Subject: An Open Letter (and Challenge) to the Application Security Consortium
Date: Mon, 15 Nov 2004 22:34:08 -0500 (EST)
An Open Letter (and Challenge) to the Application Security Consortium

Since its inception in late 2000 the Open Web Application Security Project 
(OWASP) has provided free and open tools and documentation to educate people 
about the increasing threat of insecure web applications and web services. As a 
not-for-profit charitable foundation, one of our community responsibilities is 
to ensure that fair and balanced information is available to companies and 
consumers. Our work has become recommended reading by the Federal Trade 
Commission, VISA, the Defense Information Systems Agency and many other 
commercial and government entities. 

The newly unveiled Application Security Consortium recently announced a "Web 
Application Security Challenge" to other vendors at the Computer Security 
Institute (CSI) show in Washington, D.C. This group of security product vendors 
proposes to create a new minimum criteria and then rate their own products 
against it. 

The OWASP community is deeply concerned that these criteria will mislead 
consumers and result in a false sense of security. In the interest of fairness, 
we believe the Application Security Consortium should disclose what security 
issues their products do not address. 

As a group with a wide range of international members from leading financial 
services organizations, pharmaceutical companies, manufacturing companies, 
services providers, and technology vendors, we are constantly reminded about 
the diverse range of vulnerabilities that are present in web applications and 
web services. The very small selection of vulnerabilities you are proposing to 
become testing criteria is far from representative of what our members see 
in the real world and therefore does not represent a fair or suitable test 
criteria. In fact, it seems quite a coincidence that the issues you have chosen 
seem to closely mirror the issues that your technology category is typically 
able to detect, while ignoring very common vulnerabilities that cause serious 
problems for companies. 

Robert Graham, Chief Scientist at Internet Security Systems, recently commented 
on application firewalls in an interview for CNET news. When asked the question 
"How important do you think application firewalls will become in the future?" 
his answer was "Not very." 


"Let me give you an example of something that happened with me. Not long ago, I 
ordered a plasma screen online, which was to be shipped by a local company in 
Atlanta. And the company gave me a six-digit shipping number. Accidentally, I 
typed in an incremental of my shipping number (on the online tracking Web 
site). Now, a six-digit number is a small number, so of course I got someone 
else's user account information. And the reason that happened was due to the 
way they've set up their user IDs, by incrementing from a six-digit number. So 
here's the irony: Their system may be so cryptographically secure that (the) 
chances of an encrypted shipping number being cracked is lower than a meteor 
hitting the earth and wiping out civilization. Still, I could get at the next 
ID easily. There is no application firewall that can solve this problem. With 
applications that people are running on the Web, no amount of additive things 
can cure fundamental problems that are already there in the first place."

This story echoes some of the fundamental beliefs and wisdom shared by the 
collective members of OWASP. Our experience shows that the problems we face 
with insecure software cannot be fixed with technology alone. Building secure 
software requires deep changes in our development culture, including people, 
processes, and technology. 

We challenge the members of the Application Security Consortium to accept a 
fair evaluation of their products. OWASP will work with its members (your 
customers) to create an open set of criteria that is representative of the web 
application and web services issues found in the real world. OWASP will then 
build a web application that contains each of these issues. The criteria and 
web application will be submitted to an independent testing company to evaluate 
your products. You can submit your products to be tested against the criteria 
(without having prior access to the code) on the basis that the results are 
able to be published freely and will be unabridged. 

We believe that this kind of marketing stunt is irresponsible and severely 
distracts awareness from the real issues surrounding web application and web 
services security. Corporations need to understand that they must build better 
software and not seek an elusive silver bullet. 

We urge the Consortium not to go forward with their criteria, but to take OWASP 
up on our offer to produce a meaningful standard and test environment that are 
open and free for all. 

Contact: owasp@owasp.org
Website: www.owasp.org
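The flaw in Robert Graham's anecdote above is an access-control defect, not a transport or filtering one: the request for the "next" shipping number is indistinguishable from a legitimate one, so no application firewall can reject it. The following added example (not code from the OWASP letter, nor from the shipping company Graham describes; the in-memory store, the function names and all data are constructed for illustration) shows the incrementing six-digit scheme beside a hardened variant that assigns an unguessable token and, more importantly, checks that the requester owns the record.

```python
"""Sequential vs. opaque shipment identifiers with an ownership check.

Added example, not from the OWASP letter or the company in Graham's anecdote.
The vulnerable half models his description: a six-digit incrementing shipping
number that any visitor can look up, so the adjacent number returns another
customer's record. The hardened half assigns a random token and still requires
that the authenticated user owns the shipment. All data is constructed.
"""
import secrets
from dataclasses import dataclass
from typing import Dict, Optional


@dataclass
class Shipment:
    owner: str     # account that placed the order
    item: str      # what was ordered
    address: str   # delivery address: the sensitive part of the record


# --- Vulnerable design: six-digit incrementing shipping numbers -------------
_next_number = 100_000                       # constructed starting point
_by_number: Dict[int, Shipment] = {}


def create_shipment_sequential(owner: str, item: str, address: str) -> int:
    """Assigns the next six-digit number in sequence (the anecdote's scheme)."""
    global _next_number
    number = _next_number
    _next_number += 1
    _by_number[number] = Shipment(owner, item, address)
    return number


def track_sequential(number: int) -> Optional[Shipment]:
    """Looks up by number alone: whoever knows (or guesses) a number gets the
    record. The request carries nothing a firewall could flag as hostile."""
    return _by_number.get(number)


def sequential_ids_leak_neighbour(number: int) -> bool:
    """Defender's check: does the record adjacent to a known number belong to
    a different customer and still come back? True means the scheme leaks."""
    mine = track_sequential(number)
    other = track_sequential(number + 1)
    return mine is not None and other is not None and other.owner != mine.owner


# --- Hardened design: opaque token plus ownership check ---------------------
_by_token: Dict[str, Shipment] = {}


def create_shipment_opaque(owner: str, item: str, address: str) -> str:
    """Assigns a 128-bit random URL-safe token; tokens carry no ordering, so
    knowing one reveals nothing about any other."""
    token = secrets.token_urlsafe(16)
    _by_token[token] = Shipment(owner, item, address)
    return token


def track_opaque(token: str, current_user: str) -> Optional[Shipment]:
    """Returns the record only if it exists AND belongs to the authenticated
    user. The ownership check is the actual fix; the random token merely
    removes guessability as a second layer."""
    shipment = _by_token.get(token)
    if shipment is None or shipment.owner != current_user:
        return None
    return shipment


if __name__ == "__main__":
    a = create_shipment_sequential("alice", "plasma screen", "1 Peachtree St, Atlanta")
    create_shipment_sequential("bob", "router", "2 Main St, Atlanta")
    print("sequential scheme leaks neighbour:", sequential_ids_leak_neighbour(a))
    t = create_shipment_opaque("alice", "plasma screen", "1 Peachtree St, Atlanta")
    print("owner lookup:", track_opaque(t, "alice") is not None)
    print("other user lookup:", track_opaque(t, "bob"))
```

The point the example makes is the one the letter draws from the anecdote: the lookup must bind the record to the authenticated user on the server side. Unguessable identifiers help, but a random token handed to a page that never checks ownership is still a design flaw that no add-on in front of the application can see.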