This site is the archived OWASP Foundation Wiki and is no longer accepting Account Requests.
To view the new OWASP Foundation website, please visit https://owasp.org

Difference between revisions of "OWASP Security Labeling System Project"

From OWASP

Jump to: navigation, search

Latest revision as of 10:28, 3 June 2019

Main
Labeling clauses
FAQs
Acknowledgements
Road Map and Getting Involved
DEMO (Web Apps)
Project About

PURPOSE

Making security VISIBLE for everybody.

WHAT IS IT?

It is system of security labels for web applications.

HOW DOES IT WORK?

There are 4 labels:

* Security (S). Security starts with SECURE CODING, and secure maintenance. This label is based on the OWASP Application Security Verification Standard(ASVS). Web applications will get a rating based on the Applications Security Verification levels on the AVSV standard(cursory, standard, opportunistic, and advanced).

* Privacy (P). Security is also about TRUST. Technical security is not relevant if Software comes with hidden backdoors, and non-transparent policies. This label will require a Privacy scanning policy that may be based on the OWASP Top Ten Privacy project. Web applications must follow ethical principles of data processing and data protection.

* Ingredients (I). Security is also about TRANSPARENCY. This condition is only possible through the use of Open Source Software. Contemporary Software is built(and linked) by many components such as shared libraries, APIs, and so on. This label is about Web Applications exposing all their ingredients, including third party code and dependencies.

* Openness (O). Security might also be OPEN. Open security means having a fast and reliable IT security team. This label consists on a scanning policy based on the OWASP Top Ten project, and making the scan visible.

IMPLEMENTATION

Due to the complexity of the tasks, the Labels will be implemented 1 by 1. The first Label to be implemented is the OPENNESS LABEL. We will start with this experimental implementation in June - 2015. In the mean time we need open security promoters, to get submitted into the project's records.

The System provides 4 logos and 4 clauses(1 for each label). The clauses can be added before the copyright public licenses as a "license exception", or included in the warranty clause(or any other) in custom copyright licenses, license contracts, terms of services, or even privacy policies.

STEP 1: Get Registered into the OWASP Security Labeling system Site.

STEP 2: Download the label-logo(s) and paste before your copyright license, license contract, terms of service, or privacy policy.

STEP 3: Incorporate the correspondent label-clause(s) in a visible place within your Web application, copyright license, license contract,terms of service,or privacy policy.

COMPROMISES

- Between DEVELOPER and the OWASP SECURITY LABELING PROJECT. By including the Labeling-logos, the Developer gets the compromise of following the OWASP labeling system requirements.

- Between DEVELOPER and USERS. By incorporating the Labeling-Clauses, Web service providers assume a direct compromise with their users.

- Between OWASP SECURITY LABELING PROJECT and USERS. Users can report violations of the labeling system to the OWASP labeling project Volunteers.

PRESENTATION

http://owaspsecuritylabelingsystem.blogspot.com/ http://www.slideshare.net/luisenriquezA/owaspsecuritylabelingsystem

MOTIVATION

After joining the OWASP community in my local chapter, I got the idea of a security labeling system. When I contacted Jeff Williams I found out that he already proposed a very similar idea few years ago. We think we can revive it. The OWASP international community has the purpose of making security visible, and opinions from different sides are crucial in order to create a practical and widely used labeling system.

NEWS AND EVENTS

The proposal of this project has been relaunched. We are examining with a new team the possibilities of a joint venture for complying the new legal regulations such as GDPR in the summer of 2019.

YOU ARE ALL INVITED TO JOIN THIS SECURITY PROJECT.

PROJECT LEADER

Luis Enriquez

LICENSING

The OWASP Security Labeling System Project is free to use. All documentation is licensed under the http://creativecommons.org/licenses/by-sa/3.0/ Creative Commons Attribution-ShareAlike 3.0 license], so you can copy, distribute and transmit the work, and you can adapt it, and use it commercially, but all provided that you attribute the work and if you alter, transform, or build upon this work, you may distribute the resulting work only under the same or similar license to this one.

