OWASP Statement on the Security of the Internet 2014

Revision as of 03:58, 31 January 2014 by Sarah Baso


The OWASP (Open Web Application Security Project) community cares deeply about how much people can trust commonly used Internet services and the applications that provide and use those services. The reports about large-scale intelligence activities targeting Internet communication and applications, and about possible attempts to undermine cryptographic algorithms, leave us deeply concerned. We already knew about the interception of communications of targeted individuals and about other monitoring activities; however, the scale of the recently reported activities, and the possibility that the security of deployed applications is being actively undermined, are alarming.

Of course, it is hard to know for sure from current reports which attack techniques may be in use and which secret agreements may be in place. As such, it is not easy to comment on the specifics from an OWASP perspective. OWASP does, however, have long-standing general principles that we can speak to, and we can describe some of the actions we are taking.

Our mission is to make application security visible so that people and organizations can make informed decisions about application security risks.

  • We strongly believe trustworthy secure software and applications are an important cornerstone of human society and interactions of all people around the world.
  • We strongly believe that people, companies and governments must protect software security and must not intentionally weaken software security, security standards, or undermine the security of cryptographic algorithms.
  • We strongly believe that people, companies and governments must not intentionally introduce defects or vulnerabilities (or secret back-doors) compromising the security, trust and integrity of software and applications.

We think it is also important to point out that if vulnerabilities are introduced by people, governments or corporations to enable monitoring, this will not only have adverse effects on freedom and trust within human society; sooner or later these vulnerabilities and weaknesses will also be found and exploited by malicious actors and criminals. The general population and companies will then be left without protection against those actors, undermining the very foundations of many of the software applications that support our daily lives, with potentially world-wide catastrophic consequences.

The OWASP community wants to help build secure and deployable systems for all Internet users. Addressing security and new vulnerabilities has been the key strength of the OWASP community for more than a decade, and we know that technology is not the only factor: education, operational practices, laws, and other similar factors also matter. We see the recent news and developments as a challenge, inspiring us to stand by our principles, work harder and do more to make the web and applications more secure. Eoin Keary, OWASP board member, pointed out: "OWASP cannot stand by and let the erosion of security occur; it is against our mission." We are confident that the OWASP community can do its part, and we believe that OWASP security recommendations and tools, if used more widely, can help.

We should seize this opportunity to look at what we can do better going forward, and not think about all this only in light of the recent revelations. The security and privacy of the Internet in general remain a major challenge, even leaving recent intelligence activities aside. Lessons can be drawn from the above that will be generally useful in many ways for years to come. Tobias Gondrom, OWASP board member, voiced the hope that "perhaps this year's discussions can be the inspiring spark to motivate the world to become more security aware, address open issues and move from 'insecure by default' to 'secure by default'."

Publicity and motivation are important, too. There is plenty to do for all of us, from users enabling additional security features, to security experts, companies and governments ensuring that their users, products, services and applications are secure. OWASP is an open community, and we invite everyone interested in working in this area to rise to this challenge, contribute to the analysis, and develop ideas together for our common future.