirements in contracts with suppliers.

====Facilitate the creation of an insurance market for security applications====

As much as accountability for failing to maintain appropriate levels of security is important, it is also important to create an insurance market for application security.

An insurance market allows the transfer of part of the security risks to an insurer, while it tends to increase insurance costs for entities that do not have a proper treatment of the security aspects of their systems. Along with accountability mechanisms, a properly functioning insurance market produces strong incentives for organizations to increase their security level.

====Requiring the use of encrypted connections (SSL) for web applications====

Many attacks exist today are only possible because some organizations do not use even the most basic security mechanisms available. One such mechanism is the SSL protocol, which allows the encryption of data transmitted between the browser and web servers safely, ensuring the confidentiality and authenticity of information.

Thus, a simple and effective measure to improve safety web systems is to require that data must be transmitted securely over the Internet.

===For research and teaching institutions===

Training the workforce is essential to move any country forward in all areas closely linked to technology. To have an application security booming market, it is necessary to train an adequate number of experts in both the attack and defense aspects of this discipline. The training of an adequate workforce should happen by the inclusion of the security area in the contents of the universities and also by the training of researchers able to build new techniques and methodologies to advance this field. An interaction of educational and research institutions with industry for technology transfer and productization is much needed.

The suggested actions for education and research institutions are:

====Inclusion of application security best practices in course contents====

It is essential that all Information technology professionals are aware of basic security practices and the inclusion of such information in university training is the best way to achieve this goal.

Students in primary and secondary schools must also learn about the dangers of the virtual world. At these education levels, the focus should be on the risks involved in using systems or websites like social networks or e-commerce sites. The ethical aspects of Internet use should also be emphasized.

====Creation of advanced courses in the field====

Besides the basic practices that must be known to all professionals, it is necessary to train specialists in software security for the country to develop a thriving security industry and to generate wealth.

====To promote and fund application security research====

Generating knowledge is also essential for a country to take the world leadership in application security. And the only way to increase the generation of new knowledge is to promote and fund research in the area, whether undertaken by public or private institutions.

The promotion of knowledge and technology development in business is critical to a country's ability to create of a market of application security products and its ability to create advanced and innovative technologies.

====To promote the training of professionals capable of acting with ethics and responsibility====

The whole process of training undergraduates and researchers should prioritize the responsibility and ethical aspects of security. The ethics training must be an essential part of training these professionals.

===For all public bodies===

Any public agency may help to improve the current state of affairs by either doing awareness and training or by using its purchasing power to favor companies that treat adequately the security aspects of applications.

The suggested actions for all public organizations are:

====Financing validations and security fixes for open source systems====

Many government agencies use open source systems as part of their information technology infrastructures. It is therefore essential to these organizations that these open source systems are secure and reliable. Public agencies should invest in making security assessments of the open source systems they adopt, in developing fixes for the security flaws found in these systems and in responsible disclosure of flaws as well as fixes.

Thus, public agencies can better serve society due to the improved security of their own systems and third party systems.

====Promote the use of application security technologies and methodologies====

Each public agency should require and promote the use of technologies and methodologies for developing secure applications, both internally and by its suppliers.

It should be the responsibility of each agency ensure that their systems have adequate security and that appropriate techniques are used in developing their computer systems.

====Promote and enable security testing responsibly but openly====

Security tests are a major tool for finding security holes in computer systems. Each public agency should establish a program that allows security researchers to conduct tests on their systems in order to locate faults and should repair the vulnerabilities as soon as possible.

We emphasize that the tests should be done in an ethical and responsible way and should be seen as a form of collaboration to improve government systems. We believe that cybercriminals are already conducting their own undercover testing on these systems, unlike legitimate researchers with good intentions. So, criminals have an advantage when it comes to these systems security. The best way to balance this dispute is to facilitate the work of researchers and security professionals to find faults and report them appropriately instead of having these faults be used as a currency in digital underworlds.

====Promote awareness and training of managers about the challenges of web security====

All public bodies should be concerned about the security of their systems and this concern should be part of the direction given by senior management of each government organization. It is therefore important that managers of all agencies participate in training and awareness sessions in this regard.

