This site is the archived OWASP Foundation Wiki and is no longer accepting Account Requests.
To view the new OWASP Foundation website, please visit https://owasp.org
Difference between revisions of "Positive Security Project"
Camargoneves (talk | contribs) |
Camargoneves (talk | contribs) |
||
| Line 22: | Line 22: | ||
Everyone has something to contribute. Sharing public available information on how companies are dealing with the Positive Security Attitude is well appreciated and also the vice-versa, where companies simply don’t care about their security controls until a problem occurs and a considerable impact. If you want to contribute to the project as an author, reviewer or in any other fashion, please send a message to owasp (at) camargoneves.com explaining what you can do and how much effort you can allocate to this non-profit volunteer process. | Everyone has something to contribute. Sharing public available information on how companies are dealing with the Positive Security Attitude is well appreciated and also the vice-versa, where companies simply don’t care about their security controls until a problem occurs and a considerable impact. If you want to contribute to the project as an author, reviewer or in any other fashion, please send a message to owasp (at) camargoneves.com explaining what you can do and how much effort you can allocate to this non-profit volunteer process. | ||
| + | |||
| + | |||
| + | == References == | ||
| + | |||
| + | '''Top 50 Software Companies''' | ||
| + | |||
| + | The Top 50 Software Companies were defined following The Big International Software Index, published by at [http://www.softwaretop100.org/ Software Top 100 web site] and these companies are being studied to understand what kind of approach they maintain to deal with IT Security and if the material can be useful as reference for the Positive Security Project. This list was also defined as the reference for the [https://www.owasp.org/index.php/OWASP_Corporate_Application_Security_Rating_Guide OWASP Corporate Application Security Rating Guide]. | ||
| + | |||
| + | (01) Microsoft | ||
| + | |||
| + | (02) IBM | ||
| + | |||
| + | (03) Oracle | ||
| + | |||
| + | (04) SAP | ||
| + | |||
| + | (05) HP | ||
| + | |||
| + | (06) Symantec | ||
| + | |||
| + | (07) Computer Associates | ||
| + | |||
| + | (08) Electronic Arts | ||
| + | |||
| + | (09) Adobe | ||
| + | |||
| + | (10) Nintendo | ||
| + | |||
| + | (11) EMC | ||
| + | |||
| + | (12) Autodesk | ||
| + | |||
| + | (13) NCR | ||
| + | |||
| + | (14) Activision | ||
| + | |||
| + | (15) Cisco | ||
| + | |||
| + | (16) SunGard | ||
| + | |||
| + | (17) BMC | ||
| + | |||
| + | (18) Intuit | ||
| + | |||
| + | (19) Cadence | ||
| + | |||
| + | (20) Dassault | ||
| + | |||
| + | (21) THQ | ||
| + | |||
| + | (22) Synopsys | ||
| + | |||
| + | (23) Vivendi Universal Games | ||
| + | |||
| + | (24) Take 2 Interactive | ||
| + | |||
| + | (25) SAS Institute | ||
| + | |||
| + | (26) Citrix | ||
| + | (27) BEA | ||
| + | (28) UGS | ||
| + | |||
| + | (29)Cognos | ||
| + | |||
| + | (30 Reynolds & Reynolds | ||
| + | |||
| + | (31) Compuware | ||
| + | |||
| + | (32) Trend Micro | ||
| + | |||
| + | (33) Qualcomm | ||
| + | |||
| + | (34) Apple | ||
| + | |||
| + | (35) Novell | ||
| + | |||
| + | (36) Sage | ||
| + | |||
| + | (37) Misys | ||
| + | |||
| + | (38) Infor | ||
| + | |||
| + | (39) McAfee | ||
| + | |||
| + | (40) Business Objects | ||
| + | |||
| + | (41) Hyperion Solutions | ||
| + | |||
| + | (42) Parametric Technology | ||
| + | |||
| + | (43) Sybase | ||
| + | |||
| + | (44) Fair Isaac | ||
| + | |||
| + | (45) Checkpoint | ||
| + | |||
| + | (46) Mentor Graphics | ||
| + | |||
| + | (47) Software AG | ||
| + | |||
| + | (48) Intergraph | ||
| + | |||
| + | (49) Philips | ||
| + | |||
| + | (50) Eclipsys | ||
Revision as of 23:26, 6 July 2008
Welcome to the Positive Security Project
A common approach on most companies is adequate the protection of their assets as part of a post mortem lessons learned process. A web site changes, data compromised and unavailability as a result of a DoS attack are common examples on a start point to accept the existence of security flaws and initiate the security enhancement to avoid future occurrences. Even in these cases the adequate security is not always performed as a consequence of the enhancement process and the most common result is to allocate efforts on the problem’s source and simply forget about the rest.
The Positive Security Project was initiated on the OWASP Summer of Code 2008 as a long term initiative to support a continuous learning process for the market on adopt a “positive security attitude” as part of their common IT management practices through a marketing campaign to encourage a positive approach.
The broader vision for this project is to work for change in the software market. To increase application security, we need to make it possible for people to make informed decisions about the software they buy. Then the market can work to encourage security. To enable informed decisions, we need real information about the people, process, and technology used to create an application. And that means we need positive disclosure. The negative approach to security leads to the penetrate-and-patch hamster wheel of pain security management process. The time has come to be positive and proactive.
Positive Security Contents
What is Positive Security?
Positive security focuses on verifying that security controls are present, properly implemented, and used in all the right places. It involves white lists and only allowing what's specifically allowed. And it involves disclosing what a company does to ensure the security of the software it produces (positive disclosure). Disclosing vulnerabilities (negative disclosure/full disclosure) has a role in the market, but the metrics produced are meaningless.
How to Adopt a Positive Security Approach? (For suppliers)
How to Adopt a Positive Security Approach? (For Customers)
News
Get Involved
Everyone has something to contribute. Sharing public available information on how companies are dealing with the Positive Security Attitude is well appreciated and also the vice-versa, where companies simply don’t care about their security controls until a problem occurs and a considerable impact. If you want to contribute to the project as an author, reviewer or in any other fashion, please send a message to owasp (at) camargoneves.com explaining what you can do and how much effort you can allocate to this non-profit volunteer process.
References
Top 50 Software Companies
The Top 50 Software Companies were defined following The Big International Software Index, published by at Software Top 100 web site and these companies are being studied to understand what kind of approach they maintain to deal with IT Security and if the material can be useful as reference for the Positive Security Project. This list was also defined as the reference for the OWASP Corporate Application Security Rating Guide.
(01) Microsoft
(02) IBM
(03) Oracle
(04) SAP
(05) HP
(06) Symantec
(07) Computer Associates
(08) Electronic Arts
(09) Adobe
(10) Nintendo
(11) EMC
(12) Autodesk
(13) NCR
(14) Activision
(15) Cisco
(16) SunGard
(17) BMC
(18) Intuit
(19) Cadence
(20) Dassault
(21) THQ
(22) Synopsys
(23) Vivendi Universal Games
(24) Take 2 Interactive
(25) SAS Institute
(26) Citrix (27) BEA (28) UGS
(29)Cognos
(30 Reynolds & Reynolds
(31) Compuware
(32) Trend Micro
(33) Qualcomm
(34) Apple
(35) Novell
(36) Sage
(37) Misys
(38) Infor
(39) McAfee
(40) Business Objects
(41) Hyperion Solutions
(42) Parametric Technology
(43) Sybase
(44) Fair Isaac
(45) Checkpoint
(46) Mentor Graphics
(47) Software AG
(48) Intergraph
(49) Philips
(50) Eclipsys
