This site is the archived OWASP Foundation Wiki and is no longer accepting Account Requests.
To view the new OWASP Foundation website, please visit https://owasp.org

Positive Security Project

From OWASP
Revision as of 23:27, 28 October 2008 by Camargoneves (talk | contribs) (The Positive Security Project Index)

Jump to: navigation, search

Welcome to the Positive Security Project

A common approach on most companies is adequate the protection of their assets as part of a post mortem lessons learned process. A web site changes, data compromised and unavailability as a result of a DoS attack are common examples on a start point to accept the existence of security flaws and initiate the security enhancement to avoid future occurrences. Even in these cases the adequate security is not always performed as a consequence of the enhancement process and the most common result is to allocate efforts on the problem’s source and simply forget about the rest.

The Positive Security Project was initiated on the OWASP Summer of Code 2008 as a long term initiative to support a continuous learning process for the market on adopt a “positive security attitude” as part of their common IT management practices through a marketing campaign to encourage a positive approach.

The broader vision for this project is to work for change in the software market. To increase application security, we need to make it possible for people to make informed decisions about the software they buy. Then the market can work to encourage security. To enable informed decisions, we need real information about the people, process, and technology used to create an application. And that means we need positive disclosure. The negative approach to security leads to the penetrate-and-patch hamster wheel of pain security management process. The time has come to be positive and proactive.


Get Involved on Positive Security

What is Positive Security?

Positive security focuses on verifying that security controls are present, properly implemented, and used in all the right places. It involves white lists and only allowing what's specifically allowed. And it involves disclosing what a company does to ensure the security of the software it produces (positive disclosure). Disclosing vulnerabilities (negative disclosure/full disclosure) has a role in the market, but the metrics produced are meaningless.

How to Adopt a Positive Security Approach? (For Suppliers)

  • An Overview of the Positive Security Approach - The Supplier Side

How to Adopt a Positive Security Approach? (For Customers)

  • An Overview of the Positive Security Approach - The Customer Side
  • How to sell the Positive Security Approach within your company
  • How to explain the Positive Security Approach amongst your IT colleagues
  • How to explain the Positive Security Approach for your internal customers

Public Resources on Positive Security (Companies Related)

Public Resources on Positive Security (Government Related)

  • The Tokeneer Project: In order to demonstrate that developing highly secure systems to the level of rigor required by the higher assurance levels of the Common Criteria is possible, the NSA (National Security Agency) asked Praxis High Integrity Systems to undertake a research project to develop part of an existing secure system (the Tokeneer System) in accordance with Praxis’ Correctness by Construction development process. This development and research work has now been made available by the NSA to the software development and security communities in an effort to prove that it is possible to develop secure systems rigorously in a cost effective manner.

Public Resources on Positive Security (Community Related)



The Positive Security Project Index

Six Steps to Achieve Positive Security
TRACKS When you are a customer When you are a supplier
10:40-10:55 OWASP Enigform and mod_Openpgp (SoC 08)

Arturo Alberto Busleiman (a.k.a Buanzo)

OWASP Internationalization Guidelines (SoC 08)

Juan Carlos Calderon

11:00-11:15 OWASP OpenSign Server Project (SoC 08)

Mark Roxberry

OWASP Spanish Project (SoC 08)

Juan Carlos Calderon

11:20-11:35 OWASP AntiSamy (SoC 08)

Arshan Dabirsiaghi

OWASP Positive Security (SoC 08)

Eduardo Vianna de Camargo Neves

11:40-11:55 OWASP AppSensor (SoC 08)

Michael Coates

OWASP Source Code Review OWASP Projects (SoC 08)

James Walden

12:00-12:15 OWASP Securing WebGoat using ModSecurity (SoC 08)

Stephen Craig Evans, Christian Folini

OWASP Education (SoC 08 Working Session)

Sebastien Deleersnyder, Martin Knobloch

12:20-12:35 Pending
12:35-14:00 Lunch - Expo - CTF
TRACKS Track 3: Cutting Edge Tools Track 4: Security Guidance and Knowledge
14:00-14:15 OWASP Access Control Rules Tester Project (SoC 08)

Andrew Petukhov

OWASP Classic ASP Security Project (SoC 08)

Juan Carlos Calderon

14:20-14:35 OWASP Skavenger Project (SoC 08)

Matthias Rohr

OWASP .NET Project (SoC 08 & Working Session)

