This site is the archived OWASP Foundation Wiki and is no longer accepting Account Requests.
To view the new OWASP Foundation website, please visit https://owasp.org
Difference between revisions of "Positive Security Project"
Camargoneves (talk | contribs) (→References) |
Dinis.cruz (talk | contribs) |
||
| (38 intermediate revisions by one other user not shown) | |||
| Line 1: | Line 1: | ||
| − | == Welcome to the Positive Security Project | + | {{taggedDocument |
| + | | type=historical | ||
| + | }} | ||
| + | |||
| + | = Welcome to the Positive Security Project = | ||
A common approach on most companies is adequate the protection of their assets as part of a post mortem lessons learned process. A web site changes, data compromised and unavailability as a result of a DoS attack are common examples on a start point to accept the existence of security flaws and initiate the security enhancement to avoid future occurrences. Even in these cases the adequate security is not always performed as a consequence of the enhancement process and the most common result is to allocate efforts on the problem’s source and simply forget about the rest. | A common approach on most companies is adequate the protection of their assets as part of a post mortem lessons learned process. A web site changes, data compromised and unavailability as a result of a DoS attack are common examples on a start point to accept the existence of security flaws and initiate the security enhancement to avoid future occurrences. Even in these cases the adequate security is not always performed as a consequence of the enhancement process and the most common result is to allocate efforts on the problem’s source and simply forget about the rest. | ||
| Line 7: | Line 11: | ||
The broader vision for this project is to work for change in the software market. To increase application security, we need to make it possible for people to make informed decisions about the software they buy. Then the market can work to encourage security. To enable informed decisions, we need real information about the people, process, and technology used to create an application. And that means we need positive disclosure. The negative approach to security leads to the penetrate-and-patch hamster wheel of pain security management process. The time has come to be positive and proactive. | The broader vision for this project is to work for change in the software market. To increase application security, we need to make it possible for people to make informed decisions about the software they buy. Then the market can work to encourage security. To enable informed decisions, we need real information about the people, process, and technology used to create an application. And that means we need positive disclosure. The negative approach to security leads to the penetrate-and-patch hamster wheel of pain security management process. The time has come to be positive and proactive. | ||
| − | = | + | |
| + | = Get Involved on Positive Security = | ||
'''What is Positive Security?''' | '''What is Positive Security?''' | ||
| Line 13: | Line 18: | ||
Positive security focuses on verifying that security controls are present, properly implemented, and used in all the right places. It involves white lists and only allowing what's specifically allowed. And it involves disclosing what a company does to ensure the security of the software it produces (positive disclosure). Disclosing vulnerabilities (negative disclosure/full disclosure) has a role in the market, but the metrics produced are meaningless. | Positive security focuses on verifying that security controls are present, properly implemented, and used in all the right places. It involves white lists and only allowing what's specifically allowed. And it involves disclosing what a company does to ensure the security of the software it produces (positive disclosure). Disclosing vulnerabilities (negative disclosure/full disclosure) has a role in the market, but the metrics produced are meaningless. | ||
| − | '''How to Adopt a Positive Security Approach? (For | + | '''How to Adopt a Positive Security Approach? (For Suppliers)''' |
| + | * An Overview of the Positive Security Approach - The Supplier Side | ||
'''How to Adopt a Positive Security Approach? (For Customers)''' | '''How to Adopt a Positive Security Approach? (For Customers)''' | ||
| + | * An Overview of the Positive Security Approach - The Customer Side | ||
| + | * How to sell the Positive Security Approach within your company | ||
| + | * How to explain the Positive Security Approach amongst your IT colleagues | ||