==Competitive advantages for the country==

The technology field is an economic activity with high added value and the ability to generate wealth for the country. With the support and leadership from the government, the country has the potential to become a world leader in application security, and may also generate revenue by exporting products and services with high added value and by creating new businesses.

Because it is a labor-intensive activity, there is also the possibility of creating jobs in the country for highly trained professionals. The existence of trained professionals in security also supports national sovereignty, since such knowledge is crucial in case of cyber-conflicts or electronic warfare.

The development of a field closely linked to information technology also has the potential to foster the development of related areas, increasing the country's technological capability.

The improvement of the online business environment tends to improve the country's international image, so that it begins to be considered a safe haven for business, both online and off. A favorable business environment may attract international investments, especially investments in businesses directly related to the Internet or enterprise software development.

==How can OWASP help?==

OWASP is an international community and brings together leading experts on the subject worldwide, including civil servants. All materials and systems developed by OWASP are freely available to the government to use as it deems most appropriate. The OWASP community can also help in developing materials or tools to meet the specific needs of government agencies.

The materials and guidelines developed by OWASP can be translated into any language in order to serve as a subsidy in developing legislation or regulations. OWASP has good practice guides and standards that can be used as input to the development of governmental documents in line with the best international practices.

The experts that participate in OWASP are willing to contribute to make the country to move in the right direction and may serve as an advisory body or liaison with foreign experts if necessary. OWASP is a non-profit and all specialists involved are volunteers.

OWASP Brasil Manifesto/en

2011-06-19T18:16:05Z

Sapao: /* Web Insecurity */

=Web Security - A Window of Opportunity=
'''An open letter from OWASP Brazil to the Brazilian Government'''

==Executive Summary==
OWASP (Open Web Application Security Project) is a global and open community focused on improving the security of software systems and has chapters in several Brazilian cities. This document presents the vision of the Brazilian OWASP community on how the Brazilian government can act to improve security on the Internet.

In this paper, we present suggestions and recommendations regarding public policy, legislation and other activities that we believe could contribute to improving the security environment in the Brazilian Internet.

The recommendations are divided according to the focus of each agency:
* legislators
* consumer protection bodies
* control and audit bodies
* teaching and research institutions
* all public bodies

The recommendations do not have dependencies on each other, but we believe that maximum efficiency occurs with the implementation of all recommendations. Improving security in the Brazilian Internet could bring several advantages for the country, such as the attraction of investment, training of the workforce and the development of an industry capable of exporting products and services with high added value.

Brazilian experts that participate in OWASP are willing to contribute to the country to move in the right direction and may serve as an advisory body or liaison with foreign experts if necessary. The OWASP non-profit and all specialists involved are volunteers.

==Web Insecurity==

This section is highly dependent of the local reality and should be adapted for each geographic region.
The text below shows an example written for the Brazilian reality.

The Internet is now a reality in the lives of most people, as shown by usage statistics. The [http://www.internetworldstats.com/ Internet World Stats] web site [http://www.internetworldstats.com/stats.htm reports] that about 80% of North Americans and 60% of Europeans are Internet users. The IWS also reports growth rates from 2010 to 2011 of more than 150% for North america and 350%.

The Internet access methods also have diversified and now include everything from traditional cybercafes to cell phones, including dialup and broadband. Thus, the range of users goes from the casual user who accesses from a public computer to "always connected" users, accessing the computer or cell phone when and wherever they are.

Whatever the frequency or access method, it is undeniable that the Internet is now part of everyday life. Companies also increasingly rely on the Internet as a business tool. Even disregarding businesses that exist solely on the Internet, it is very difficult today to find an organization which does not rely on the Internet in some way.

Also, governments have invested in the use of e-gov, or electronic government, strategies which consist in providing services to the population via the Internet.

add e-gov examples here.

