Difference between revisions of "Talk:Summit 2011 Working Sessions/Session073"

From OWASP
Jump to: navigation, search
(Micro survey: Anonymous answers added)
Revision as of 15:42, 21 February 2011

Thank you for attending! This page is for the session participants to add their ideas and comments.

Please also take a look at the draft FTC response http://www.owasp.org/index.php/Industry:FTC_Protecting_Consumer_Privacy#Draft_Text_version_2 - your input would be very welcome!

Thank you

colin.watson(at)owasp.org


Accomplishments

I was asked to provide the top 3 accomplishments from our session to the summit team. I have suggested:

1) A recognition that OWASP MUST (not should) be active in this space

2) Direct input into OWASP's response to the FTC staff report on consumer privacy

3) A consensus to try to document the drivers, issues, resources and relevant technical approaches

Ideas...

Some suggested headings, but please feel free to add more:

Government legislation & policies

Legislation:

Primary data protection authorities:

  • US:
    • FTC
    •  ???

Issues

  • Fair processing
  • Acceptable use/specified purpose
  • Avoid collecting excessive information
  • Data accuracy
  • Data retention period enforcement (& disposal)
  • Protection of data
  • Transfers (inter department, company, country)
  • Tracking consent and withdrawal of consent
  • Provision of consent
  • Collection and storage of PII (personally identifiable information)
  • User tracking
  • User profiling

Privacy vulnerabilities

  • Build up user profiles used e.g. for retargeted / behavioral advertising
  • Identify users by fingerprinting, e.g. IP address, browser type and version, installed add-ons, ...

Technical approaches

  • Privacy vulnerability detection on server side
  • Privacy vulnerability detection on client side
    • Client side patterns implying privacy vulnerability e.g.
      • 3rd party links (typically trackers)
      • 3rd party cookies
      • invisible images / web bugs
      • behavioral tracking patterns

Tools, Add-ons, Projects to Detect & Protect Privacy

1. Ghostery plug-in. Available for Firefox, Chrome, Safari and Internet Explorer. Scans the page for scripts, pixels and other elements and notifies the user of the companies whose code is present on the page. These page elements aren't otherwise visible to the user, and are often not detailed in the page source code. Ghostery allows users to learn more about these companies and their practices, and to block the page elements from loading if the user chooses.

Download: http://www.ghostery.com/download

Ghostery is owned by Evidon (formerly "Better Advertising"): http://www.evidon.com/solutions/overview.php

"Selected by the Digital Advertising Alliance (DAA) to power its online behavioral advertising Self-Regulatory Program"

2. Mozilla Firefox 4 Beta: "Do Not Track" option (privacy feature). You can check a "Do Not Track" box in the "Advanced" screen of Firefox's Options. When this option is selected, a header is sent signalling to websites that you wish to opt out of online behavioral tracking. You will not notice any difference in your browsing experience until sites and advertisers start responding to the header.

See: http://blog.mozilla.com/blog/2011/02/08/mozilla-firefox-4-beta-now-including-do-not-track-capabilities/

Note: Also available for Google Chrome: http://google-chrome-browser.com/tags/do-not-track

3. PrimeLife

Research project funded by the European Commission's 7th Framework Programme, "bringing sustainable privacy and identity management to future networks and services".

See: http://www.primelife.eu/

Firefox extension: Dashboard

This is a PrimeLife alpha release that helps you track what information is collected by the websites you visit, together with a means to set your preferences on a site by site basis.

The extension logs your HTTP traffic to a local database on your computer, and provides a variety of queries for analyzing it. You can see whether the website you are currently visiting uses third-party content, invisible images and much more. You can set per-site preferences, e.g. to block third-party cookies or content, to disable scripting and so forth. Note that some of these preferences only take effect when the page is reloaded or as you move to other pages within the same website. The extension adds a smiley icon to the browser's navigation toolbar. This changes to reflect a measure of the privacy friendliness of the current web page. Click on the face to view details for the current site. The first time you visit a less-than-perfect site, the Firefox notification bar appears and invites you to load the page this time, to always load the page, or to view more options.

Download: http://www.primelife.eu/results/opensource/76-dashboard

Micro survey

CW created a micro survey on paper called A Few Questions, to try to gather a few [10] views from other quarters in OWASP [2 participants from the working session, and 8 other leaders], as to the relevance of "personal data protection" within OWASP's mission. The questions (and anonymous answers) were:

Q1: Can OWASP contribute to PCI-DSS compliance initiatives?

A1:

Yes.

Yes of course - we already have by reference to the Top 10.

Yes, we have done so, but to my knowledge we have allowed our relationship with PCI to languish.

Yes.

Unsure, as I'm not fully used to PCI-DSS, but guess 'yes'.

Yes.

Yes.

Yes.

Don't know.

Yes in terms of providing knowledge, training and resources to QSAs. We [OWASP] could also provide info focused on companies who are going to be assessed.



Q2: Can OWASP contribute to fraud detection and prevention?

A2:

Yes.

Yes it would be included in our mission/purpose.

Yes, ***, *** and I were discussing some potential solutions to this.

Yes.

Yes.

Yes, it should at least 'list' possible threats.

Yes.

Yes.

Don't know.

AppSensor seems to be quite useful here.



Q3: Are there application vulnerabilities that can contribute to successful fraud?

A3:

Yes.

Yes of course.

At the risk of being glib, most successful exploitations of vulnerabilities lead to some sort of fraud.

Yes.

Maybe.

Yes.

Yes.

Yes.

-

Injection flaws, possibly XSS if client credentials can be compromised, session weaknesses, SSL issues.


Q4: Can OWASP contribute to the protection of personal data?

A4: (if 'no', skip Q5 and Q6 to end)

Yes.

Certainly.

Yes, anytime our efforts close a vulnerability, we contribute.

Yes.

No.

Yes.

Yes.

Yes.

Yes.

If OWASP wants to start talking at that issue, yes.


Q5: Are there application security vulnerabilities that can contribute to attacks against personal data?

A5: (if 'no', skip to end)

Yes.

Certainly, yes!

Yes, I'm hard pressed to think of one that doesn't have the potential.

Yes.

-

Yes (for example inclusion of 3rd party code/scripts).

Yes.

Yes.

-

Injection, XSS, session flows, SSL issues.


Q6: Are there vulnerabilities in the realms of personal data protection - consent, accuracy, fair use & retention (ie not just protection of data in use/at rest) - that OWASP can help with?

A6:

Yes, at least OWASP should in the future.

Possibly to a lesser degree - seems more like the legal realm than technical.

Certainly, but I'm not in a position to identify any that aren't already a focus of the organization [OWASP].

Yes.

-

Yes.

Yes.

I am not so sure - what is a vulnerability? If a poor audit trail or no audit trail is a vulnerability, then maybe. If lack of privacy policy is a vulnerability, then maybe.

-

Accuracy and use seem to be in the realm of privacy. If OWASP works in this area, we could reach end users much more significantly.


End: Please supply any other comments here, or overleaf

-

-

-

[For] all questions, I answered yes, but it would need details how to achieve it.

-

-

-

-

I am working to enable ASVS as a government recommendation to verify the implementation of adequate protection of PII.

-