| + | * How to explain the Positive Security Approach for your internal customers | ||
| + | |||
| + | '''Public Resources on Positive Security (Companies Related)''' | ||
| + | * [http://msdn.microsoft.com/en-us/security/cc448177.aspx Microsoft Security Development Lifecycle (SDL)] (English) | ||
| + | |||
| + | '''Public Resources on Positive Security (Government Related)''' | ||
| + | * [http://www.adacore.com/home/gnatpro/tokeneer/ The Tokeneer Project]: In order to demonstrate that developing highly secure systems to the level of rigor required by the higher assurance levels of the Common Criteria is possible, the NSA (National Security Agency) asked Praxis High Integrity Systems to undertake a research project to develop part of an existing secure system (the Tokeneer System) in accordance with Praxis’ Correctness by Construction development process. This development and research work has now been made available by the NSA to the software development and security communities in an effort to prove that it is possible to develop secure systems rigorously in a cost effective manner. | ||
| − | ''' | + | '''Public Resources on Positive Security (Community Related)''' |
| + | * [http://www.ejemplo.com Título del enlace] | ||
| − | ''' | + | |
| + | |||
| + | |||
| + | |||
| + | The Positive Security Index | ||
| + | |||
| + | = Updates = | ||
| + | |||
| + | '''28 October 2008 | ||
| + | ''' | ||
| + | * Page layout changed to include more resources | ||
| + | |||
| + | '''23 September 2008''' | ||
| + | |||
| + | * The Top 50 Software Companies list was updated with relative information and links to companies' resources on Positive Security. | ||
| + | |||
| + | |||
| + | = Get Involved = | ||
Everyone has something to contribute. Sharing public available information on how companies are dealing with the Positive Security Attitude is well appreciated and also the vice-versa, where companies simply don’t care about their security controls until a problem occurs and a considerable impact. If you want to contribute to the project as an author, reviewer or in any other fashion, please send a message to owasp (at) camargoneves.com explaining what you can do and how much effort you can allocate to this non-profit volunteer process. | Everyone has something to contribute. Sharing public available information on how companies are dealing with the Positive Security Attitude is well appreciated and also the vice-versa, where companies simply don’t care about their security controls until a problem occurs and a considerable impact. If you want to contribute to the project as an author, reviewer or in any other fashion, please send a message to owasp (at) camargoneves.com explaining what you can do and how much effort you can allocate to this non-profit volunteer process. | ||
| − | == | + | = Top 50 Software Companies = |
| + | |||
| + | The Top 50 Software Companies were defined following The Big International Software Index, published at [http://www.softwaretop100.org/ Software Top 100 web site] and these companies are being studied to understand what kind of approach they maintain to deal with IT Security and if the material can be useful as reference for the Positive Security Project. This list was also defined as the reference for the [https://www.owasp.org/index.php/OWASP_Corporate_Application_Security_Rating_Guide OWASP Corporate Application Security Rating Guide]. | ||
| + | |||
| + | For each company listed, the following information are stated on this page: | ||
| + | |||
| + | * '''Summary:''' A brief description of the company, normally copied from Wikipedia or their own website. | ||
| − | ''' | + | * '''Related Websites:''' Links to these companies’ websites where information on Positive Security Approach is published and available for public use. |
| − | + | * '''Related Resources:''' Documents, methodologies, presentations and all other resources directly related to the Positive Security approach which are available for the community. | |
''Note: All links and supportive information was directly collected from the software companies' web sites without any change or adjustment. Please read it understanding that some marketing approach may be in use and apply your own critical view. :-)'' | ''Note: All links and supportive information was directly collected from the software companies' web sites without any change or adjustment. Please read it understanding that some marketing approach may be in use and apply your own critical view. :-)'' | ||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | (02 | + | == 01. Microsoft == |
| + | |||
| + | |||
| + | '''Summary''' | ||