RELATED PROJECTS

CLASSIFICATIONS

/*Add these clauses on your web applications in a visible place. You could also add them into your license contracts, terms of services or privacy policies. If your software is licensed under the terms of a generic-purpose FOSS public license(such as the GPL license, the Apache license, the Mozilla license, and so on...),you might add these clauses before the license terms as a license exception, or as additional terms.*/

OWASP SECURITY LABELING SYSTEM. This Web Application is labeled under the OWASP security labeling system with the purpose of making security VISIBLE for everybody. THIS IS A SECURITY COMPROMISE BETWEEN THE ADMINISTRATOR of this Web Application, and the end users. This system is only based on trust and reputation. OWASP denies any liability, or damage claims of any kind.

Security Label

SECURITY LABEL CLAUSE: Security starts with secure coding and mantainance. This Web application is following the security guidelines of the OWASP Application Security Verification Standard. Reports can be downloaded "here".

Privacy Label

PRIVACY LABEL CLAUSE: Security is about Trust. This Web application uses a scan policy based on the OWASP top ten Privacy project. Reports can be downloaded here.

Ingredients Label

INGREDIENTS LABEL CLAUSE: Security is about Transparency. This Web application discloses a list of all its components and third party code, including source code, plug-ins, shared libraries. Reports can be downloaded here.

Openness Label

OPENNESS LABEL CLAUSE: Security is about Transparency. This Web application is regularly scanned by a policy based on the OWASP top ten project. Reports can be downloaded here.

THIS COMPROMISE IS VALID AS LONG AS THE WEB APPLICATION IS REGISTERED INTO THE OWASP SECURITY LABELING SYSTEM RECORDS.

Why creating a security labeling system is important?

Making security more visible.

Is a transnational and market wise solution.

It is based on trust and reputation.

Visual, and easy to apply.

Different labeling categories for different purposes.

Which security labels can I add to my Software?

Security label (S).

Privacy label (P).

Ingredients label (I).

Openness label (O).

What is the Security label (S) about?

Web Applications must be developed and maintained with a security orientation.

Why is the Security label (S) relevant?

Users have the right to know if web applications are secure enough. This is the main purpose of OWASP. Currently we propose using the AVSV standard as it provides a basis for testing web application technical security controls.

What is the Privacy label (P) about?

Surveillance code, misuse of personal data, and non-transparent policies are as dangerous as code vulnerabilities.

Why is the Privacy label relevant?

Users have the right to know how their information is processed and stored. We propose developing a privacy scan policy based on the OWASP Top Ten Privacy Project.

What is the Ingredients label (I) about?

Is about exposing all the components of your software, such as API's, and shared libraries.

Why is the Ingredients label (I) relevant?

Because it will help developers and users to identify properly third party code, evaluate the risks of using it,

avoid non intentional license compatibility controversies, and so forth.

What is the Openness label (O) about?

It is dedicated to rate security. Web Applications will expose their vulnerabilities of the

last vulnerability scan the public. They will have the time to patch them until the next vulnerabilities scan.

The scans should be fixed in a regular basis(e.g. each week).

Why is the Openness label (O) relevant?

Vulnerabilities such as XSS scripting and SQL injection must be efficiently fixed.

Scan policies must be based on the OWASP Top ten Project.

Volunteers

The OWASP Security Labeling System is developed by a worldwide team of volunteers. The primary contributors to date have been:

Luis Enriquez (Copyright & IT Lawyer)
Jeff Williams (Computer Security Expert)

The priorities of the OWASP Security Labeling System are:

(1) Create and Distribute opinion polls to different sides involved in the IT environment(such as software developers, e-commerce agents, IT security firms, Cyber communities, Internet rights NGOs, lawyers, and of course, users).

(2) Create the most suitable methodology for the security labeling system. At this point seems that the best methodology is to create a logo and a declaration. The logo must be visible within the web application, and linked to the declaration and reports stored on the OWASP security labeling system records. The declaration may also be included within the web application, or as part of IT contracts, copyright licenses(additional terms for public licenses), terms of service, or privacy policies.

(3) Create a secure server in order to generate genuine certificates for the labeled web applications. WE ARE HERE

(4) Evaluate the labeling system with a voluntary Application on the Internet. This application will be promoted as the first Labeled application. We would start with the OPENNESS LABEL If the results are good enough, we will add the other labels.

