Proposal OWASP Statement on the Security of the Internet and Pervasive Monitoring

The Internet community and OWASP care deeply about how much we can trust commonly used Internet services and the applications that provide and use these services. Studying the reports about large-scale monitoring of Internet traffic and users disturbs us greatly. We knew about the interception of targeted individuals and other monitoring activities. However, the scale of recently reported monitoring and potential undermining of the security of deployed applications is surprising.

Of course, it is hard to know for sure from current reports what attack techniques may be in use. As such, it is not so easy to comment on the specifics from an OWASP perspective. Still, OWASP has long standing general principles that we can talk about, and also address some of the actions we are taking.

• We strongly believe trustworthy secure software and applications are an important cornerstone for human society and interactions of all people around the world.
• We strongly believe that people, companies and governments must protect software security and must not intentionally weaken software security, security standards, or undermine the security of cryptographic algorithms.
• We strongly believe that people, companies and governments must not intentionally introduce defects or vulnerabilities (or secret back-doors) compromising the security, trust and integrity of software and applications.

We like to point out, that if vulnerabilities are introduced by people, governments or corporations to enable monitoring, that this will not only have adverse effects on freedom and trust within human society, but sooner or later these vulnerabilities and weaknesses will also be found and exploited by malicious actors and criminals. Furthermore, the general population and companies will then be left without protection against these actors, undermining the very foundations of many software applications that support our daily lives, and with potentially world-wide catastrophic consequences.

The OWASP community wants to help build secure and deployable systems for all Internet users. Addressing security and new vulnerabilities has been the key strength of the OWASP community for more than a decade. Technology alone is not the only factor. Operational practices, laws, and other similar factors also matter. Existing OWASP security recommendations and tools, if used more widely, can definitely help. However, technical issues outside the users' or companies' control, for example endpoint security, or the properties of specific products or implementations, also affect the end result in major ways. So at the end of the day, no amount of security helps you if you can not trust the party you are communicating with or the devices you are using. Nonetheless, we’re confident the OWASP community can do its part. We continue our mission to improve security in the Internet and do more to make applications more secure and offer better protection. The recent revelations provide additional motivation for doing this, as well as highlight the need to consider new threat models.

We should seize this opportunity to take a look at what we can do better. Over the coming months the OWASP community experts around the world are exploring possible options to improve the protection and security of applications for the benefit of users, companies and governments alike. We are confident that discussions on this topic will motivate our open community to do even more work on these and further related topics.

Don’t think about all this just in light of the recent revelations. The security and privacy of the Internet in general is still a major challenge even ignoring pervasive monitoring and related activities. Learnings can be drawn from the above that will be generally useful in many ways for years to come. Perhaps this year’s discussions is a way to motivate the world to move from “by default insecure” to “by default secure”. Publicity and motivation are important, too. There is plenty to do for all of us, from users enabling additional security features to companies and governments ensuring that their products, services and applications are secure. OWASP is an open community and we invite those interested in working on this topic to contribute to the analysis and develop ideas in this area together.