| + | |||
| + | Microsoft Corporation is an American multinational computer technology corporation, which rose to dominate the home computer operating system market with MS-DOS in the mid-1980s, followed by the Windows line of operating systems. It develops, manufactures, licenses, and supports a wide range of software products for computing devices. Microsoft CTO and Senior Vice President Craig Mundie authored a whitepaper in 2002, defining the framework of the company’s Trustworthy Computing program. Four areas were identified as the initiative’s key “pillars”. Microsoft has subsequently organized its efforts to align with these goals. These key activities are set forth as: Security, Privacy, Reliability and Business Integrity. [http://en.wikipedia.org/wiki/Microsoft (Ref.1)] [http://en.wikipedia.org/wiki/Trustworthy_Computing (Ref.2)] | ||
| + | |||
| + | |||
| + | '''Related Websites''' | ||
| + | |||
| + | * [http://www.microsoft.com/security/default.mspx Microsoft Security Main Page]: Provides links and general information about several information security related initiatives and strategies at Microsoft. | ||
| + | |||
| + | * [http://msdn.microsoft.com/en-us/security/cc448177.aspx Microsoft Security Development Lifecycle (SDL)]: Main website for Microsoft's SDL, a company-wide initiative and a mandatory policy since 2004. Combining a holistic and practical approach, SDL introduces security and privacy early and throughout the development process. | ||
| + | |||
| + | '''Related Resources''' | ||
| + | * [http://msdn.microsoft.com/en-us/security/cc420639.aspx The Microsoft Security Development Lifecycle (SDL): Process Guidance] | ||
| + | |||
| + | == 02. IBM == | ||
| + | |||
| + | '''Summary''' | ||
| + | |||
| + | Here is the text. | ||
| + | |||
| + | '''Public Resources''' | ||
| + | |||
| + | * [http://www.wikimedia.org Resource]: Resource Description. | ||
| + | |||
| + | '''Related Websites''' | ||
| + | |||
| + | * [http://www.wikimedia.org Website] | ||
| + | |||
(03) Oracle | (03) Oracle | ||
| + | |||
| + | '''Summary''' | ||
| + | |||
| + | Here is the text. | ||
| + | |||
| + | '''Public Resources''' | ||
| + | |||
| + | * [http://www.wikimedia.org Resource]: Resource Description. | ||
| + | |||
| + | '''Related Websites''' | ||
| + | |||
| + | * [http://www.wikimedia.org Website] | ||
(04) SAP | (04) SAP | ||
| + | |||
| + | '''Summary''' | ||
| + | |||
| + | Here is the text. | ||
| + | |||
| + | '''Public Resources''' | ||
| + | |||
| + | * [http://www.wikimedia.org Resource]: Resource Description. | ||
| + | |||
| + | '''Related Websites''' | ||
| + | |||
| + | * [http://www.wikimedia.org Website] | ||
(05) HP | (05) HP | ||
| + | |||
| + | '''Summary''' | ||
| + | |||
| + | Here is the text. | ||
| + | |||
| + | '''Public Resources''' | ||
| + | |||
| + | * [http://www.wikimedia.org Resource]: Resource Description. | ||
| + | |||
| + | '''Related Websites''' | ||
| + | |||
| + | * [http://www.wikimedia.org Website] | ||
(06) Symantec | (06) Symantec | ||
| + | |||
| + | '''Summary''' | ||
| + | |||
| + | Here is the text. | ||
| + | |||
| + | '''Public Resources''' | ||
| + | |||
| + | * [http://www.wikimedia.org Resource]: Resource Description. | ||
| + | |||
| + | '''Related Websites''' | ||
| + | |||
| + | * [http://www.wikimedia.org Website] | ||
(07) Computer Associates | (07) Computer Associates | ||
| + | |||
| + | '''Summary''' | ||
| + | |||
| + | Here is the text. | ||
| + | |||
| + | '''Public Resources''' | ||
| + | |||
| + | * [http://www.wikimedia.org Resource]: Resource Description. | ||
| + | |||
| + | '''Related Websites''' | ||
| + | |||
| + | * [http://www.wikimedia.org Website] | ||
(08) Electronic Arts | (08) Electronic Arts | ||
| + | |||
| + | '''Summary''' | ||
| + | |||
| + | Here is the text. | ||
| + | |||
| + | '''Public Resources''' | ||
| + | |||
| + | * [http://www.wikimedia.org Resource]: Resource Description. | ||
| + | |||
| + | '''Related Websites''' | ||
| + | |||
| + | * [http://www.wikimedia.org Website] | ||
(09) Adobe | (09) Adobe | ||
| + | |||
| + | '''Summary''' | ||
| + | |||
| + | Here is the text. | ||
| + | |||
| + | '''Public Resources''' | ||
| + | |||
| + | * [http://www.wikimedia.org Resource]: Resource Description. | ||
| + | |||
| + | '''Related Websites''' | ||
| + | |||
| + | * [http://www.wikimedia.org Website] | ||
(10) Nintendo | (10) Nintendo | ||
| + | |||
| + | '''Summary''' | ||
| + | |||
| + | Here is the text. | ||
| + | |||
| + | '''Public Resources''' | ||
| + | |||
| + | * [http://www.wikimedia.org Resource]: Resource Description. | ||
| + | |||
| + | '''Related Websites''' | ||