If seen as a communications tool, the Internet is also included in and also changed the routine of millions of people. The e-mail is almost as popular as the telephone. Instant messaging systems, such as MSN Messenger or Google Talk, are used by most people for work or for leisure. Social networks like Facebook, Orkut or Twitter, are a reality in the lives of individuals and companies and gain importance as tools for community building and also for business.

cont. here

Although it is becoming essential to society, the Internet is inherently an insecure infrastructure. Designed in the 1960s to withstand a nuclear attack, the Internet is able to continue operating even if a disaster occurs in the network. However, this infrastructure depends on a number of computer programs, called software.It is software that defines the rules for the operation of computers, routers and other components of the World Network.

As in all human activity, software development is prone to errors. Mistakes in software can lead to failures, including security breaches. Laurence Lessig, a law professor at Harvard University, said that "Code is law", ie, the software is the law that governs the Internet. As a result, the "laws" governing the Internet are flawed and these flaws can cause problems for the security of users of the network.

Flaws in Internet security are common and usually part of the news. There are several cases reported by police of criminals who use the Internet to commit their crimes. In most cases, crimes are possible due to a lack of an adequate level of security in systems. Bank frauds are perhaps the greatest example of exploitation of security flaws, but other types of fraud sites and systems exist and can cause damage to the population.

The dependence of society on Internet services is such that the mere unavailability of some of these services (often caused by bad guys using techniques that exploit security holes in Internet infrastructure) is featured on the evening news, as the unavailability of large government systems (Denatran, IRPF, SISU).

CERT.br, the Centre for Studies, Response and Treatment of Security Incidents in Brazil, is the Brazilian Internet Steering Committee agency which collects information on attacks on the Brazilian Internet. The CERT.br statistics# show that the number of attacks to Brazilian Networks increased from 3107 in 1999 to 358,343 in 2009, an increase of 100 times in 10 years.

The state of Internet security is delicate and tends to worsen as society becomes increasingly dependent on this infrastructure. In an analogy with recent financial market crisis (subprime crisis in the housing market), we have a vibrant ecosystem of applications and Web sites whose base is not solid enough. The risk is real that tehe basis of this ecosystem can collapse, as happened with the financial market, and the consequences could be devastating for the whole society. As in the case of financial markets, solidifying the infrastructure is important and the cost is certainly lower than expected if there were a crisis before acting.

Brazil was far less affected by the subprime crisis than other countries because it already had built a solid foundation for its financial market. It's time to learn from this experience and prepare ourselves well in other important sectors of our economy and our daily lives.

==The OWASP Project==

The OWASP (Open Web Application Security Project) is a global community, focused on improving software security. There are over 180 local OWASP chapters in all regions of the globe that bring together the world's leading experts in application security.

OWASP is an open community dedicated to empowering organizations to be able to conceive, develop, acquire, operate and maintain systems that are reliable. All tools, documents, forums, and sections of OWASP is free and open to anyone interested in improving application security.

OWASP is a new type of organization. Our freedom from commercial pressures allows us to provide unbiased, practical, cost-effective advice on application security. The OWASP is not affiliated with any technology company, while supporting the informed use of commercial security technology. As many open-source software projects, OWASP produces many types of materials in a collaborative and open manner.

The OWASP project has among its documents and important tools for maintaining the security of applications and also promotes important conferences in this area. All OWASP projects are published using [https://www.owasp.org/index.php/OWASP_Licenses free software or Creative Commons licenses].

OWASP is a non-profit and its members participate in its activities voluntarily. All proceeds of the project come from donations and are used to support its activities and its infrastructure.

==What can we do?==

Given the importance of software in today's economy, it is imperative that governments act to develop a market capable of producing software whose security level is appropriate to its intended usage and the importance of the information it will process or store. In this section, we list some recommendations of what can be done to improve the prospects for software security.

We believe that the actions proposed here have the potential to improve the security of software systems used by millions of people and also to promote a thriving industry able to put our country among the world leaders, creating prosperity and economic growth.

===By legislators===

The current software market provides incentives that emphasize functionality over security. As a result, everyone ends up suffering from the lack of security that is today's reality in the Internet. It is necessary that governments acts to create incentives for the adoption of safe practices in system development and also make accountable the people and organizations that do not properly address the security aspects of their applications.

Some suggested actions are:

====Allow and encourage research on cyber attacks and defenses====

Cyber crime legislation is needed and OWASP's position is the protection of illegal or harmful activities. However, OWASP realizes that some initiatives to legislate about electronic crimes may also hamper legitimate activities and the much needed research that will allow us to correctly address security vulnerabilities.