(4) Open the labeling system for any Application The OWASP labeling system volunteers will contribute to check that the system is working properly. The labels can always be removed.

Involvement in the development and promotion of the OWASP Security Labeling System is actively encouraged! You do not have to be a security or legal expert in order to contribute. Some of the ways you can help:

Get into the testing program.
Improve the system.
Translate the documents to other languages.
Improve this wiki.

/*This example shows how to apply the OWASP Security Labeling system clauses into your Web Site's TERMS AND CONDITIONS. They should be placed inside an OWASP Security Labeling System section. The labeling logos could be placed in your anywhere as long as they remain visible. (as in the front page of this Website, as widget). This Web Site uses 3 labels: Security, Privacy, and Openness */

/*FIRST: The logos could be placed in the front page of the website: */

/*SECOND: Add the OWASP Security Labeling System clause to your Terms and Conditions: */

Please read carefully the following terms and conditions before registering and using this WebSite:

1. OWASP SECURITY LABELING SYSTEM. This Web Application is labeled under the OWASP security labeling system with the purpose of making security VISIBLE for everybody. THIS IS A SECURITY COMPROMISE BETWEEN THE ADMINISTRATOR of this Web Application, and the end users. This system is only based on trust and reputation. OWASP denies any liability, or damage claims of any kind.

SECURITY LABEL CLAUSE: Security starts with secure coding and maintainance. This Web application is following the security guidelines of the OWASP Application Security Verification Standard. Reports can be downloaded "here".

PRIVACY LABEL CLAUSE: Security is about Trust. This Web application uses a scan policy based on the OWASP top ten Privacy project. Reports can be downloaded here.

OPENNESS LABEL CLAUSE: Security is about Transparency. This Web application is regularly scanned by a policy based on the OWASP top ten project. Reports can be downloaded here.

THIS COMPROMISE IS VALID AS LONG AS THIS WEB APPLICATION IS REGISTERED INTO THE OWASP SECURITY LABELING SYSTEM RECORDS.

2.LIABILITY:/*(from here, clauses are not important)*/ - By signing this agreement, the user assumes complete responsibility over their own uploaded content, including posts, comments, and forums. The FOSS lawyers Institute denies any liability and damages of any kind, concerning contents uploaded by the users.

3.INTELLECTUAL PROPERTY: - The contents published in this website are licensed by default using the CC by NC license. User's cannot publish works violating the copyrights of others. Such contents will be deleted.

4. TERMINATION: - You can always close your account in this website. We also reserve the right of closing user's accounts if they infringe the terms and conditions of this website.

PROJECT INFO
What does this OWASP project offer you?

RELEASE(S) INFO
What releases are available for this project?

what	is this project?
Name: OWASP Security Labeling System Project
Purpose: Creating a security labeling system for software and web applications This labeling system would be based in different criteria It concerns technical and legal security The former idea was proposed by jeff Williams years ago
License: Creative Commons Share Alike 3.0
who	is working on this project?
Project Leader(s): Luis Enriquez @
how	can you learn more?
Project Pamphlet: Not Yet Created
Project Presentation:
Mailing list: Mailing List Archives
Project Roadmap: View
Key Contacts
Contact Luis Enriquez @ to contribute to this project Contact Luis Enriquez @ to review or sponsor this project

current release
Not Yet Published
last reviewed release
Not Yet Reviewed

other releases

Retrieved from "https://wiki.owasp.org/index.php?title=OWASP_Security_Labeling_System_Project&oldid=252054"

Categories:

Difference between revisions of "OWASP Security Labeling System Project"

Latest revision as of 10:28, 3 June 2019

PURPOSE

WHAT IS IT?

HOW DOES IT WORK?

