Latest revision as of 14:06, 3 June 2009

Charter

The OWASP Intrinsic Security Working Group (ISWG) is a small, representative body of OWASP members whose primary goal is to help all the organizations involved in making web applications work on the Internet today. This involves proposing new functionality and advising how to improve existing functionality.

In order to accomplish these goals, the ISWG will focus their energy on the following tasks:

• collect ideas from the OWASP community on how to secure the infrastructure of the web (including regarding browser features, influencing W3C standards, updating relevant RFCs, working with framework vendors)
• create precise, organized and technical arguments for the acceptance of a community idea
• communicate that idea to the appropriate stakeholder

Depending on the issue or idea, the ISWG may either create a draft for issuance to a stakeholder and then ask the OWASP community for input, or allow the draft be entirely crowdsourced and then perform final edits. Agile communications may be needed for faster moving organizations in which case the "point person" for the organization will have to keep notes of their conversations and try to best accommodate the target organization.

Joining the ISWG

If you are interested in joining the ISWG, please express your interest to an existing ISWG member or send a message to the ISWG mailing list. The ISWG are definitely seeking highly motivated individuals who are familiar with the hurdles of the current web application infrastructure and are capable of tackling issues in a non-combative way. The ISWG is not interested in nonconstructive arguments or those that would exhibit uncooperative behavior towards any of the stakeholders involved. We need respectful, technical and creative people who want to put the work in to create a better Internet architecture.

We need people who are good technologists to create scientific arguments. However, it is actually more important that we incorporate people that are motivated, persistent and strong communicators to "get us in the door" to an organization or community and help craft a convincing message.

Working Group Members

The members of the OWASP Intrinsic Security Working Group (ISWG) include the following members who collectively represent both the security community and the service industry whose customers are directly affected by the decisions made by the organizations we want to interact with:

• Arshan Dabirsiaghi, Aspect Security
• Jim Manico, Aspect Security
• Ivan Ristic, Breach Security
• Dinis Cruz, Ounce Labs
• Mario Heiderich, Independent Security Researcher
• Stefano Di Paolo, Minded Security
• Tom Stripling, SecurityPS
• Dave Wichers, Aspect Security
• Jeff Williams, Aspect Security
• Sebastien Deleersnyder, OWASP Board Member
• Kuai Hinojosa, NYU
• Venkatesh Jagannathan, Cognizant
• Bil Corry
• Tom Brennan, WhiteHat Security

Ongoing Collaborations / Relationships

Input on W3C Workshop on device API security

Currently input (people / ideas) is requested to provide OWASP input on an upcoming W3C Workshop on device API security. A working page with details is started at ISWG - W3C Workshop on device API security.

Monthly Reports

The status reports indicate self-prescribed goals, deadlines, and progress on a month-by-month basis since the inception of the Intrinsic Security Working Group.

2009

March-April
January-February

2008

December
November
October
September

Publications

On May 4, 2009, the ISWG published "A Gap Analysis of Application Security in Struts2", a research project that will hopefully show architects and developers what attacks must be compensated for when building a Struts2 application and how the framework could improve its security. The document is available here.