We believe that legislation should focus on intent, criminalizing activities that aim to cause damage to society and enabling research activities that benefit society by creating knowledge crucial to the improvement of secure systems.

====Require the publication of safety assessments====

Disseminating information about security vulnerabilities is essential to enable society to protect itself from attacks that exploit these faults. Today we know that criminals involved in digital networks do exchange information and have ample access to descriptions of failures and new attack techniques. In other words, criminals now have more access to information that the teams responsible for maintaining the security of network providers, companies or the government.

As with the aviation industry, where the failures are thoroughly investigated and the results of investigations are published, it is important that the flaws found in computer systems and the description of attacks suffered by organizations are widely disseminated, allowing the whole society to learn from the problems that occurred in order to evolve the security of systems on which we depend.

====Create an agency to address the aspects of disclosure of security flaws====

With the publication of laws requiring disclosure of security breaches, it is important to regulate this activity. We suggest the creation of a specialized government agency to regulate and manage the activities of exchanging information on security vulnerabilities in an ethical and responsible way, including the power to punish people and organizations that act in a manner harmful to society.

====Require compliance with minimum security requirements in government contracts====

The purchasing power of the State can not be ignored and must be used in favor of society. With respect to software security, the government can set minimum security criteria and require qualification and use of technical protections in systems provided to the government. An important aspect is the possibility of holding the suppliers accountable in case of failures in safety systems.

====Make organizations which are not diligent about software security accountable====

Just as government suppliers, all organizations must be legally responsible for the security of systems that operate or sell. The legislation should provide for punishment to those organizations that fail to take adequate measures to ensure the security of their systems. The suppliers of the technologies used should also be liable.

====Require that the government have access to security updates for all software during its lifetime====

It is imperative that the systems used by public agencies are always updated with all the security fixes, so they are not affected by known vulnerabilities.
Thus, legislation is needed to determine that the government must have access to security fixes for systems that it employs for the duration of the useful life of these systems and regardless of the existence of maintenance contracts.

====Require open sourcing of applications used by the government and whose lifetime has expired====

It is quite common for software manufacturers to restrict the lifetime of their systems, mainly because of the release of new versions of these systems. At the end of life of a software, manufacturers stop publishing updates and security fixes, which increases the risk of organizations still relying on these versions.

It is also quite common in government agencies to keep using systems that have been abandoned by manufacturers but that still meet the needs of the public administration. Allowing the government to protect itself in case of failures in these systems requires the creation of legislation to compel manufacturers to make available the source code for these systems so that the government is able to perform the necessary maintenance, since the manufacturer no longer maintains the system. The manufacturer may also choose to provide the most current version of the software, provided there is no cost to the government.

====Eliminate software licenses which exempt manufacturers from liability for the security of their products====

Many of the current software licenses restrict the liability of the manufacturer in case of software security flaws. It is important to have legislation that prevents a software manufacturer to avoid liability for the safety and security of the products it sells.

To avoid distortions in the software market, manufacturers' liability may be limited to the amount paid.

===For consumer protection agencies===

Our understanding is that the protection of customer information is part of the necessary practices of consumer protections, as well as to supply systems free of defects, especially defects that may compromise the security of its users. Thus, consumer protection agencies can and should act to improve the security landscape for consumers.

We suggest the following actions:

====Act to restrict the use of abusive software licenses ====

This action is similar and complementary to the item "Eliminate software licenses which exempt manufacturers from liability for the security of their products, " described above.

====Require manufacturers to disclose understandable information on the security level of their products or services====

As with manufacturers of electrical and electronic goods that must disclose information on energy consumption of their products, consumers have the right to know about the characteristics and the level of security provided by the computer systems they use.

It is imperative to create a system that allows consumers to check the level of security a software product provides as part of their decision-making process. Such a system would reduce some of the perverse externalities of the software market and create incentives for software producers to enhance the security of their products.

In this item, it is possible to quote existing local consumer rights legislation regarding defects in acquired products.