| + | |||
| + | * [http://www.wikimedia.org Website] | ||
(11) EMC | (11) EMC | ||
| + | |||
| + | '''Summary''' | ||
| + | |||
| + | Here is the text. | ||
| + | |||
| + | '''Public Resources''' | ||
| + | |||
| + | * [http://www.wikimedia.org Resource]: Resource Description. | ||
| + | |||
| + | '''Related Websites''' | ||
| + | |||
| + | * [http://www.wikimedia.org Website] | ||
(12) Autodesk | (12) Autodesk | ||
| + | |||
| + | '''Summary''' | ||
| + | |||
| + | Here is the text. | ||
| + | |||
| + | '''Public Resources''' | ||
| + | |||
| + | * [http://www.wikimedia.org Resource]: Resource Description. | ||
| + | |||
| + | '''Related Websites''' | ||
| + | |||
| + | * [http://www.wikimedia.org Website] | ||
(13) NCR | (13) NCR | ||
| + | |||
| + | '''Summary''' | ||
| + | |||
| + | Here is the text. | ||
| + | |||
| + | '''Public Resources''' | ||
| + | |||
| + | * [http://www.wikimedia.org Resource]: Resource Description. | ||
| + | |||
| + | '''Related Websites''' | ||
| + | |||
| + | * [http://www.wikimedia.org Website] | ||
(14) Activision | (14) Activision | ||
| + | |||
| + | '''Summary''' | ||
| + | |||
| + | Here is the text. | ||
| + | |||
| + | '''Public Resources''' | ||
| + | |||
| + | * [http://www.wikimedia.org Resource]: Resource Description. | ||
| + | |||
| + | '''Related Websites''' | ||
| + | |||
| + | * [http://www.wikimedia.org Website] | ||
(15) Cisco | (15) Cisco | ||
| + | |||
| + | '''Summary''' | ||
| + | |||
| + | Here is the text. | ||
| + | |||
| + | '''Public Resources''' | ||
| + | |||
| + | * [http://www.wikimedia.org Resource]: Resource Description. | ||
| + | |||
| + | '''Related Websites''' | ||
| + | |||
| + | * [http://www.wikimedia.org Website] | ||
(16) SunGard | (16) SunGard | ||
| + | |||
| + | '''Summary''' | ||
| + | |||
| + | Here is the text. | ||
| + | |||
| + | '''Public Resources''' | ||
| + | |||
| + | * [http://www.wikimedia.org Resource]: Resource Description. | ||
| + | |||
| + | '''Related Websites''' | ||
| + | |||
| + | * [http://www.wikimedia.org Website] | ||
(17) BMC | (17) BMC | ||
| + | |||
| + | '''Summary''' | ||
| + | |||
| + | Here is the text. | ||
| + | |||
| + | '''Public Resources''' | ||
| + | |||
| + | * [http://www.wikimedia.org Resource]: Resource Description. | ||
| + | |||
| + | '''Related Websites''' | ||
| + | |||
| + | * [http://www.wikimedia.org Website] | ||
(18) Intuit | (18) Intuit | ||
| + | |||
| + | '''Summary''' | ||
| + | |||
| + | Here is the text. | ||
| + | |||
| + | '''Public Resources''' | ||
| + | |||
| + | * [http://www.wikimedia.org Resource]: Resource Description. | ||
| + | |||
| + | '''Related Websites''' | ||
| + | |||
| + | * [http://www.wikimedia.org Website] | ||
(19) Cadence | (19) Cadence | ||
| + | |||
| + | '''Summary''' | ||
| + | |||
| + | Here is the text. | ||
| + | |||
| + | '''Public Resources''' | ||
| + | |||
| + | * [http://www.wikimedia.org Resource]: Resource Description. | ||
| + | |||
| + | '''Related Websites''' | ||
| + | |||
| + | * [http://www.wikimedia.org Website] | ||
(20) Dassault | (20) Dassault | ||
| + | |||
| + | '''Summary''' | ||
| + | |||
| + | Here is the text. | ||
| + | |||
| + | '''Public Resources''' | ||
| + | |||
| + | * [http://www.wikimedia.org Resource]: Resource Description. | ||
| + | |||
| + | '''Related Websites''' | ||
| + | |||
| + | * [http://www.wikimedia.org Website] | ||
(21) THQ | (21) THQ | ||
| + | |||
| + | '''Summary''' | ||
| + | |||
| + | Here is the text. | ||
| + | |||
| + | '''Public Resources''' | ||
| + | |||
| + | * [http://www.wikimedia.org Resource]: Resource Description. | ||
| + | |||
| + | '''Related Websites''' | ||
| + | |||
| + | * [http://www.wikimedia.org Website] | ||
(22) Synopsys | (22) Synopsys | ||
| + | |||
| + | '''Summary''' | ||
| + | |||
| + | Here is the text. | ||
| + | |||
| + | '''Public Resources''' | ||
| + | |||
| + | * [http://www.wikimedia.org Resource]: Resource Description. | ||
| + | |||
| + | '''Related Websites''' | ||
| + | |||
| + | * [http://www.wikimedia.org Website] | ||
(23) Vivendi Universal Games | (23) Vivendi Universal Games | ||
| + | |||
| + | '''Summary''' | ||
| + | |||
| + | Here is the text. | ||
| + | |||
| + | '''Public Resources''' | ||
| + | |||
| + | * [http://www.wikimedia.org Resource]: Resource Description. | ||
| + | |||
| + | '''Related Websites''' | ||
| + | |||
| + | * [http://www.wikimedia.org Website] | ||
(24) Take 2 Interactive | (24) Take 2 Interactive | ||
| + | |||
| + | '''Summary''' | ||
| + | |||
| + | Here is the text. | ||
| + | |||
| + | '''Public Resources''' | ||
| + | |||
