OWASP Intra-Governmental Affairs
David Campbell, Denver Chapter
Puneet Mehta, Delhi Chapter
Overview
OWASP is a globally recognized body for web application security guidance and frameworks. OWASP materials are used worldwide by organizations and individuals to build reliable enterprise application security programs. The open community model of OWASP has already attracted thousands of security professionals worldwide who contribute to OWASP's ongoing initiatives, and this number is growing every day. While the above is helping strengthen OWASP's credibility, there is a greater need to position OWASP with the governments of different countries. This is required to promote OWASP as a standards body for AppSec, just like ISO / BS. Some compliance bodies, such as PCI, already mandate adherence to the OWASP Top 10 for PCI DSS compliance. This needs to extend to other regulatory bodies in different countries and requires close government interaction and representation by OWASP.
Objectives
- Identify the top reasons and driving factors for working with the governments of different countries
- Identify potential areas where OWASP and governments can work together
- Discuss measurable benefits
- Identify possible ways to approach this initiative
Top reasons / Driving Factors
- Increasing regulatory compliance directives that mandate application security controls
- Lack of an official / recognized application security standard that can be used to audit and assess the maturity level. There is also a need for an ASBOK (Application Security Body of Knowledge). I understand the OWASP Guide is there, but it needs to include the regulatory part and a mapping of application-specific security controls.
- Lack of Certification & Accreditation criteria
- National critical infrastructure protection boards are forming in various countries, creating opportunities for bodies such as OWASP to provide guidance and advice on AppSec issues
- Participation in national research programs and policy frameworks
- Lack of formal application security programs in academia (universities, colleges, etc.)
Top reasons / Driving Factors (Continued)
- To gain visibility amongst different government agencies such as the Ministry of IT & Communication, NIST, CERT, NIC (National Informatics Center), NTRO (National Technology Research Organization), RBI (Reserve Bank of India), Cyber Security & Defense Wing, etc.
- To leverage the existing infrastructure base & financial grants to initiate new research projects
- Experience has shown that government security directives developed without proper integration of expert input yield unwieldy and ineffective controls (e.g. the USA's FISMA Act of 2002)
Potential Areas to work together
- Help define policies and roadmaps for strategic initiatives such as the National Critical Infrastructure Protection Board, Homeland Security initiatives, etc.
- Help regulators / federal agencies define application security controls for statutory compliance
- Map the application-specific security controls of different standards and regulations (NIST, PCI, ISO 27001, RBI, SOX / Clause 64 (India), etc.) to the OWASP framework
- Define guidelines and Code of Practice documents specific to different compliance requirements
- Jointly work on new research projects
- Drive application security programs for universities and other academic and research institutions
Potential Areas to work together (Continued)
- NIST/NSF RFI for "revolutionary ideas" for cybersecurity. Submissions due 15 Dec 08.
Measurable Benefits
- Potential opportunities to initiate new research projects with financial support from governments
- Wider reach, increased visibility & representation at the national level within different countries
- Increased participation from individuals, federal agencies and other bodies that are not participating currently
- Positioning as a standards body for AppSec, just like ISO/BS, that also provides an accreditation and certification function
- (Contd.; add more)
Possible ways to approach the initiative
Institutionalize an OWASP Intra-Governmental Affairs Advisory Board (OIGAAB) that works directly under the OWASP Foundation Board. This board can have task forces designated for each country (possibly chapter leaders from the respective countries can be identified to form these task forces) that will initiate interactions with government bodies and work on the identified areas to help achieve the set objectives. The next slide depicts a sample structure.
Possible ways to approach the initiative (Continued)
OWASP Intra-Governmental Affairs Advisory Board (OIGAAB) – Sample Structure
- OWASP Foundation Board
  - Conferences
  - OWASP Intra-Governmental Affairs Operations: committees and task forces (e.g. Research, Standards, Membership, Finance, OWASP Intra-Governmental Affairs Advisory Board, etc.)
    - Committees and task forces, country specific (one set of committees and task forces per country)
Mission Statement – OIGAAB
Mission: to ensure that OWASP's dealings with governmental and regulatory agencies (where the impact on OWASP is potentially multinational) are coherent and consistent, making effective use of resources and a global perspective for the benefit of members and constituents.
Types of organizations:
- Governmental and regulatory agencies
- Economic international entities
- Professional bodies that regulate or influence regulators
Sample geographic task forces:
- Europe (could be subdivided further)
- Asia (India, China, Hong Kong, Taiwan, etc.)
- Americas
OWASP Intra-Governmental Affairs Advisory Board – Typical Activities
- Collaborate with / advise standard-setting bodies
- Promote recognition of OWASP projects & other materials
- Encourage adoption of OWASP frameworks (to be positioned as a standard) for the improvement of application security
- Disseminate to OWASP's constituents information from multinational agencies on professional issues
- Promote OWASP education and membership
- Promote awareness and recognition of OWASP's knowledge base
- Contribute to research projects and disseminate research results
- (Add more)