Code Auditor's Corner

OWASP Haiti Relief Effort

OWASP has created an “OWASP for Charities” project. They set up a secure and trusted way for those within the OWASP community to donate funds to help the people of Haiti. The following is the e-mail announcing the effort that was posted to the OWASP mailing list:

OWASP Members and Supporters,

OWASP was founded, and is supported as a non-profit organization, by a group of dedicated volunteers who believe that all applications should be secure and trusted. As our organization matures we have taken those beliefs broader, and have started setting up ways for our members to donate to the global community. Among these initiatives are:

  • OWASP has an active Kiva lending team who have donated $9,125.00 to date. http://www.kiva.org/community/viewTeam?team_id=522
  • OWASP in response to the need in Haiti has set up a secure and trusted way for those within the OWASP community to donate funds to help the people of Haiti. This allows our OWASP community to help one another with a single global voice. 100% of the collected donations will be transferred directly to victims for disaster relief such as food and medical requirements. Please visit www.owasp.org and click the link for G33k-4-HAITI. In a time of crisis, OWASP can help those who are in great need. The OWASP community can help organize, support, and promote efforts outside of application security.

OWASP is well aware there is a movement for phishers to utilize this tragedy to get unsuspecting people to donate to a “cause” without having a legitimate business back end and ultimately funneling all the money directly into their own pockets. The OWASP community is uniquely qualified to help protect from this type of attack and educate about attacks as well.

As the world becomes more dependent on technology and particularly web applications, there are many who need protection who simply have no options to protect themselves. These include small companies, individuals, charities, and others. The OWASP community can help by connecting qualified, trusted resources willing to volunteer their time to those organizations which qualify. OWASP is setting up an outreach program, which will be under the project name of OWASP for Charities.

We hope you will support OWASP's efforts to make a difference in any of the above ways. We are also open to suggestions in regards to where you feel the OWASP Community can be of service.

Regards,

Your OWASP Board

Seven Domains Of The CSSLP

Here are descriptions for the seven domains of the CSSLP for my presentation at ISSA-NOVA on January 21, 2010:

Secure Software Concepts – the fundamental knowledge for understanding the security implications of software development, and the mechanisms to impose security constraints on the behavior, use, and content of a software system. This includes security design and information assurance principles, risk management, software architectures, legal issues, standards, acquisition methods, information security and software maturity models.

Secure Software Requirements – the overall software specification should include both functional and nonfunctional requirements. The nonfunctional requirements of secure software address issues such as how the software application will: remain dependable under hostile operating conditions; resist compromise by an attacker through the exploitation of vulnerabilities or insertion of malicious code; and be resilient enough to recover quickly, containing damage to itself, data, resources, and external components on which it relies.

Secure Software Design – fundamental activities that approach the definition of the software from a security perspective in order to decrease the likelihood that the design specification will contain flaws. These activities include identifying and minimizing the software’s attack surface, performing threat modeling, and following security design principles.

Secure Software Implementation/Coding – software developers should follow secure coding best practices and standards, understand and avoid common vulnerabilities, implement countermeasures, and use tools and techniques such as static analysis and code review to avoid introducing flaws that can lead to security vulnerabilities.
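The Implementation/Coding domain above names three things: knowing a common vulnerability, applying its countermeasure, and using tools such as static analysis to catch the flaw during review. The following is an added example (not code from the page or from the CSSLP material) that puts all three side by side for one such vulnerability. The choice of dynamically built SQL as the "common vulnerability" is this editor's, since the page names none; the table, the inputs, and the toy AST rule are all constructed for the example and do not reflect any real analyser's rule set.

```python
"""Added example: one common implementation flaw, its countermeasure,
and a toy static check of the kind the CSSLP domain refers to.
Everything here (table, rows, inputs, lint rule) is constructed."""
import ast
import sqlite3
import textwrap


def make_db() -> sqlite3.Connection:
    """Constructed in-memory user table so the example runs offline."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "admin"), ("o'brien", "user"), ("bob", "user")],
    )
    return conn


def find_role_unsafe(conn: sqlite3.Connection, name: str):
    """Defect (kept deliberately as the 'before'): user data is spliced
    into the SQL text, so the database parses it as SQL. Even a legitimate
    name containing a quote breaks the statement; input that is not
    legitimate can change what the statement means."""
    sql = "SELECT role FROM users WHERE name = '%s'" % name
    return conn.execute(sql).fetchone()


def find_role_safe(conn: sqlite3.Connection, name: str):
    """Countermeasure: a parameterised query keeps the SQL structure fixed;
    the driver passes the value separately and never as SQL text."""
    return conn.execute(
        "SELECT role FROM users WHERE name = ?", (name,)
    ).fetchone()


def lookup_outcomes(name: str) -> dict:
    """Run both variants on the same input and report what each did."""
    conn = make_db()
    out = {}
    try:
        out["unsafe"] = find_role_unsafe(conn, name)
    except sqlite3.Error as exc:          # the flaw surfaces as a SQL error here
        out["unsafe"] = "error: %s" % exc
    out["safe"] = find_role_safe(conn, name)
    return out


# Constructed source text for the toy static check below: two functions
# that build the statement at runtime and one that parameterises it.
SAMPLE_SOURCE = textwrap.dedent('''
    def bad(conn, name):
        conn.execute("SELECT role FROM users WHERE name = '%s'" % name)

    def also_bad(conn, name):
        conn.execute(f"SELECT role FROM users WHERE name = '{name}'")

    def good(conn, name):
        conn.execute("SELECT role FROM users WHERE name = ?", (name,))
''')


def flag_dynamic_sql(source: str) -> list:
    """Toy static-analysis rule (an assumption, not any real tool's rule):
    report each function whose execute()/executemany() call receives a
    first argument that is not a plain string literal. It errs on the side
    of noise, which is the normal trade-off a reviewer then triages."""
    flagged = []
    for func in ast.walk(ast.parse(source)):
        if not isinstance(func, ast.FunctionDef):
            continue
        for node in ast.walk(func):
            if (isinstance(node, ast.Call) and isinstance(node.func, ast.Attribute)
                    and node.func.attr in ("execute", "executemany") and node.args):
                first = node.args[0]
                literal = isinstance(first, ast.Constant) and isinstance(first.value, str)
                if not literal:
                    flagged.append(func.name)
                    break
    return flagged


if __name__ == "__main__":
    for user in ("alice", "o'brien"):
        print(user, lookup_outcomes(user))
    print("flagged by toy rule:", flag_dynamic_sql(SAMPLE_SOURCE))
```

The point of running both lookups on the same legitimate input is that the defect is visible without any attack string: the unsafe variant fails on a name that merely contains a quote, while the parameterised variant returns the correct row. The AST rule is the code-review half of the domain description; it flags both runtime-built statements and leaves the parameterised one alone.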

Secure Software Testing – activities for evaluating a software application in a runtime environment that most closely resembles its production environment. Many testing activities require the application to be functionally complete and follow standards and methodologies such as ISO 9126, the SSE-CMM, and the Open Source Security Testing Methodology Manual (OSSTMM). Security testing should assess the security properties and behaviors of the software application as it interacts with external entities and as its own components interact with each other. An analysis of test results forms the basis for assessing risk and means of remediation.

Software Acceptance – ensuring that the software is ready to be released. This involves pre-release or pre-deployment activities such as generating test data that shows that all prescribed tests have been executed and accepted; and post-release activities such as an independent review of the software conducted by a third-party or by an independent security team of the organization.

Software Deployment/Operations/Maintenance/Disposal – maintaining information assurance during installation, deployment, operation, maintenance, and disposal of secure software systems.
