This site is the archived OWASP Foundation Wiki and is no longer accepting Account Requests.
To view the new OWASP Foundation website, please visit https://owasp.org
Difference between revisions of "Summit 2011 Working Sessions/Session073"
(Content additions) |
|||
Line 7: | Line 7: | ||
|- | |- | ||
− | | short_working_session_description= Privacy is a growing area of concern in the US, and might have greater awareness & understanding in the EU than security. Should OWASP say more about protecting personal data? Security is just one aspect of data protection, but many data breaches have been the result of | + | | short_working_session_description= |
+ | |||
+ | [[File:Banner-privacypush-1.png]] | ||
+ | |||
+ | Privacy is a growing area of concern in the US, and might have greater awareness & understanding in the EU than security. Should OWASP say more about protecting personal data? Security is just one aspect of data protection, but many data breaches have been the result of application vulnerabilities. | ||
|- | |- | ||
− | | related_project_name1 = | + | | related_project_name1 = Application Security Verification Standard - V9 Data Protection |
− | | related_project_url_1 = | + | | related_project_url_1 = http://www.owasp.org/index.php/Category:OWASP_Application_Security_Verification_Standard_Project |
− | | related_project_name2 = | + | | related_project_name2 = Application Security Desk Reference (ASDR) - Vulnerabilities - Privacy Violation |
− | | related_project_url_2 = | + | | related_project_url_2 = http://www.owasp.org/index.php/Privacy_Violation |
| related_project_name3 = | | related_project_name3 = | ||
Line 28: | Line 32: | ||
|- | |- | ||
− | | summit_session_objective_name1= | + | | summit_session_objective_name1= Discuss whether OWASP needs to be more proactive about privacy |
− | | summit_session_objective_name2 = Brief participants on the issues and recent legislation/regulation | + | | summit_session_objective_name2 = Brief participants on the issues and recent drivers/legislation/regulation |
− | | summit_session_objective_name3 = | + | | summit_session_objective_name3 = Define how we build PII/data protection matters into existing tools and resources |
| summit_session_objective_name4 = Identify gaps | | summit_session_objective_name4 = Identify gaps | ||
Line 52: | Line 56: | ||
|- | |- | ||
− | | working_session_additional_details = | + | | working_session_additional_details = The protection of personal data has been an important concern of organisations, especuially in Europe where European legislation has driven continent-wide adoption. In North America, the US HIPAA and Canadian Privacy Act have driven privacy initiatives. With the adoption of principles and processes such as "privacy by design", "privacy impact assessments" and "building privacy in", backed with strong regulation, organizations are having to make privacy a central part of their business practices. Growing public concern about use of their personal data, mis-use by organizations and personal data breaches are leading to increased, rather than decreased government intervention in this area. Privacy issues are nothing new, but some more recent examples are: |
+ | |||
+ | * [http://www.ftc.gov/opa/2010/12/privacyreport.shtm US Federal Trade Commission (FTC) Preliminary Staff Report on Privacy], 12 December 2010 | ||
+ | * [http://www.europarl.europa.eu/sides/getDoc.do?pubRef=-//EP//TEXT+TA+P7-TA-2010-0484+0+DOC+XML+V0//EN&language=EN European Parliament Asks the European Commission to Protect Online Users from Advertising], 15 December 2010 | ||
+ | * [http://news.cnet.com/8301-31921_3-20025950-281.html?part=rss&subj=news&tag=2547-1_3-0-20 Members Appointed to US Privacy and Civil Liberties Oversight Board], 16 December 2010 | ||
+ | * [http://www.commerce.gov/news/press-releases/2010/12/16/commerce-department-unveils-policy-framework-protecting-consumer-privUS Department of Commerce Publishes Green Paper Recommending Creation of a Privacy 'Bill of Rights' for Internet Users], 16 December 2010 | ||
+ | |||
+ | Can we map projects (tools and sections in resources) to business drivers such as "privacy"? | ||
+ | |||
+ | Privacy aspects are referred to through the wiki (including projects): | ||
+ | |||
+ | [[File:Owasp-org-privacy-counts.png]] | ||
+ | |||
+ | But there is not any central guide, and perhaps what there is, does not have enough depth. ASVS includes a whole verification topic about data protection and the ASDR has a page on privacy as a "vulnerability". The OWASP Top ten 2010 mentions personal data in the context of insecure cryptographic storage, but privacy protection is of course much wider than encrypting data. It is of course much wider than application security: | ||
+ | |||
+ | [[File:Privacy-context.png]] | ||
+ | |||
+ | But is OWASP offering the correct guidance in this area? Should OWASP be doing more? | ||
|- | |- |
Revision as of 19:59, 23 December 2010
Global Summit 2011 Home Page
Global Summit 2011 Tracks
{{{summit_ws_logo}}} Privacy - Personal Data/PII, Legislation and OWASP | ||||||
---|---|---|---|---|---|---|
Please see/use the 'discussion' page for more details about this Working Session | ||||||
Working Sessions Operational Rules - Please see here the general frame of rules. |
WORKING SESSION IDENTIFICATION | ||||||
---|---|---|---|---|---|---|
Short Work Session Description |
Privacy is a growing area of concern in the US, and might have greater awareness & understanding in the EU than security. Should OWASP say more about protecting personal data? Security is just one aspect of data protection, but many data breaches have been the result of application vulnerabilities. | |||||