| + | * [http://www.wikimedia.org Resource]: Resource Description. | ||
| + | |||
| + | '''Related Websites''' | ||
| + | |||
| + | * [http://www.wikimedia.org Website] | ||
(25) SAS Institute | (25) SAS Institute | ||
| + | |||
| + | '''Summary''' | ||
| + | |||
| + | Here is the text. | ||
| + | |||
| + | '''Public Resources''' | ||
| + | |||
| + | * [http://www.wikimedia.org Resource]: Resource Description. | ||
| + | |||
| + | '''Related Websites''' | ||
| + | |||
| + | * [http://www.wikimedia.org Website] | ||
(26) Citrix | (26) Citrix | ||
| + | |||
| + | '''Summary''' | ||
| + | |||
| + | Here is the text. | ||
| + | |||
| + | '''Public Resources''' | ||
| + | |||
| + | * [http://www.wikimedia.org Resource]: Resource Description. | ||
| + | |||
| + | '''Related Websites''' | ||
| + | |||
| + | * [http://www.wikimedia.org Website] | ||
| + | |||
(27) BEA | (27) BEA | ||
| + | |||
| + | '''Summary''' | ||
| + | |||
| + | Here is the text. | ||
| + | |||
| + | '''Public Resources''' | ||
| + | |||
| + | * [http://www.wikimedia.org Resource]: Resource Description. | ||
| + | |||
| + | '''Related Websites''' | ||
| + | |||
| + | * [http://www.wikimedia.org Website] | ||
| + | |||
(28) UGS | (28) UGS | ||
| + | |||
| + | '''Summary''' | ||
| + | |||
| + | Here is the text. | ||
| + | |||
| + | '''Public Resources''' | ||
| + | |||
| + | * [http://www.wikimedia.org Resource]: Resource Description. | ||
| + | |||
| + | '''Related Websites''' | ||
| + | |||
| + | * [http://www.wikimedia.org Website] | ||
(29)Cognos | (29)Cognos | ||
| + | |||
| + | '''Summary''' | ||
| + | |||
| + | Here is the text. | ||
| + | |||
| + | '''Public Resources''' | ||
| + | |||
| + | * [http://www.wikimedia.org Resource]: Resource Description. | ||
| + | |||
| + | '''Related Websites''' | ||
| + | |||
| + | * [http://www.wikimedia.org Website] | ||
(30 Reynolds & Reynolds | (30 Reynolds & Reynolds | ||
| + | |||
| + | '''Summary''' | ||
| + | |||
| + | Here is the text. | ||
| + | |||
| + | '''Public Resources''' | ||
| + | |||
| + | * [http://www.wikimedia.org Resource]: Resource Description. | ||
| + | |||
| + | '''Related Websites''' | ||
| + | |||
| + | * [http://www.wikimedia.org Website] | ||
(31) Compuware | (31) Compuware | ||
| + | |||
| + | '''Summary''' | ||
| + | |||
| + | Here is the text. | ||
| + | |||
| + | '''Public Resources''' | ||
| + | |||
| + | * [http://www.wikimedia.org Resource]: Resource Description. | ||
| + | |||
| + | '''Related Websites''' | ||
| + | |||
| + | * [http://www.wikimedia.org Website] | ||
(32) Trend Micro | (32) Trend Micro | ||
| + | |||
| + | '''Summary''' | ||
| + | |||
| + | Here is the text. | ||
| + | |||
| + | '''Public Resources''' | ||
| + | |||
| + | * [http://www.wikimedia.org Resource]: Resource Description. | ||
| + | |||
| + | '''Related Websites''' | ||
| + | |||
| + | * [http://www.wikimedia.org Website] | ||
(33) Qualcomm | (33) Qualcomm | ||
| + | |||
| + | '''Summary''' | ||
| + | |||
| + | Here is the text. | ||
| + | |||
| + | '''Public Resources''' | ||
| + | |||
| + | * [http://www.wikimedia.org Resource]: Resource Description. | ||
| + | |||
| + | '''Related Websites''' | ||
| + | |||
| + | * [http://www.wikimedia.org Website] | ||
(34) Apple | (34) Apple | ||
| + | |||
| + | '''Summary''' | ||
| + | |||
| + | Here is the text. | ||
| + | |||
| + | '''Public Resources''' | ||
| + | |||
| + | * [http://www.wikimedia.org Resource]: Resource Description. | ||
| + | |||
| + | '''Related Websites''' | ||
| + | |||
| + | * [http://www.wikimedia.org Website] | ||
(35) Novell | (35) Novell | ||
| + | |||
| + | '''Summary''' | ||
| + | |||
| + | Here is the text. | ||
| + | |||
| + | '''Public Resources''' | ||
| + | |||
| + | * [http://www.wikimedia.org Resource]: Resource Description. | ||
| + | |||
| + | '''Related Websites''' | ||
| + | |||
| + | * [http://www.wikimedia.org Website] | ||
(36) Sage | (36) Sage | ||
| + | |||
| + | '''Summary''' | ||
| + | |||
| + | Here is the text. | ||
| + | |||
| + | '''Public Resources''' | ||
| + | |||
| + | * [http://www.wikimedia.org Resource]: Resource Description. | ||
| + | |||
| + | '''Related Websites''' | ||
| + | |||
| + | * [http://www.wikimedia.org Website] | ||
(37) Misys | (37) Misys | ||
| + | |||
| + | '''Summary''' | ||
| + | |||
| + | Here is the text. | ||
| + | |||
| + | '''Public Resources''' | ||
| + | |||
| + | * [http://www.wikimedia.org Resource]: Resource Description. | ||
| + | |||
| + | '''Related Websites''' | ||
| + | |||
| + | * [http://www.wikimedia.org Website] | ||
(38) Infor | (38) Infor | ||
| + | |||
| + | '''Summary''' | ||
| + | |||
| + | Here is the text. | ||
| + | |||