IMPLEMENTATION

COMPROMISES

PRESENTATION

MOTIVATION

NEWS AND EVENTS

PROJECT LEADER

LICENSING

RELATED PROJECTS

CLASSIFICATIONS

Security Label

Privacy Label

Ingredients Label

Openness Label

Volunteers

Navigation menu

Personal tools

Namespaces

Variants

Views

More

Search

Navigation

Reference

Tools

@@ Line 1: / Line 1: @@
-"(1)  STAGE ONE: Determine the reasons to create the labeling system(you could add more, or send your comments about these reasons):
-- Security is invisible.  We cannot know if software is 'good enough' in terms of security. The user ( and  also the developer who uses  shared libraries, or  creates derived works) have technical and legal impediments in order to know about vulnerabilities and code bugs.  The security labels will make security visible.
+=Main=
-- In security there is not perfect, just â€œgood enoughâ€.  We know that  software flaws and Vulnerabilities  will always exist.  But the label system could at least certify that certain application is  following basic security practices.
+<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_security_labeling_system2.png|link=]]</div>
-- Liability does not solve the problem.  Legal liability is not an alternative (unless the power of negotiation of the user is huge). All developers will always avoid including liability clauses in contracts.  Furthermore, it does not incentive development, and it is more likely that developers hide vulnerabilities instead of sharing them. A labeling system is the alternative.
+{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-
+| style="border-right: 1px dotted gray;padding-right:25px;" valign="top" |
-- We need transnational solutions.   There are many jurisdictions, and applicable laws around the planet. The labeling system has to be transnational, so it can be easily applied.
+== PURPOSE ==
+Making security VISIBLE for everybody.
-- We need an attractive and easy going label system. This is the key.  Users will benefit because they want security, and to know what components are they getting within a software. Developers will benefit because OWASP labeled software would be preferred by users in terms of security.
-(2) STAGE TWO: Choose the Sources for the labeling system:
+== WHAT IS IT?==
+:It is system of security labels for web applications.
--  Follow OWASP Top Ten.  The Top Ten project has been widely recognized,  and many developers are following it. If they applied it in their business, they can easily share their reports (through a confidence agreement if required) to the OWASP board. This interaction benefits both sides. It is a good basic departure point for the labeling system.
+== HOW DOES IT WORK?==
+:There are 4 labels:
--  Use of secure control programming interfaces.  We could use the OWASP Enterprise security APIs project.  The use of these interfaces could become another source for the labeling system. However, it would be crucial to finish the development of important ESAPIs for most popular environments, specially PHP.
+'''* Security (S).'''  Security starts with SECURE CODING, and secure maintenance. This label is based on the OWASP Application Security Verification Standard(ASVS). Web applications will get a rating based on the Applications Security Verification levels on the AVSV standard(cursory, standard, opportunistic, and advanced).
+'''* Privacy (P).'''  Security is also about TRUST. Technical security is not relevant if Software comes with hidden backdoors, and non-transparent policies. This label will require a Privacy scanning policy that may be based on the OWASP Top Ten Privacy project. Web applications must follow ethical principles of data processing and data protection.
+'''* Ingredients (I).'''  Security is also about TRANSPARENCY. This condition is only possible through the use of Open Source Software. Contemporary Software is built(and linked) by many components such as shared libraries, APIs, and so on. This label is about Web Applications exposing all their ingredients, including third party code and dependencies.
+'''* Openness (O).'''  Security might also be OPEN. Open security means having a fast and reliable IT security team. This label consists on a scanning policy based on the OWASP Top Ten project, and making the scan visible.
+| style="padding-left:25px;width:200px;border-right: 1px dotted gray;padding-right:25px;" valign="top" |
+== IMPLEMENTATION==
+Due to the complexity of the tasks, the Labels will be implemented 1 by 1. The first Label to be implemented is the OPENNESS LABEL. We will start with this experimental implementation in June - 2015. In the mean time we need open security promoters, to get submitted into the project's records.