Related Projects (if any) |
| |||||
Email Contacts & Roles | Chair Colin Watson @ |
Operational Manager |
Mailing list {{{mailing_list}}} |
WORKING SESSION SPECIFICS | ||||||
---|---|---|---|---|---|---|
Objectives |
| |||||
Venue/Date&Time/Model | Venue/Room OWASP Global Summit Portugal 2011 |
Date & Time
|
Discussion Model participants and attendees |
|
---|
WORKING SESSION OPERATIONAL RESOURCES | ||||||
---|---|---|---|---|---|---|
Projector, whiteboards, markers, Internet connectivity, power |
|
---|
WORKING SESSION ADDITIONAL DETAILS | ||||||
---|---|---|---|---|---|---|
The protection of personal data has been an important concern of organisations, especuially in Europe where European legislation has driven continent-wide adoption. In North America, the US HIPAA and Canadian Privacy Act have driven privacy initiatives. With the adoption of principles and processes such as "privacy by design", "privacy impact assessments" and "building privacy in", backed with strong regulation, organizations are having to make privacy a central part of their business practices. Growing public concern about use of their personal data, mis-use by organizations and personal data breaches are leading to increased, rather than decreased government intervention in this area. Privacy issues are nothing new, but some more recent examples are:
Can we map projects (tools and sections in resources) to business drivers such as "privacy"? Privacy aspects are referred to through the wiki (including projects): But there is not any central guide, and perhaps what there is, does not have enough depth. ASVS includes a whole verification topic about data protection and the ASDR has a page on privacy as a "vulnerability". The OWASP Top ten 2010 mentions personal data in the context of insecure cryptographic storage, but privacy protection is of course much wider than encrypting data. It is of course much wider than application security: But is OWASP offering the correct guidance in this area? Should OWASP be doing more? |
WORKING SESSION OUTCOMES / DELIVERABLES | ||
---|---|---|
Proposed by Working Group | Approved by OWASP Board | |
After the Board Meeting - fill in here. | ||
After the Board Meeting - fill in here. | ||
After the Board Meeting - fill in here. | ||
After the Board Meeting - fill in here. | ||
After the Board Meeting - fill in here. | ||
After the Board Meeting - fill in here. | ||
After the Board Meeting - fill in here. | ||
After the Board Meeting - fill in here. |
Working Session Participants
(Add you name by clicking "edit" on the tab on the upper left side of this page)
WORKING SESSION PARTICIPANTS | ||||||
---|---|---|---|---|---|---|
Name | Company | Notes & reason for participating, issues to be discussed/addressed | ||||
Colin Watson |
{{{summit_session_attendee_company1}}} |
{{{summit_session_attendee_notes,_reason_for_participating_and_issues_to_be discussed1}}} | ||||
|
{{{summit_session_attendee_company2}}} |
{{{summit_session_attendee_notes,_reason_for_participating_and_issues_to_be discussed2}}} | ||||
|
{{{summit_session_attendee_company3}}} |
{{{summit_session_attendee_notes,_reason_for_participating_and_issues_to_be discussed3}}} | ||||
|
{{{summit_session_attendee_company4}}} |
{{{summit_session_attendee_notes,_reason_for_participating_and_issues_to_be discussed4}}} | ||||
|
{{{summit_session_attendee_company5}}} |
{{{summit_session_attendee_notes,_reason_for_participating_and_issues_to_be discussed5}}} | ||||
|
{{{summit_session_attendee_company6}}} |
{{{summit_session_attendee_notes,_reason_for_participating_and_issues_to_be discussed6}}} | ||||
|
{{{summit_session_attendee_company7}}} |
{{{summit_session_attendee_notes,_reason_for_participating_and_issues_to_be discussed7}}} | ||||
|
{{{summit_session_attendee_company8}}} |
{{{summit_session_attendee_notes,_reason_for_participating_and_issues_to_be discussed8}}} | ||||
|
{{{summit_session_attendee_company9}}} |
{{{summit_session_attendee_notes,_reason_for_participating_and_issues_to_be discussed9}}} | ||||
|
{{{summit_session_attendee_company10}}} |
{{{summit_session_attendee_notes,_reason_for_participating_and_issues_to_be discussed10}}} | ||||
|
{{{summit_session_attendee_company11}}} |
{{{summit_session_attendee_notes,_reason_for_participating_and_issues_to_be discussed11}}} | ||||
|
{{{summit_session_attendee_company12}}} |
{{{summit_session_attendee_notes,_reason_for_participating_and_issues_to_be discussed12}}} | ||||
|
{{{summit_session_attendee_company13}}} |
{{{summit_session_attendee_notes,_reason_for_participating_and_issues_to_be discussed13}}} | ||||
|
{{{summit_session_attendee_company14}}} |
{{{summit_session_attendee_notes,_reason_for_participating_and_issues_to_be discussed14}}} | ||||
|
{{{summit_session_attendee_company15}}} |
{{{summit_session_attendee_notes,_reason_for_participating_and_issues_to_be discussed15}}} | ||||
|
{{{summit_session_attendee_company16}}} |
{{{summit_session_attendee_notes,_reason_for_participating_and_issues_to_be discussed16}}} | ||||
|
{{{summit_session_attendee_company17}}} |
{{{summit_session_attendee_notes,_reason_for_participating_and_issues_to_be discussed17}}} | ||||
|
{{{summit_session_attendee_company18}}} |
{{{summit_session_attendee_notes,_reason_for_participating_and_issues_to_be discussed18}}} | ||||
|
{{{summit_session_attendee_company19}}} |
{{{summit_session_attendee_notes,_reason_for_participating_and_issues_to_be discussed19}}} | ||||
|
{{{summit_session_attendee_company20}}} |
{{{summit_session_attendee_notes,_reason_for_participating_and_issues_to_be discussed20}}} |