| + | '''Public Resources''' | ||
| + | |||
| + | * [http://www.wikimedia.org Resource]: Resource Description. | ||
| + | |||
| + | '''Related Websites''' | ||
| + | |||
| + | * [http://www.wikimedia.org Website] | ||
(39) McAfee | (39) McAfee | ||
| + | |||
| + | '''Summary''' | ||
| + | |||
| + | Here is the text. | ||
| + | |||
| + | '''Public Resources''' | ||
| + | |||
| + | * [http://www.wikimedia.org Resource]: Resource Description. | ||
| + | |||
| + | '''Related Websites''' | ||
| + | |||
| + | * [http://www.wikimedia.org Website] | ||
(40) Business Objects | (40) Business Objects | ||
| + | |||
| + | '''Summary''' | ||
| + | |||
| + | Here is the text. | ||
| + | |||
| + | '''Public Resources''' | ||
| + | |||
| + | * [http://www.wikimedia.org Resource]: Resource Description. | ||
| + | |||
| + | '''Related Websites''' | ||
| + | |||
| + | * [http://www.wikimedia.org Website] | ||
(41) Hyperion Solutions | (41) Hyperion Solutions | ||
| + | |||
| + | '''Summary''' | ||
| + | |||
| + | Here is the text. | ||
| + | |||
| + | '''Public Resources''' | ||
| + | |||
| + | * [http://www.wikimedia.org Resource]: Resource Description. | ||
| + | |||
| + | '''Related Websites''' | ||
| + | |||
| + | * [http://www.wikimedia.org Website] | ||
(42) Parametric Technology | (42) Parametric Technology | ||
| + | |||
| + | '''Summary''' | ||
| + | |||
| + | Here is the text. | ||
| + | |||
| + | '''Public Resources''' | ||
| + | |||
| + | * [http://www.wikimedia.org Resource]: Resource Description. | ||
| + | |||
| + | '''Related Websites''' | ||
| + | |||
| + | * [http://www.wikimedia.org Website] | ||
(43) Sybase | (43) Sybase | ||
| + | |||
| + | '''Summary''' | ||
| + | |||
| + | Here is the text. | ||
| + | |||
| + | '''Public Resources''' | ||
| + | |||
| + | * [http://www.wikimedia.org Resource]: Resource Description. | ||
| + | |||
| + | '''Related Websites''' | ||
| + | |||
| + | * [http://www.wikimedia.org Website] | ||
(44) Fair Isaac | (44) Fair Isaac | ||
| + | |||
| + | '''Summary''' | ||
| + | |||
| + | Here is the text. | ||
| + | |||
| + | '''Public Resources''' | ||
| + | |||
| + | * [http://www.wikimedia.org Resource]: Resource Description. | ||
| + | |||
| + | '''Related Websites''' | ||
| + | |||
| + | * [http://www.wikimedia.org Website] | ||
(45) Checkpoint | (45) Checkpoint | ||
| + | |||
| + | '''Summary''' | ||
| + | |||
| + | Here is the text. | ||
| + | |||
| + | '''Public Resources''' | ||
| + | |||
| + | * [http://www.wikimedia.org Resource]: Resource Description. | ||
| + | |||
| + | '''Related Websites''' | ||
| + | |||
| + | * [http://www.wikimedia.org Website] | ||
(46) Mentor Graphics | (46) Mentor Graphics | ||
| + | |||
| + | '''Summary''' | ||
| + | |||
| + | Here is the text. | ||
| + | |||
| + | '''Public Resources''' | ||
| + | |||
| + | * [http://www.wikimedia.org Resource]: Resource Description. | ||
| + | |||
| + | '''Related Websites''' | ||
| + | |||
| + | * [http://www.wikimedia.org Website] | ||
(47) Software AG | (47) Software AG | ||
| + | |||
| + | '''Summary''' | ||
| + | |||
| + | Here is the text. | ||
| + | |||
| + | '''Public Resources''' | ||
| + | |||
| + | * [http://www.wikimedia.org Resource]: Resource Description. | ||
| + | |||
| + | '''Related Websites''' | ||
| + | |||
| + | * [http://www.wikimedia.org Website] | ||
(48) Intergraph | (48) Intergraph | ||
| + | |||
| + | '''Summary''' | ||
| + | |||
| + | Here is the text. | ||
| + | |||
| + | '''Public Resources''' | ||
| + | |||
| + | * [http://www.wikimedia.org Resource]: Resource Description. | ||
| + | |||
| + | '''Related Websites''' | ||
| + | |||
| + | * [http://www.wikimedia.org Website] | ||
(49) Philips | (49) Philips | ||
| + | |||
| + | '''Summary''' | ||
| + | |||
| + | Here is the text. | ||
| + | |||
| + | '''Public Resources''' | ||
| + | |||
| + | * [http://www.wikimedia.org Resource]: Resource Description. | ||
| + | |||
| + | '''Related Websites''' | ||
| + | |||
| + | * [http://www.wikimedia.org Website] | ||
(50) Eclipsys | (50) Eclipsys | ||
| + | |||
| + | '''Summary''' | ||
| + | |||
| + | Here is the text. | ||
| + | |||
| + | '''Public Resources''' | ||
| + | |||
| + | * [http://www.wikimedia.org Resource]: Resource Description. | ||
| + | |||
| + | '''Related Websites''' | ||
| + | |||
| + | * [http://www.wikimedia.org Website] | ||
Latest revision as of 14:19, 25 September 2016
This page contains content that is outdated and is no longer being maintained. It is provided as a courtesy for individuals who are still using these technologies. This page may contain URLs that were once valid but may now link to sites or pages that no longer exist.
