Re: An Open Letter (and Challenge) to the Application Security Consortium

[Jeremiah Grossman <jeremiah () whitehatsec com>]

Some people may have been under the impression that this letter was  
directed towards the "Web Application Security Consortium" (WASC)  
http://www.webappsec.org.  To clarify, I believe this letter was meant  
for ANOTHER group including F5, Imperva, NetContinuum, and Teros.  
Specifically a challenge they sent to Check Point, Cisco, Juniper,  
McAfee and Symantec. Many industry acronyms are very close.

Reference the following URL's for background.

The press release found here:
https://www.netcontinuum.com/newsroom/pressReleaseItem.cfm?uid=42

further industry coverage here:
http://news.com.com/Group+aims+to+create+hallmark+of+security/2100- 
1029_3-5443154.html

and here:
http://biz.yahoo.com/prnews/041109/sftu090_1.html


Regards,

Jeremiah Grossman



On Monday, November 15, 2004, at 07:34  PM, The OWASP Project wrote:

> An Open Letter (and Challenge) to the Application Security Consortium
>
> Since its inception in late 2000 the Open Web Application Security  
> Project (OWASP) has provided free and open tools and documentation to  
> educate people about the increasing threat of insecure web  
> applications and web services. As a not-for-profit charitable  
> foundation, one of our community responsibilities is to ensure that  
> fair and balanced information is available to companies and consumers.  
> Our work has become recommended reading by the Federal Trade  
> Commission, VISA, the Defense Information Systems Agency and many  
> other commercial and government entities.
>
> The newly unveiled Application Security Consortium recently announced  
> a "Web Application Security Challenge" to other vendors at the  
> Computer Security Institute (CSI) show in Washington, D.C. This group  
> of security product vendors proposes to create a new minimum criteria  
> and then rate their own products against it.
>
> The OWASP community is deeply concerned that this criteria will  
> mislead consumers and result in a false sense of security. In the  
> interest of fairness, we believe the Application Security Consortium  
> should disclose what security issues their products do not address.
>
> As a group with a wide range of international members from leading  
> financial services organizations, pharmaceutical companies,  
> manufacturing companies, services providers, and technology vendors,  
> we are constantly reminded about the diverse range of vulnerabilities  
> that are present in web applications and web services. The very small  
> selection of vulnerabilities you are proposing to become a testing  
> criteria are far from representative of what our members see in the  
> real world and therefore do not represent a fair or suitable test  
> criteria. In fact, it seems quite a coincidence that the issues you  
> have chosen seem to closely mirror the issues that your technology  
> category is typically able to detect, while ignoring very common  
> vulnerabilities that cause serious problems for companies.
>
> Robert Graham, Chief Scientist at Internet Security Systems, recently  
> commented on application firewalls in an interview for CNET news. When  
> asked the question "How important do you think application firewalls  
> will become in the future?" his answer was "Not very."
>
>
> "Let me give you an example of something that happened with me. Not  
> long ago, I ordered a plasma screen online, which was to be shipped by  
> a local company in Atlanta. And the company gave me a six-digit  
> shipping number. Accidentally, I typed in an incremental of my  
> shipping number (on the online tracking Web site). Now, a six-digit  
> number is a small number, so of course I got someone else's user  
> account information. And the reason that happened was due to the way  
> they've set up their user IDs, by incrementing from a six-digit  
> number. So here's the irony: Their system may be so cryptographically  
> secure that (the) chances of an encrypted shipping number being  
> cracked is lower than a meteor hitting the earth and wiping out  
> civilization. Still, I could get at the next ID easily. There is no  
> application firewall that can solve this problem. With applications  
> that people are running on the Web, no amount of additive things can  
> cure fundamental problems that are already there in the first place."
>
> This story echoes some of the fundamental beliefs and wisdom shared by  
> the collective members of OWASP. Our experience shows that the  
> problems we face with insecure software cannot be fixed with  
> technology alone. Building secure software requires deep changes in  
> our development culture, including people, processes, and technology.
>
> We challenge the members of the Application Security Consortium to  
> accept a fair evaluation of their products. OWASP will work with its  
> members (your customers) to create an open set of criteria that is  
> representative of the web application and web services issues found in  
> the real world. OWASP will then build a web application that contains  
> each of these issues. The criteria and web application will be  
> submitted to an independent testing company to evaluate your products.  
> You can submit your products to be tested against the criteria  
> (without having prior access to the code) on the basis that the  
> results are able to be published freely and will unabridged.
>
> We believe that this kind of marketing stunt is irresponsible and  
> severely distracts awareness from the real issues surrounding web  
> application and web services security. Corporations need to understand  
> that they must build better software and not seek an elusive silver  
> bullet.
>
> We urge the Consortium not to go forward with their criteria, but to  
> take OWASP up on our offer to produce a meaningful standard and test  
> environment that are open and free for all.
>
> Contact: owasp () owasp org
> Website: www.owasp.org