Mark Roxberry

14:40-14:55 OWASP JSP Testing Tool (SoC 08)

Jason Li

15:00-15:15 WebScarab-NG (SoC 08)

Rogan Dawes

Pending
15:20-15:35 OWASP Webslayer Project

Christian Martorella

OWASP Code Review Guide (SoC 08 & Working Session)

Eoin Keary

15:40-15:55 OWASP Live CD 2008 (SoC 08)

Matt Tesauro

16:00-16:15 OWASP Teachable Static Analysis Workbench (SoC 08)

Dmitry Kozlov

OWASP Backend Security Project (SoC 08)

Carlo Pelliccioni

16:20-16:35 OWASP Code Crawler (SoC 08)

Alessio Marziali

OWASP Application Security Desk Reference (ASDR) (SoC 08 & Working Session)

Leonardo Cavallari Militelli

16:40-16:55 OWASP Orizon Project (SoC 08)

Paolo Perego (aka thesp0nge)

17:00-17:15 OWASP Application Security Tool Benchmarking Environment and Site Generator Refresh Project (SoC 08)

Dmitry Kozlov

OWASP Ruby on Rails Security Project (SoC 08)

Heiko Webers

17:20-17:35 Open Review Project

Dan Cornell

OWASP Testing Guide (SoC 08 & Working Session)

Matteo Meucci

17:40-17:55 OWASP Application Security Verification Standard Project (SoC 08)

Jeff Williams

19:00 OWASP Gala Dinner
OWASP


Friday, November 7, 2008
Track Track
09:00-10:00 Coffee
10:00-10:15 ISWG: Browser Security (Working Session) Certification (Working Session)
10:20-10:35 Enterprise Security API Project (Working Session) Awards (Working Session)
10:40-10:35 Tools Projects (Working Session) OWASP Website (Working Session) [2h]
11:00-11:15 ISWG:Web Application Framework Security (Working Session) Winter Of Code 2009 (Working Session)
11:20-11:35 Documentation Projects (Working Session) Strategic Planning for 2009 (Working Session)
11:40-11:55 OWASP Top 10 2009 (Working Session) Board Meeting (public session)
12:00-12:15 Intra Governmental Affairs (Working Session) OWASP Live CD&DVD (Working Session)
14:00-17:00 Board Meeting
17:00 Cocktail Party
OWASP

Corrections or Updates: Contact michael.coates{at}aspectsecurity.com

Updates

28 October 2008

  • Page layout changed to include more resources

23 September 2008

  • The Top 50 Software Companies list was updated with relative information and links to companies' resources on Positive Security.


Get Involved

Everyone has something to contribute. Sharing public available information on how companies are dealing with the Positive Security Attitude is well appreciated and also the vice-versa, where companies simply don’t care about their security controls until a problem occurs and a considerable impact. If you want to contribute to the project as an author, reviewer or in any other fashion, please send a message to owasp (at) camargoneves.com explaining what you can do and how much effort you can allocate to this non-profit volunteer process.


Top 50 Software Companies

The Top 50 Software Companies were defined following The Big International Software Index, published at Software Top 100 web site and these companies are being studied to understand what kind of approach they maintain to deal with IT Security and if the material can be useful as reference for the Positive Security Project. This list was also defined as the reference for the OWASP Corporate Application Security Rating Guide.

For each company listed, the following information are stated on this page:

  • Summary: A brief description of the company, normally copied from Wikipedia or their own website.
  • Related Websites: Links to these companies’ websites where information on Positive Security Approach is published and available for public use.
  • Related Resources: Documents, methodologies, presentations and all other resources directly related to the Positive Security approach which are available for the community.

Note: All links and supportive information was directly collected from the software companies' web sites without any change or adjustment. Please read it understanding that some marketing approach may be in use and apply your own critical view. :-)


01. Microsoft

Summary

Microsoft Corporation is an American multinational computer technology corporation, which rose to dominate the home computer operating system market with MS-DOS in the mid-1980s, followed by the Windows line of operating systems. It develops, manufactures, licenses, and supports a wide range of software products for computing devices. Microsoft CTO and Senior Vice President Craig Mundie authored a whitepaper in 2002, defining the framework of the company’s Trustworthy Computing program. Four areas were identified as the initiative’s key “pillars”. Microsoft has subsequently organized its efforts to align with these goals. These key activities are set forth as: Security, Privacy, Reliability and Business Integrity. (Ref.1) (Ref.2)


Related Websites

  • Microsoft Security Main Page: Provides links and general information about several information security related initiatives and strategies at Microsoft.
  • Microsoft Security Development Lifecycle (SDL): Main website for Microsoft's SDL, a company-wide initiative and a mandatory policy since 2004. Combining a holistic and practical approach, SDL introduces security and privacy early and throughout the development process.