+The System provides 4 logos and 4 clauses(1 for each label). The clauses can be added before the copyright public licenses as a "license exception", or included in the warranty clause(or any other) in custom copyright licenses, license contracts, terms of services, or even privacy policies.
+STEP 1: Get Registered into the OWASP Security Labeling system Site.
+STEP 2: Download the label-logo(s) and paste before your copyright license, license contract, terms of service, or privacy policy.
+STEP 3: Incorporate the correspondent label-clause(s) in a visible place within your Web application, copyright license, license contract,terms of service,or privacy policy.
+== COMPROMISES ==
+- Between DEVELOPER and the OWASP SECURITY LABELING PROJECT. By including the Labeling-logos, the Developer gets the compromise of following the OWASP labeling system requirements.
+- Between DEVELOPER and USERS. By incorporating the Labeling-Clauses, Web service providers assume a direct compromise with their users.
+- Between OWASP SECURITY LABELING PROJECT and USERS. Users can report violations of the labeling system to the OWASP labeling project Volunteers.
+== PRESENTATION ==
+http://owaspsecuritylabelingsystem.blogspot.com/
+http://www.slideshare.net/luisenriquezA/owaspsecuritylabelingsystem
+== MOTIVATION ==
+After joining the OWASP community in my local chapter, I got the idea of a security labeling system. When I contacted Jeff Williams I found out that he already proposed a very similar idea few years ago. We think we can revive it. The OWASP international community has the purpose of  making security visible, and opinions from different sides are crucial in order to create a practical and widely used labeling system.
+| style="padding-left:25px;width:200px;" valign="top" |
+== NEWS AND EVENTS ==
+* The proposal of this project has been relaunched. We are examining with a new team the possibilities of a joint venture for complying the new legal regulations such as GDPR in the summer of 2019.
+'''YOU ARE ALL INVITED TO JOIN THIS SECURITY PROJECT'''.
+== PROJECT LEADER ==
+Luis Enriquez
+==LICENSING==
+The OWASP Security Labeling System Project is free to use. All documentation is licensed under the http://creativecommons.org/licenses/by-sa/3.0/ Creative Commons Attribution-ShareAlike 3.0 license], so you can copy, distribute and transmit the work, and you can adapt it, and use it commercially, but all provided that you attribute the work and if you alter, transform, or build upon this work, you may distribute the resulting work only under the same or similar license to this one.
+== RELATED PROJECTS ==
+* [[OWASP_Legal_Project]]
+* [[OWASP_CISO_Survey]]
+==CLASSIFICATIONS==
+   {| width="200" cellpadding="2"
+   |-
+   | rowspan="2" width="50%" valign="top" align="center" | [[File:Owasp-incubator-trans-85.png|link=https://www.owasp.org/index.php/OWASP_Project_Stages#tab=Incubator_Projects]]
+   | width="50%" valign="top" align="center" | [[File:Owasp-builders-small.png|link=]]
+   |-
+   | width="50%" valign="top" align="center" | [[File:Owasp-defenders-small.png|link=]]
+   |-
+   | colspan="2" align="center" | [[File:Cc-button-y-sa-small.png|link=http://creativecommons.org/licenses/by-sa/3.0/]]
+   |-
+   | colspan="2" align="center" | [[File:Project_Type_Files_CODE.jpg|link=]]
+   |}
+|}
+= Labeling clauses =
+''/*Add these clauses on your web applications in a visible place. You could also add them into your license contracts, terms of services or privacy policies. If your software is licensed under the terms of a generic-purpose FOSS public license(such as the GPL license, the Apache license, the Mozilla license, and so on...),you might add these clauses before the license terms as a license exception, or as additional terms.*/''
+----
+OWASP SECURITY LABELING SYSTEM. This Web Application is labeled under the OWASP security labeling system with the purpose of making security VISIBLE for everybody. THIS IS A SECURITY COMPROMISE BETWEEN THE ADMINISTRATOR of this Web Application, and the end users. This system is only based on trust and reputation. OWASP denies any liability, or damage claims of any kind.
+==Security Label==
+[[File:Owasp-security-scaled.png]]
+SECURITY LABEL CLAUSE: Security starts with secure coding and mantainance. This Web application is following the security guidelines of the OWASP Application Security Verification Standard. Reports can be downloaded "here".
+==Privacy Label==
+[[File:Privacy-scaled.png]]
+PRIVACY LABEL CLAUSE: Security is about Trust. This Web application uses a scan policy based on the OWASP top ten Privacy project. Reports can be downloaded here.
+==Ingredients Label ==
+[[File:Owasp-ingredients-scaled.png]]
+INGREDIENTS LABEL CLAUSE: Security is about Transparency. This Web application  discloses a list of all its components and third party code, including source code, plug-ins, shared libraries. Reports can be downloaded here.
