Industry:Personal Information Online Code of Practice

Return to Global Industry Committee

Result
ICO summary of responses at http://www.ico.gov.uk/upload/documents/library/data_protection/practical_application/personal_information_online_cop_consultation_summary.pdf

OWASP listed as written responder in above document.

Final document expected July 2010, with separate guidance on security to follow.

Question 3 (Are there any other specific issues relating to online security that you think it would be helpful for us to cover in the code?)
We recommend adding the following points:


 * Ensure that a Secure Development Life Cycle (SDLC) is in place.
 * During the analysis phase of the project, perform a threat analysis (or similar) to help determine the security requirements that must be met. The security requirements should cover the following types of issue:
 * Security architecture
 * Authentication
 * Session management
 * Access control
 * Input validation
 * Output encoding/escaping
 * Cryptography
 * Error handling and logging
 * Data protection
 * Communication security
 * HTTP security
 * Security configuration
 * Malicious code search
 * Secure coding practices should be in place during the development phase. These should reflect common risks such as those described in the OWASP Top Ten.
 * The testing phase should include an element of application security testing.
 * During the deployment phase the emphasis should be on security hardening of the application, database and infrastructure.

Question 7 (Are there any other international issues you would like to see covered?)
The two sections boxed out with bullet point apply equally to design agencies, website developers, web programmers, contractors, hosting companies and other suppliers located in the UK - not just internationally.

We recommend adding the following points:


 * have a risk-based application security programme built into all stages of software (e.g. website) development practices
 * ensure all websites and related systems are developed securely to protect against security risks
 * build information security and privacy requirements into all contracts and agreements

Question 16 (Is there any other relevant guidance that we should refer to?)
We recommend referencing the following OWASP documents relating to the development of secure websites and web services (web applications). These are all available free of charge on OWASP's wiki and as PDFs, or at cost from an online printer. OWASP does not endorse commercial products or services.


 * Software Assurance Maturity Model (SAMM)
 * An open framework to help organisations formulate and implement a strategy for software security that is tailored to the specific risks facing the organization.
 * http://www.opensamm.org/


 * Top Ten, OWASP
 * The OWASP Top Ten represents a broad consensus about what the most critical web application security flaws are.
 * http://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project


 * Guide to Building Secure Web Applications, OWASP
 * The Development Guide is aimed at architects, developers, consultants and auditors and is a comprehensive manual for designing, developing and deploying secure Web Applications and Web Services.
 * http://www.owasp.org/index.php/Category:OWASP_Guide_Project


 * Code Review Guide, OWASP
 * Guidance on identifying security flaws in web application source code.
 * http://www.owasp.org/index.php/Category:OWASP_Code_Review_Project


 * Testing Guide, OWASP
 * Web application security penetration testing guide describing techniques for testing the most common web application and web service security issues.
 * http://www.owasp.org/index.php/Category:OWASP_Testing_Project


 * Application Security Verification Standard (ASVS), OWASP
 * Structured security verification framework for web applications.
 * http://www.owasp.org/index.php/ASVS

Question 17 (Are there any further comments you wish to make?)
Response to the ICO on behalf of OWASP --


 * The following text does not form part of OWASP's submission, but explains our background and therefore the context of our input.

This is an official response on behalf of the Open Web Application Security Project (OWASP)[1] prepared by UK members of OWASP's Global Industry Committee[2] in consultation with participants in the Leeds[3], London[4] and Scotland[5] chapters.

OWASP is pleased the ICO is providing guidance in this manner to UK organisations.

About OWASP ---

OWASP is a global open community dedicated to enabling organizations to develop, purchase, and maintain applications that can be trusted. OWASP builds documents, tools, teaching environments, guidelines, checklists, and other materials to help organisations improve their capability to produce secure code. All of the OWASP tools, documents, forums, and chapters are free and open to anyone interested in improving application security.

OWASP was formed in 2001, in an entirely organic fashion, when a group of security professionals came to realise how terribly insecure the way we develop our web applications was. The initial goal was deemed to be modest: write a guide for developers, which would document secure software development practices. While the initial effort was meant to last a few weeks, it came out to several hundred pages. When released, the OWASP Guide to Building Secure Web Applications was an instant success.

OWASP is a place where good people gather to help increase the awareness of the web application security problems in applications. It is a grass-roots effort, with the driving force being the people who are dealing with these problems every day, and wanting to lend a hand to change the situation for the better. The OWASP Foundation is a not-for-profit entity that ensures the project's long-term success and has over 130 local chapters around the world including three in the UK.

OWASP's projects are widely referenced[6] by national & international legislation, standards, guidelines, committees and industry codes of practice. For example, the OWASP Guide to Building Secure Web Applications[7] and OWASP Top Ten[8] are referred to in the Payment Card Industry Data Security Standard (PCI DSS)[9]. OWASP was shortlisted last year for the best security initiative award in Nominet's Best Practice Challenge[10].

OWASP has previously provided responses to DPC BS 8878:2009 on Web Accessibility, the Digital Britain Interim Report, DPC BS 10012, and many draft international standards and guides[11] relating to web application security.

References --


 * 1. Open Web Application Security Project (OWASP)
 * http://www.owasp.org


 * 2. OWASP Global Industry Committee
 * http://www.owasp.org/index.php/Global_Industry_Committee


 * 3. OWASP Leeds Chapter
 * http://www.owasp.org/index.php/Leeds_UK


 * 4. OWASP London Chapter
 * http://www.owasp.org/index.php/London


 * 5. OWASP Scotland Chapter
 * http://www.owasp.org/index.php/Scotland


 * 6. OWASP Citations
 * http://www.owasp.org/index.php/Industry:Citations


 * 7. Guide to Building Secure Web Applications, OWASP
 * http://www.owasp.org/index.php/Category:OWASP_Guide_Project


 * 8. Top Ten Project, OWASP
 * http://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project


 * 9. Payment Card Industry Data Security Standard (PCI DSS) v1.2
 * https://www.pcisecuritystandards.org/security_standards/pci_dss.shtml


 * 10. Best Practice Challenge 2009 Winners Brochure
 * http://www.nominet.org.uk/digitalAssets/40377_BestPracticeChallenge_winners2009.pdf


 * 11. Completed work, Global Industry Committee, OWASP
 * http://www.owasp.org/index.php/Global_Industry_Committee#Completed_Items

Return to Global Industry Committee