Related Resources

02. IBM

Summary

Here is the text.

Public Resources

Related Websites


(03) Oracle

Summary

Here is the text.

Public Resources

Related Websites

(04) SAP

Summary

Here is the text.

Public Resources

Related Websites

(05) HP

Summary

Here is the text.

Public Resources

Related Websites

(06) Symantec

Summary

Here is the text.

Public Resources

Related Websites

(07) Computer Associates

Summary

Here is the text.

Public Resources

Related Websites

(08) Electronic Arts

Summary

Here is the text.

Public Resources

Related Websites

(09) Adobe

Summary

Here is the text.

Public Resources

Related Websites

(10) Nintendo

Summary

Here is the text.

Public Resources

Related Websites

(11) EMC

Summary

Here is the text.

Public Resources

Related Websites

(12) Autodesk

Summary

Here is the text.

Public Resources

Related Websites

(13) NCR

Summary

Here is the text.

Public Resources

Related Websites

(14) Activision

Summary

Here is the text.

Public Resources

Related Websites

(15) Cisco

Summary

Here is the text.

Public Resources

Related Websites

(16) SunGard

Summary

Here is the text.

Public Resources

Related Websites

(17) BMC

Summary

Here is the text.

Public Resources

Related Websites

(18) Intuit

Summary

Here is the text.

Public Resources

Related Websites

(19) Cadence

Summary

Here is the text.

Public Resources

Related Websites

(20) Dassault

Summary

Here is the text.

Public Resources

Related Websites

(21) THQ

Summary

Here is the text.

Public Resources

Related Websites

(22) Synopsys

Summary

Here is the text.

Public Resources

Related Websites

(23) Vivendi Universal Games

Summary

Here is the text.

Public Resources

Related Websites

(24) Take 2 Interactive

Summary

Here is the text.

Public Resources

Related Websites

(25) SAS Institute

Summary

Here is the text.

Public Resources

Related Websites

(26) Citrix

Summary

Here is the text.

Public Resources

Related Websites

(27) BEA

Summary

Here is the text.

Public Resources

Related Websites

(28) UGS

Summary

Here is the text.

Public Resources

Related Websites

(29)Cognos

Summary

Here is the text.

Public Resources

Related Websites

(30 Reynolds & Reynolds

Summary

Here is the text.

Public Resources

Related Websites

(31) Compuware

Summary

Here is the text.

Public Resources

Related Websites

(32) Trend Micro

Summary

Here is the text.

Public Resources

Related Websites

(33) Qualcomm

Summary

Here is the text.

Public Resources

Related Websites

(34) Apple

Summary

Here is the text.

Public Resources

Related Websites

(35) Novell

Summary

Here is the text.

Public Resources

Related Websites

(36) Sage

Summary

Here is the text.

Public Resources

Related Websites

(37) Misys

Summary

Here is the text.

Public Resources

Related Websites

(38) Infor

Summary

Here is the text.

Public Resources

Related Websites

(39) McAfee

Summary

Here is the text.

Public Resources

Related Websites

(40) Business Objects

Summary

Here is the text.

Public Resources

Related Websites

(41) Hyperion Solutions

Summary

Here is the text.

Public Resources

Related Websites

(42) Parametric Technology

Summary

Here is the text.

Public Resources

Related Websites

(43) Sybase

Summary

Here is the text.

Public Resources

Related Websites

(44) Fair Isaac

Summary

Here is the text.

Public Resources

Related Websites

(45) Checkpoint

Summary

Here is the text.

Public Resources

Related Websites

(46) Mentor Graphics

Summary

Here is the text.

Public Resources

Related Websites

(47) Software AG

Summary

Here is the text.

Public Resources

Related Websites

(48) Intergraph

Summary

Here is the text.

Public Resources

Related Websites

(49) Philips

Summary

Here is the text.

Public Resources

Related Websites

(50) Eclipsys

Summary

Here is the text.

Public Resources

Related Websites