(Please help OWASP and provide the Links '| link=<Name of the Page>| link1=<Name of the 2nd Pge>| link2=<Name of the 3rd Page>' to the latest content, see FixME)
Welcome to the Positive Security Project
A common approach on most companies is adequate the protection of their assets as part of a post mortem lessons learned process. A web site changes, data compromised and unavailability as a result of a DoS attack are common examples on a start point to accept the existence of security flaws and initiate the security enhancement to avoid future occurrences. Even in these cases the adequate security is not always performed as a consequence of the enhancement process and the most common result is to allocate efforts on the problem’s source and simply forget about the rest.
The Positive Security Project was initiated on the OWASP Summer of Code 2008 as a long term initiative to support a continuous learning process for the market on adopt a “positive security attitude” as part of their common IT management practices through a marketing campaign to encourage a positive approach.
The broader vision for this project is to work for change in the software market. To increase application security, we need to make it possible for people to make informed decisions about the software they buy. Then the market can work to encourage security. To enable informed decisions, we need real information about the people, process, and technology used to create an application. And that means we need positive disclosure. The negative approach to security leads to the penetrate-and-patch hamster wheel of pain security management process. The time has come to be positive and proactive.
Get Involved on Positive Security
What is Positive Security?
Positive security focuses on verifying that security controls are present, properly implemented, and used in all the right places. It involves white lists and only allowing what's specifically allowed. And it involves disclosing what a company does to ensure the security of the software it produces (positive disclosure). Disclosing vulnerabilities (negative disclosure/full disclosure) has a role in the market, but the metrics produced are meaningless.
How to Adopt a Positive Security Approach? (For Suppliers)
- An Overview of the Positive Security Approach - The Supplier Side
How to Adopt a Positive Security Approach? (For Customers)
- An Overview of the Positive Security Approach - The Customer Side
- How to sell the Positive Security Approach within your company
- How to explain the Positive Security Approach amongst your IT colleagues
- How to explain the Positive Security Approach for your internal customers
Public Resources on Positive Security (Companies Related)
Public Resources on Positive Security (Government Related)
- The Tokeneer Project: In order to demonstrate that developing highly secure systems to the level of rigor required by the higher assurance levels of the Common Criteria is possible, the NSA (National Security Agency) asked Praxis High Integrity Systems to undertake a research project to develop part of an existing secure system (the Tokeneer System) in accordance with Praxis’ Correctness by Construction development process. This development and research work has now been made available by the NSA to the software development and security communities in an effort to prove that it is possible to develop secure systems rigorously in a cost effective manner.
Public Resources on Positive Security (Community Related)
The Positive Security Index
Updates
28 October 2008
- Page layout changed to include more resources
23 September 2008
- The Top 50 Software Companies list was updated with relative information and links to companies' resources on Positive Security.
Get Involved
Everyone has something to contribute. Sharing public available information on how companies are dealing with the Positive Security Attitude is well appreciated and also the vice-versa, where companies simply don’t care about their security controls until a problem occurs and a considerable impact. If you want to contribute to the project as an author, reviewer or in any other fashion, please send a message to owasp (at) camargoneves.com explaining what you can do and how much effort you can allocate to this non-profit volunteer process.
Top 50 Software Companies
The Top 50 Software Companies were defined following The Big International Software Index, published at Software Top 100 web site and these companies are being studied to understand what kind of approach they maintain to deal with IT Security and if the material can be useful as reference for the Positive Security Project. This list was also defined as the reference for the OWASP Corporate Application Security Rating Guide.
For each company listed, the following information are stated on this page:
- Summary: A brief description of the company, normally copied from Wikipedia or their own website.
- Related Websites: Links to these companies’ websites where information on Positive Security Approach is published and available for public use.
- Related Resources: Documents, methodologies, presentations and all other resources directly related to the Positive Security approach which are available for the community.
Note: All links and supportive information was directly collected from the software companies' web sites without any change or adjustment. Please read it understanding that some marketing approach may be in use and apply your own critical view. :-)
01. Microsoft
Summary
Microsoft Corporation is an American multinational computer technology corporation, which rose to dominate the home computer operating system market with MS-DOS in the mid-1980s, followed by the Windows line of operating systems. It develops, manufactures, licenses, and supports a wide range of software products for computing devices. Microsoft CTO and Senior Vice President Craig Mundie authored a whitepaper in 2002, defining the framework of the company’s Trustworthy Computing program. Four areas were identified as the initiative’s key “pillars”. Microsoft has subsequently organized its efforts to align with these goals. These key activities are set forth as: Security, Privacy, Reliability and Business Integrity. (Ref.1) (Ref.2)
Related Websites
- Microsoft Security Main Page: Provides links and general information about several information security related initiatives and strategies at Microsoft.
- Microsoft Security Development Lifecycle (SDL): Main website for Microsoft's SDL, a company-wide initiative and a mandatory policy since 2004. Combining a holistic and practical approach, SDL introduces security and privacy early and throughout the development process.
Related Resources
02. IBM
Summary
Here is the text.
Public Resources
- Resource: Resource Description.
Related Websites
(03) Oracle
Summary
Here is the text.
Public Resources
- Resource: Resource Description.
Related Websites
(04) SAP
Summary
Here is the text.
Public Resources
- Resource: Resource Description.