====Require an adequate level of security for systems that deal with private data====

Many organizations collect private information from their clients during their business relationships, but do not always protect this information adequately. Thus, the definition of minimum procedures for protection of information collected from consumers are requires and public or private organizations that do not adequately protect private information should be liable. Personal information leaks should be punishable and should be disclosed. In particular, all those potentially affected by the leak should be alerted to the fact and its possible consequences.

Some places already have legislation on data leaks and this item may unnecessary.

====Define that consumers should be informed of all possible uses of data provided to systems or sites====

Not only organizations must protect the data collected from consumers, but consumers should know all the possible uses of the information being collected. It is therefore necessary that all public and private organizations have the obligation to disclose all possible uses for the data they collect, including future uses. Any change in data use policies must be informed in advance and explicitly accepted by the affected consumers.

Some places already have legislation about this issue and this item may be unnecessary.

====Establish software security awareness campaigns for consumers====

In addition to actions that require software makers to act responsibly towards consumers, it is also important to teach users of computer systems about the risks of using these systems.

Just as it is important to make awareness campaigns for traffic safety or disease control, it is important to educate Internet users about the risks that come from an increasingly connected world. Campaigns should address topics such as the risks of entering personal data in unknown sites or the care that each person should have with their personal computer to prevent it from becoming a weapon in the hands of cybercriminals.

===For oversight agencies===

Auditing bodies can and should demand from sectors that they oversee the adoption of appropriate practices for application security. These bodies should establish regulations that favor the use of security techniques in software development. Thus, the suggested actions are:

====Define clear responsibilities about application security====

Every organization should be responsible for the security of their systems and this should be clearly defined. Oversight bodies should, where possible, include the responsibility to maintain the security of information systems as part of their regulations. There must be provision for punishment in cases where there is adequate security systems.

====Verify and audit to ensure that appropriate safety practices are adopted====

Whenever possible, audits or checks must include items to assess whether the best practices of application security were properly adopted. We believe that audits are an opportunity to improve the practices adopted by organizations and oversight agencies should be prepared to require the maintenance of adequate levels of security in the auditee's systems.

There are some models that can guide the practices of system security audit such as the [http://www.sse-cmm.org/ SSE-CMM] (Systems Security Engineering Capability Maturity Model), [http://www.owasp.org/index.php/Category:OWASP_Application_Security_Verification_Standard_Project OWASP ASVS] (Application Security Verification Standard) or [http://www.opensamm.org/ SAMM] (Software Assurance Maturity Model).

====Insert the security aspects of applications in regulations or recommendations====

Many oversight agencies publish regulations or oversight recommendations for the sectors they regulate. It is important that these regulations or recommendations include application security aspects and clearly indicate the need to include security requirements in contracts with suppliers.

====Facilitate the creation of an insurance market for security applications====

As much as accountability for failing to maintain appropriate levels of security is important, it is also important to create an insurance market for application security.

An insurance market allows the transfer of part of the security risks to an insurer, while it tends to increase insurance costs for entities that do not have a proper treatment of the security aspects of their systems. Along with accountability mechanisms, a properly functioning insurance market produces strong incentives for organizations to increase their security level.

====Requiring the use of encrypted connections (SSL) for web applications====

Many attacks exist today are only possible because some organizations do not use even the most basic security mechanisms available. One such mechanism is the SSL protocol, which allows the encryption of data transmitted between the browser and web servers safely, ensuring the confidentiality and authenticity of information.

Thus, a simple and effective measure to improve safety web systems is to require that data must be transmitted securely over the Internet.

===For research and teaching institutions===

Training the workforce is essential to move any country forward in all areas closely linked to technology. To have an application security booming market, it is necessary to train an adequate number of experts in both the attack and defense aspects of this discipline. The training of an adequate workforce should happen by the inclusion of the security area in the contents of the universities and also by the training of researchers able to build new techniques and methodologies to advance this field. An interaction of educational and research institutions with industry for technology transfer and productization is much needed.

The suggested actions for education and research institutions are:

====Inclusion of application security best practices in course contents====

It is essential that all Information technology professionals are aware of basic security practices and the inclusion of such information in university training is the best way to achieve this goal.