+==Openness Label ==
+[[File:Openness-scaled.png]]
+OPENNESS LABEL CLAUSE: Security is about Transparency. This Web application is regularly scanned by a policy based on the OWASP top ten project. Reports can be downloaded here.
+THIS COMPROMISE IS VALID AS LONG AS THE WEB APPLICATION IS REGISTERED INTO THE OWASP SECURITY LABELING SYSTEM RECORDS.
+=FAQs=
+''' Why creating a security labeling system is important?'''
+: Making security more visible.
+: Is a transnational and market wise solution.
+: It is based on trust and reputation.
+: Visual, and easy to apply.
+: Different labeling categories for different purposes.
+'''Which security labels can I add to my Software?'''
+: '''S'''ecurity label (S).
+: '''P'''rivacy label (P).
+: '''I'''ngredients label (I).
+: '''O'''penness label (O).
+'''What is the Security label (S) about?'''
+: Web Applications must be developed and maintained with a security orientation.
+'''Why is the Security label (S) relevant?'''
+: Users have the right to know if web applications are secure enough. This is the main purpose of OWASP. Currently we propose using the AVSV standard as it provides a basis for testing web application technical security controls.
+'''What is the Privacy label (P) about?'''
+: Surveillance code, misuse of personal data, and non-transparent policies are as dangerous as code vulnerabilities.
+'''Why is the Privacy label relevant?'''
+:  Users have the right to know how their information is processed and stored. We propose developing a privacy scan policy based on the OWASP Top Ten Privacy Project.
+'''What is the Ingredients label (I) about?'''
+: Is about exposing all the components of your software, such as API's, and shared libraries.
+'''Why is the Ingredients label (I) relevant?'''
+: Because it will help developers and users to identify properly third party code, evaluate the risks of using it,
+: avoid non intentional license compatibility controversies, and so forth.
+'''What is the Openness label (O) about?'''
+: It is dedicated to rate security. Web Applications will expose their vulnerabilities of the
+: last vulnerability scan the public. They will have the time to patch them until the next vulnerabilities scan.
+: The scans should be fixed in a regular basis(e.g. each week).
+'''Why is the Openness label (O) relevant?'''
+: Vulnerabilities such as XSS scripting and SQL injection must be efficiently fixed.
+: Scan policies must be based on the OWASP Top ten Project.
+= Acknowledgements =
+==Volunteers==
+The OWASP Security Labeling System is developed by a worldwide team of volunteers. The primary contributors to date have been:
+* Luis Enriquez (Copyright & IT Lawyer)
+* Jeff Williams (Computer Security Expert)
+= Road Map and Getting Involved =
+The priorities of the OWASP Security Labeling System are:
+'''(1) Create and Distribute opinion polls to different sides involved in the IT environment'''(such as software developers, e-commerce agents, IT security firms, Cyber communities, Internet rights NGOs, lawyers, and of course, users).
--  Follow Security and verification standards.  Standards of Security analysis such as the OWASP ASVS standard project.  There is a lack of computer security standards (Do you  think the ISO/IEC 27034-1  could help to our labeling system?).
--  Include security clauses in contracts?.  It would be great to include the legal framework. We could depart from the OWASP secure software contract annex as another source of our labeling system. However, I found a couple issues. (1) Clauses can be changed and adapted.  It would rarely be taken as a whole.  (2) Most contracts are not open to negotiation, and don't have a particular user (Think about an EULA).
+'''(2) Create the most suitable methodology for the security labeling system'''. At this point seems that the best methodology is to create a logo and a declaration. The logo must be visible within the web application, and linked to the declaration and reports stored on the OWASP security labeling system records. The declaration may also be included within the web application, or as part of IT contracts, copyright licenses(additional terms for public licenses), terms of service, or privacy policies.
-I believe the solution would be to create a Soft Law instrument, something like 'the OWASP security software principles' (Soft law instruments such as the principles of the UNIDROIT in International commercial contracts), which includes all the principles and rules contained in the Software Contract Annex. It would be easier to just refer to all the OWASP principles including a Software security clause in the Contract.
+'''(3) Create a secure server in order to generate genuine certificates for the labeled web applications. '''WE ARE HERE
