Re: An Open Letter (and Challenge) to the Application Security Consortium

[<ban.marketing.bs () hushmail com>]

Fair call but isn't it also about time someone called BS on your 
members for the shiny red button marketing of app scanners?

Point them at WebGoat, WebMaven, Hacme Bank and they all fail 
miserably. (Note they all pass their in-house written canned test 
apps though). I want to see some real test results for these 
things. My results show less that 1 in 10 issues in the real world. 
Thats horrible. 

I say good for OWASP for sticking up for the masses and calling BS 
where they see it. Please make sure you cover app scanners as well!


Some people may have been under the impression that this letter was 
 
directed towards the "Web Application Security Consortium" (WASC)  
http://www.webappsec.org.  To clarify, I believe this letter was 
meant  
for ANOTHER group including F5, Imperva, NetContinuum, and Teros.  
Specifically a challenge they sent to Check Point, Cisco, Juniper,  

McAfee and Symantec. Many industry acronyms are very close.

Reference the following URL's for background.

The press release found here:
https://www.netcontinuum.com/newsroom/pressReleaseItem.cfm?uid=42

further industry coverage here:
http://news.com.com/Group+aims+to+create+hallmark+of+security/2100- 

1029_3-5443154.html

and here:
http://biz.yahoo.com/prnews/041109/sftu090_1.html


Regards,

Jeremiah Grossman



On Monday, November 15, 2004, at 07:34  PM, The OWASP Project 
wrote:

> An Open Letter (and Challenge) to the Application Security 
Consortium
> Since its inception in late 2000 the Open Web Application 
Security  
> Project (OWASP) has provided free and open tools and 
documentation to 

> educate people about the increasing threat of insecure web  
> applications and web services. As a not-for-profit charitable  
> foundation, one of our community responsibilities is to ensure 
that  
> fair and balanced information is available to companies and 
consumers. 

> Our work has become recommended reading by the Federal Trade  
> Commission, VISA, the Defense Information Systems Agency and many 
 
> other commercial and government entities.
>
> The newly unveiled Application Security Consortium recently 
announced 

> a "Web Application Security Challenge" to other vendors at the  
> Computer Security Institute (CSI) show in Washington, D.C. This 
group 

> of security product vendors proposes to create a new minimum 
criteria 

> and then rate their own products against it.
>
> The OWASP community is deeply concerned that this criteria will  
> mislead consumers and result in a false sense of security. In the 
 
> interest of fairness, we believe the Application Security 
Consortium  
> should disclose what security issues their products do not 
address.
> As a group with a wide range of international members from 
leading  
> financial services organizations, pharmaceutical companies,  
> manufacturing companies, services providers, and technology 
vendors,  
> we are constantly reminded about the diverse range of 
vulnerabilities 

> that are present in web applications and web services. The very 
small 

> selection of vulnerabilities you are proposing to become a 
testing  
> criteria are far from representative of what our members see in 
the  
> real world and therefore do not represent a fair or suitable test 
 
> criteria. In fact, it seems quite a coincidence that the issues 
you  
> have chosen seem to closely mirror the issues that your 
technology  
> category is typically able to detect, while ignoring very common  

> vulnerabilities that cause serious problems for companies.
>
> Robert Graham, Chief Scientist at Internet Security Systems, 
recently 

> commented on application firewalls in an interview for CNET news. 
When 

> asked the question "How important do you think application 
firewalls  
> will become in the future?" his answer was "Not very."
>
>
> "Let me give you an example of something that happened with me. 
Not  
> long ago, I ordered a plasma screen online, which was to be 
shipped by 

> a local company in Atlanta. And the company gave me a six-digit  
> shipping number. Accidentally, I typed in an incremental of my  
> shipping number (on the online tracking Web site). Now, a six-
digit  
> number is a small number, so of course I got someone else's user  

> account information. And the reason that happened was due to the 
way  
> they've set up their user IDs, by incrementing from a six-digit  
> number. So here's the irony: Their system may be so 
cryptographically 

> secure that (the) chances of an encrypted shipping number being  
> cracked is lower than a meteor hitting the earth and wiping out  
> civilization. Still, I could get at the next ID easily. There is 
no  
> application firewall that can solve this problem. With 
applications  
> that people are running on the Web, no amount of additive things 
can  
> cure fundamental problems that are already there in the first 
place."
> This story echoes some of the fundamental beliefs and wisdom 
shared by 

> the collective members of OWASP. Our experience shows that the  
> problems we face with insecure software cannot be fixed with  
> technology alone. Building secure software requires deep changes 
in  
> our development culture, including people, processes, and 
technology.
> We challenge the members of the Application Security Consortium 
to  
> accept a fair evaluation of their products. OWASP will work with 
its  
> members (your customers) to create an open set of criteria that 
is  
> representative of the web application and web services issues 
found in 

> the real world. OWASP will then build a web application that 
contains 

> each of these issues. The criteria and web application will be  
> submitted to an independent testing company to evaluate your 
products. 

> You can submit your products to be tested against the criteria  
> (without having prior access to the code) on the basis that the  
> results are able to be published freely and will unabridged.
>
> We believe that this kind of marketing stunt is irresponsible and 
 
> severely distracts awareness from the real issues surrounding web 
 
> application and web services security. Corporations need to 
understand 

> that they must build better software and not seek an elusive 
silver  
> bullet.
>
> We urge the Consortium not to go forward with their criteria, but 
to  
> take OWASP up on our offer to produce a meaningful standard and 
test  
> environment that are open and free for all.
>
> Contact: owasp () owasp org
> Website: www.owasp.org




Concerned about your privacy? Follow this link to get
secure FREE email: http://www.hushmail.com/?l=2

Free, ultra-private instant messaging with Hush Messenger
http://www.hushmail.com/services-messenger?l=434

Promote security and make money with the Hushmail Affiliate Program: 
http://www.hushmail.com/about-affiliate?l=427