This site is the archived OWASP Foundation Wiki and is no longer accepting Account Requests.
To view the new OWASP Foundation website, please visit

Industry:ICO Data Sharing CoP

Revision as of 18:15, 19 January 2011 by Clerkendweller (talk | contribs) (Status closed / Deadline date correction)

(diff) ← Older revision | Latest revision (diff) | Newer revision → (diff)
Jump to: navigation, search

Return to Global Industry Committee

Activity Name ICO Data Sharing CoP
Short Description Provide response to "Data Sharing Code of Practice Consultation"
Related Projects None
Email Contacts & Roles Primary
Colin Watson
Alexander Fry
Mailing list
Please use the Industry Committee list
  • Review CoP - in particular issues relating to web application security
  • Where appropriate, draft a response for submission
  • Submit the response as an official OWASP statement
  • 15 Oct 2010 - Complete first draft response
  • 25 Oct 2010 - Circulate to OWASP UK chapters and GIC mailing lists
  • 30 Oct 2010 - Prepare final version
  • 24 Dec 2010 - Submit to ICO
  • Closed
Resources Consultation document

Consultation questions

Press release

Response submission by email to [email protected] by 5th January 2011

Submission Response

Latest first

Final version


Draft Text version 1


This official response has been submitted on behalf of the Open Web Application Security Project (OWASP) by the OWASP Global Industry Committee, following our own consultation process.


The OWASP response only replies to two questions.

6. Is the code relevant to the types of data sharing your organisation is involved in? If not, which additional areas should we cover?

In "Technical Security" on page 15, there is no mention of websites, yet these are one of the common channels that lead to personal data breaches. Our suggestion is to add an item: "If personal data is collected or processed using a web site or mobile application, have the most common security risks been identified, removed or mitigated?"

This could reference as footnotes, or in other supporting materials, the following free guidance documents:

10. Is there anything else you think the code should cover or are there any other ways in which you think the code could be improved?

In "technical security" on page 15, we believe "is your information encrypted" is too simplistic. Many difficulties exist in implementing encryption properly and problems can be introduced in unexpected ways. Whilst we understand this document cannot provide all the detail required, a better question would be "How is encryption implemented and managed?"

On page 17 in the discussion of data standards, non-Latin characters are mentioned, but the more generic issues of encoding (e.g. UTF-8) and escaping are not. These are significant factors in successful data sharing and for ensuring the integrity of the data once it has been exported from one system and imported into another. If not properly defined and implemented, data that is safe in one system might actively exploit a weakness in another leading to data loss, destruction, etc (e.g. by SQL injection). Our suggestion is to add after "capabilities of its system.", a new sentence "Ensure the data are correctly encoded and escaped when output so they can safely be used by the receiving system.".


to be added in final draft

Return to Global Industry Committee