Related Websites
(05) HP
Summary
Here is the text.
Public Resources
- Resource: Resource Description.
Related Websites
(06) Symantec
Summary
Here is the text.
Public Resources
- Resource: Resource Description.
Related Websites
(07) Computer Associates
Summary
Here is the text.
Public Resources
- Resource: Resource Description.
Related Websites
(08) Electronic Arts
Summary
Here is the text.
Public Resources
- Resource: Resource Description.
Related Websites
(09) Adobe
Summary
Here is the text.
Public Resources
- Resource: Resource Description.
Related Websites
(10) Nintendo
Summary
Here is the text.
Public Resources
- Resource: Resource Description.
Related Websites
(11) EMC
Summary
Here is the text.
Public Resources
- Resource: Resource Description.
Related Websites
(12) Autodesk
Summary
Here is the text.
Public Resources
- Resource: Resource Description.
Related Websites
(13) NCR
Summary
Here is the text.
Public Resources
- Resource: Resource Description.
Related Websites
(14) Activision
Summary
Here is the text.
Public Resources
- Resource: Resource Description.
Related Websites
(15) Cisco
Summary
Here is the text.
Public Resources
- Resource: Resource Description.
Related Websites
(16) SunGard
Summary
Here is the text.
Public Resources
- Resource: Resource Description.
Related Websites
(17) BMC
Summary
Here is the text.
Public Resources
- Resource: Resource Description.
Related Websites
(18) Intuit
Summary
Here is the text.
Public Resources
- Resource: Resource Description.
Related Websites
(19) Cadence
Summary
Here is the text.
Public Resources
- Resource: Resource Description.
Related Websites
(20) Dassault
Summary
Here is the text.
Public Resources
- Resource: Resource Description.
Related Websites
(21) THQ
Summary
Here is the text.
Public Resources
- Resource: Resource Description.
Related Websites
(22) Synopsys
Summary
Here is the text.
Public Resources
- Resource: Resource Description.
Related Websites
(23) Vivendi Universal Games
Summary
Here is the text.
Public Resources
- Resource: Resource Description.
Related Websites
(24) Take 2 Interactive
Summary
Here is the text.
Public Resources
- Resource: Resource Description.
Related Websites
(25) SAS Institute
Summary
Here is the text.
Public Resources
- Resource: Resource Description.
Related Websites
(26) Citrix
Summary
Here is the text.
Public Resources
- Resource: Resource Description.
Related Websites
(27) BEA
Summary
Here is the text.
Public Resources
- Resource: Resource Description.
Related Websites
(28) UGS
Summary
Here is the text.
Public Resources
- Resource: Resource Description.
Related Websites
(29)Cognos
Summary
Here is the text.
Public Resources
- Resource: Resource Description.
Related Websites
(30 Reynolds & Reynolds
Summary
Here is the text.
Public Resources
- Resource: Resource Description.
Related Websites
(31) Compuware
Summary
Here is the text.
Public Resources
- Resource: Resource Description.
Related Websites
(32) Trend Micro
Summary
Here is the text.
Public Resources
- Resource: Resource Description.
Related Websites
(33) Qualcomm
Summary
Here is the text.
Public Resources
- Resource: Resource Description.
Related Websites
(34) Apple
Summary
Here is the text.
Public Resources
- Resource: Resource Description.
Related Websites
(35) Novell
Summary
Here is the text.
Public Resources
- Resource: Resource Description.
Related Websites
(36) Sage
Summary
Here is the text.
Public Resources
- Resource: Resource Description.
Related Websites
(37) Misys
Summary
Here is the text.
Public Resources
- Resource: Resource Description.
Related Websites
(38) Infor
Summary
Here is the text.
Public Resources
- Resource: Resource Description.
Related Websites
(39) McAfee
Summary
Here is the text.
Public Resources
- Resource: Resource Description.
Related Websites
(40) Business Objects
Summary
Here is the text.
Public Resources
- Resource: Resource Description.
Related Websites
(41) Hyperion Solutions
Summary
Here is the text.
Public Resources
- Resource: Resource Description.
Related Websites
(42) Parametric Technology
Summary
Here is the text.
Public Resources
- Resource: Resource Description.
Related Websites
(43) Sybase
Summary
Here is the text.
Public Resources
- Resource: Resource Description.
Related Websites
(44) Fair Isaac
Summary
Here is the text.
Public Resources
- Resource: Resource Description.
Related Websites
(45) Checkpoint
Summary
Here is the text.
Public Resources
- Resource: Resource Description.
Related Websites
(46) Mentor Graphics
Summary
Here is the text.
Public Resources
- Resource: Resource Description.
Related Websites
(47) Software AG
Summary
Here is the text.
Public Resources
- Resource: Resource Description.
Related Websites
(48) Intergraph
Summary
Here is the text.
Public Resources
- Resource: Resource Description.
Related Websites
(49) Philips
Summary
Here is the text.
Public Resources
- Resource: Resource Description.
Related Websites
(50) Eclipsys
Summary
Here is the text.
Public Resources
- Resource: Resource Description.
Related Websites
