This site is the archived OWASP Foundation Wiki and is no longer accepting Account Requests.
To view the new OWASP Foundation website, please visit https://owasp.org

SpoC 007 - The OWASP Web Security Certification Framework

From OWASP
Revision as of 12:32, 13 July 2007 by Pauloc (talk | contribs)

Jump to: navigation, search

Back to SpoC 007 Selection page


AoC Candidate: Mark Curphey

Project coordinator: Dinis Cruz

Project Progress: 45% Complete, Progress Page

Mark Curphey – The OWASP Web Security Certification Framework

Problem

PCI DSS is attracting a lot of criticism for a lot of valid reasons.

http://securitybuddha.com/2007/03/23/the-problems-with-the-pci-data-security-standard-part-1/

http://blogs.csoonline.com/node/210

http://www.computerweekly.com/blogs/stuart_king/2007/03/more-on-pci---the-audit-guide.html

The list is of course long and not appropriate here……and while its easy to knock PCI, there is nothing better out there.

Solutions and Deliverables

As opposed to me continuing saying what’s wrong with PCI DSS, it seems to me that OWASP is a perfect forum to simply create and publish a “better criteria”. This can either be adopted and implemented by an organization like OWASP or considered to be incorporated into the PCI or other security standards. We won't get bogged down in the politics up-front, but hold something good up to the world for people to adopt. This project would of course draw on and bring together many of the other OWASP Projects including the Guide (What is a secure web app), Testing Guides (How to test for a secure web app), WebGoat (part of how to certify an individual understands and can find web app issues) etc. Many of those projects may not be complete or a perfect fit today, but this project can bring a common connecting theme to a lot of very valuable IP that OWASP has built over the years. I will also create it in such as way that a corporate could adopt/adapt it themseles as well as an industry. Where other OWASP projects are not complete or currently suitable I will build a requirements doc that can be considered by those teams if they feel appropriate.

This project would address the; Standard

  • A complete auditable (important) web site security standard suitable for modern e-commerce companies including
         o The technical things people should care about
         o The operational / management things people should care about

Certification Model

  • A complete framework for certification (ongoing) and implementation (including certifying auditors, ongoing validation etc). This will include for example the model for certifying auditors (including the actual test program); checklists and forms for auditors to complete and other supporting material.

Essentially its a complete blueprint for an organisation like OWASP or a regulatory body need to run a web site security certification program complete with the supporting material to implement it.

Note: This is no trivial task to get right. I would need to ensure I can commit to completing the work to a good quality. I think this will take at least 2 months from start to finish to complete but I think is very important for the industry and for potentially for OWASP. I wanted to gauge the interest by first posting this.


Back to SpoC 007 Selection page

Retrieved from "https://wiki.owasp.org/index.php?title=SpoC_007_-_The_OWASP_Web_Security_Certification_Framework&oldid=19824"