
OWASP Preps Framework for Website Security Certification

But critics say getting all the necessary players on board may be too tall an order

What if legitimate Websites went through a standard security vetting process?

The Open Web Application Security Project (OWASP) is working on a potential framework for evaluating and certifying Websites as secure, including the criteria that would entail. The project is still in progress and not quite ready for prime time, but the goal is to provide a framework for certifying the security of a site's apps, which entails much more than just the usual vulnerability scan.

"A black box scan doesn't mean a site is secure," says Dinis Cruz, OWASP's technology evangelist and project coordinator for the so-called Web Security Application Certification Framework Project.

Several commercial certifications already exist, including ScanAlert's Hacker Safe, and ControlScan, which indicate that a site has been vulnerability-scanned. And the Extended Validation SSL (EV SSL) moniker, championed by digital certificate vendors such as VeriSign and Cybertrust, helps verify that a site is legitimate. (See Are 'Sealed' Websites Any Safer?)

But security experts say today's Good Housekeeping-style seals of approval aren't enough. "The fact is that in this day and age, the VeriSign logo and the lock icon in your browser just don't cut it," says Caleb Sima, CTO of SPI Dynamics.

"I would love to see consumers push for... and have the ability to have a Web application certified for proper security testing, including application testing that can show people that it at least has gone through the basics before I put my confidential data in," Sima says. "But the reality is it will be very difficult to pull off."

The success of a standard certification framework and criteria would require the buy-in and participation of Web app security experts, Website developers, retail sites, enterprises, and even the credit card companies, which currently are focused on getting retailers to implement the PCI Data Security Standard (PCI DSS). And adopting a new standard would cost money. (See Retailer PCI Rebellion: 'No More Storing Credit Card Numbers'.)

But Web app security experts agree that something's gotta give.

Cruz says this doesn't mean OWASP will go into the certification business. "We don't want OWASP to become a certification body. That's against what we're all about. We're trying to address... that something is being done properly" to secure Web apps, he says.

The problem is that any Website app that hasn't undergone a security review or vulnerability assessment is sure to have critical bugs, says Cruz, who is the director of advanced technologies for Ounce Labs. "In every single Web application I have tested that has not gone through that, I can find an example of each of the Top 10 Web vulnerabilities.

"If an application is secure, it's because it's [already] been attacked. Security doesn't happen by accident," he says.

Cruz says he'd prefer sponsoring regular hacking contests for Web app security. It's unclear just how, and if, OWASP will offer such a model with this project.

The OWASP project is the baby of Mark Curphey, who recently joined Microsoft as the head of the ACE Services group in Europe. "Web site owners need a widely published and consensus driven set of criteria to design, develop, deploy and maintain secure web sites," writes Curphey on the OWASP Website. "This criteria and claims of compliance with it need to be able to be provided to a wide range of stakeholders including customers, regulators and business partners."

"This work is intended to be openly published for a reasonable period of time for public discussion, debate and feedback. After this period the OWASP Board will work with interested parties to determine any appropriate next steps. These may include adoption or integration into existing standards or the creation of something new," he writes.

OWASP's Cruz -- who says the OWASP project should jell in the next couple of weeks once Curphey completes the first version for review -- says the trouble today is that Websites mostly only have to ensure the appearance of security. "You only have to make sure things look secure, not that they are" secure, he says. "That's the mess we are in today."

Says SPI's Sima: "Good luck to OWASP -- I hope they can make the Internet more secure for us all."