+'''(4) Evaluate the labeling system with a voluntary Application on the Internet.''' This application will be promoted as the first Labeled application. We would start with the '''OPENNESS LABEL''' If the results are good enough, we will add the other labels.
+'''(4) Open the labeling system for any Application''' The OWASP labeling system volunteers will contribute to check that the system is working properly. The labels can always be removed.
+Involvement in the development and promotion of the OWASP Security Labeling System is actively encouraged!
+You do not have to be a security or legal expert in order to contribute.
+Some of the ways you can help:
+* Get into the testing program.
+* Improve the system.
+* Translate the documents to other languages.
+* Improve this wiki.
+---------------------------------------------------------------
+=DEMO (Web Apps)=
+'''''/*This example shows how to apply the OWASP Security Labeling system clauses into your Web Site's TERMS AND CONDITIONS. They should be placed inside an OWASP Security Labeling System section. The labeling logos could be placed in your anywhere as long as they remain visible. (as in the front page of this Website, as widget). This Web Site uses 3 labels: Security, Privacy, and Openness */'''''
+'''''/*FIRST: The logos could be placed in the front page of the website: */'''''
+[[File:Labelingsystem-widget.png]]
+'''''/*SECOND: Add the OWASP Security Labeling System clause to your Terms and Conditions: */'''''
+''Please read carefully the following terms and conditions before registering and using this WebSite:''
+. OWASP SECURITY LABELING SYSTEM. This Web Application is labeled under the OWASP security labeling system with the purpose of making security VISIBLE for everybody. THIS IS A SECURITY COMPROMISE BETWEEN THE ADMINISTRATOR of this Web Application, and the end users. This system is only based on trust and reputation. OWASP denies any liability, or damage claims of any kind.
+SECURITY LABEL CLAUSE: Security starts with secure coding and maintainance. This Web application is following the security guidelines of the OWASP Application Security Verification Standard. Reports can be downloaded "here".
+PRIVACY LABEL CLAUSE: Security is about Trust. This Web application uses a scan policy based on the OWASP top ten Privacy project. Reports can be downloaded here.
+OPENNESS LABEL CLAUSE: Security is about Transparency. This Web application is regularly scanned by a policy based on the OWASP top ten project. Reports can be downloaded here.
+THIS COMPROMISE IS VALID AS LONG AS THIS WEB APPLICATION IS REGISTERED INTO THE OWASP SECURITY LABELING SYSTEM RECORDS.
+.LIABILITY:'''/*(from here, clauses are not important)*/'''
+-  By signing this agreement, the user assumes complete responsibility over their own uploaded content, including posts, comments, and forums. The FOSS lawyers Institute denies any liability and damages of any kind, concerning contents uploaded by the users.
+.INTELLECTUAL PROPERTY:
+- The contents published in this website are licensed by default using the CC by NC license. User's cannot publish works violating the copyrights of others. Such contents will be deleted.
+. TERMINATION:
+- You can always close your account in this website. We also reserve the right of closing user's accounts if they infringe the terms and conditions of this website.
-(3) STAGE THREE: Application of the labeling system (How to make the labels. No graphics yet). We need ideas here. I am thinking about 4 different kinds of OWASP labels ( Please send your proposals). This is just an idea:
-- Ingredients criterion label (I).  This label certifies that the software reveals all software components compiled in the binaries(if not FOSS) and used during development. (eg. Shared libraries, APIs, and so on).
-- Security 'good enough' criterion label (S).  This would be the standard certification label.  This label certifies that the software is 'good enough' because follows good security practices in its development life cycle, updates and security patches.
+=Project About=
+{{:Projects/OWASP_Security_Labeling_System_Project}}
-- Legal 'good enough' criterion label (L).  This is an additional label in case that the contract  includes  security software clauses following the OWASP principles.
+__NOTOC__ <headertabs />
-- Disclosure of vulnerabilities criterion label (D).  This label consists in the open disclosure of vulnerabilities of the software or Web Applications to the users.  Perhaps not many enterprises or web administrators will like to reveal their vulnerabilities. However, the proposal is interesting."
+[[Category:OWASP Project]]
+[[Category:OWASP_Builders]]
+[[Category:OWASP_Defenders]]
+[[Category:OWASP_Document]]