Students in primary and secondary schools must also learn about the dangers of the virtual world. At these education levels, the focus should be on the risks involved in using systems or websites like social networks or e-commerce sites. The ethical aspects of Internet use should also be emphasized.

====Creation of advanced courses in the field====

Besides the basic practices that must be known to all professionals, it is necessary to train specialists in software security for the country to develop a thriving security industry and to generate wealth.

====To promote and fund application security research====

Generating knowledge is also essential for a country to take the world leadership in application security. And the only way to increase the generation of new knowledge is to promote and fund research in the area, whether undertaken by public or private institutions.

The promotion of knowledge and technology development in business is critical to a country's ability to create of a market of application security products and its ability to create advanced and innovative technologies.

====To promote the training of professionals capable of acting with ethics and responsibility====

The whole process of training undergraduates and researchers should prioritize the responsibility and ethical aspects of security. The ethics training must be an essential part of training these professionals.

===For all public bodies===

Any public agency may help to improve the current state of affairs by either doing awareness and training or by using its purchasing power to favor companies that treat adequately the security aspects of applications.

The suggested actions for all public organizations are:

====Financing validations and security fixes for open source systems====

Many government agencies use open source systems as part of their information technology infrastructures. It is therefore essential to these organizations that these open source systems are secure and reliable. Public agencies should invest in making security assessments of the open source systems they adopt, in developing fixes for the security flaws found in these systems and in responsible disclosure of flaws as well as fixes.

Thus, public agencies can better serve society due to the improved security of their own systems and third party systems.

====Promote the use of application security technologies and methodologies====

Each public agency should require and promote the use of technologies and methodologies for developing secure applications, both internally and by its suppliers.

It should be the responsibility of each agency ensure that their systems have adequate security and that appropriate techniques are used in developing their computer systems.

====Promote and enable security testing responsibly but openly====

Security tests are a major tool for finding security holes in computer systems. Each public agency should establish a program that allows security researchers to conduct tests on their systems in order to locate faults and should repair the vulnerabilities as soon as possible.

We emphasize that the tests should be done in an ethical and responsible way and should be seen as a form of collaboration to improve government systems. We believe that cybercriminals are already conducting their own undercover testing on these systems, unlike legitimate researchers with good intentions. So, criminals have an advantage when it comes to these systems security. The best way to balance this dispute is to facilitate the work of researchers and security professionals to find faults and report them appropriately instead of having these faults be used as a currency in digital underworlds.

====Promote awareness and training of managers about the challenges of web security====

All public bodies should be concerned about the security of their systems and this concern should be part of the direction given by senior management of each government organization. It is therefore important that managers of all agencies participate in training and awareness sessions in this regard.

==Competitive advantages for the country==

The technology field is an economic activity with high added value and the ability to generate wealth for the country. With the support and leadership from the government, the country has the potential to become a world leader in application security, and may also generate revenue by exporting products and services with high added value and by creating new businesses.

Because it is a labor-intensive activity, there is also the possibility of creating jobs in the country for highly trained professionals. The existence of trained professionals in security also supports national sovereignty, since such knowledge is crucial in case of cyber-conflicts or electronic warfare.

The development of a field closely linked to information technology also has the potential to foster the development of related areas, increasing the country's technological capability.

The improvement of the online business environment tends to improve the country's international image, so that it begins to be considered a safe haven for business, both online and off. A favorable business environment may attract international investments, especially investments in businesses directly related to the Internet or enterprise software development.

==How can OWASP help?==

OWASP is an international community and brings together leading experts on the subject worldwide, including civil servants. All materials and systems developed by OWASP are freely available to the government to use as it deems most appropriate. The OWASP community can also help in developing materials or tools to meet the specific needs of government agencies.

The materials and guidelines developed by OWASP can be translated into any language in order to serve as a subsidy in developing legislation or regulations. OWASP has good practice guides and standards that can be used as input to the development of governmental documents in line with the best international practices.

The experts that participate in OWASP are willing to contribute to make the country to move in the right direction and may serve as an advisory body or liaison with foreign experts if necessary. OWASP is a non-profit and all specialists involved are volunteers.