Industry:e-Consumer Protection Consultation


Submission Response
Latest first

Final version
Grouped into a single response, each with its own "About OWASP"

'Promoting Business Compliance'

''BC1. Why do businesses not use guidance more often, and what can we do to encourage them to?''

Much guidance is not easy to find, and it often has to be paid for. The OFT should promote access to high-quality free standards, guidance and procedures.

This official response has been submitted on behalf of the Open Web Application Security Project (OWASP) by the OWASP Global Industry Committee, following our own consultation process.

OWASP is a worldwide free and open community focused on improving the security of application software. Our mission is to make application security "visible", so that people and organizations can make informed decisions about application security risks. OWASP has three active chapters in the UK:


 * Leeds/North http://www.owasp.org/index.php/Leeds_UK
 * London http://www.owasp.org/index.php/London
 * Scotland http://www.owasp.org/index.php/Scotland

Everyone is free to participate in OWASP and all of our materials are available under a free and open software license. Further information:


 * The Open Web Application Security Project http://www.owasp.org/
 * About The Open Web Application Security Project http://www.owasp.org/index.php/About_OWASP
 * OWASP Global Industry Committee http://www.owasp.org/index.php/Global_Industry_Committee
 * Legislation, standards, guidelines, etc. referencing OWASP http://www.owasp.org/index.php/Industry:Citations

''BC2. How can we make guidance on existing and future consumer protection regulation more accessible and user friendly (for example, are there exemplars we could follow and is there a specific location where guidance should be held such as Directgov, the OFT website, etc)?''

OWASP produces a range of comprehensive, expert-reviewed standards, guidance documents, code libraries and tools for organisations designing, developing and operating websites and web applications. Some key ones are:


 * Top Ten - The Ten Most Critical Web Application Security Risks http://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project
 * Development Guide http://www.owasp.org/index.php/OWASP_Guide_Project
 * Code Review Guide http://www.owasp.org/index.php/OWASP_Code_Review_Guide_Table_of_Contents
 * Testing Guide http://www.owasp.org/index.php/OWASP_Testing_Project
 * Application Security Verification Standard http://www.owasp.org/index.php/Category:OWASP_Application_Security_Verification_Standard_Project
 * Software Assurance Maturity Model http://www.owasp.org/index.php/Category:Software_Assurance_Maturity_Model

All the output is available free of charge to anyone without registration, and printed copies can be bought at cost. The materials are so well regarded that they are referenced by many other national and international standards, such as PCI DSS:


 * Legislation, standards, guidelines, etc. referencing OWASP http://www.owasp.org/index.php/Industry:Citations

Much of the documentation is aimed at development and verification staff, but SAMM is much more aligned with the governance of such matters, and the Top Ten specifically discusses issues for website owners.

This official response has been submitted on behalf of the Open Web Application Security Project (OWASP) by the OWASP Global Industry Committee, following our own consultation process.

OWASP is a worldwide free and open community focused on improving the security of application software. Our mission is to make application security "visible", so that people and organizations can make informed decisions about application security risks. OWASP has three active chapters in the UK:


 * Leeds/North http://www.owasp.org/index.php/Leeds_UK
 * London http://www.owasp.org/index.php/London
 * Scotland http://www.owasp.org/index.php/Scotland

Everyone is free to participate in OWASP and all of our materials are available under a free and open software license. Further information:


 * The Open Web Application Security Project http://www.owasp.org/
 * About The Open Web Application Security Project http://www.owasp.org/index.php/About_OWASP
 * OWASP Global Industry Committee http://www.owasp.org/index.php/Global_Industry_Committee
 * Legislation, standards, guidelines, etc. referencing OWASP http://www.owasp.org/index.php/Industry:Citations

Introduction
This official response has been submitted on behalf of the Open Web Application Security Project (OWASP) by the OWASP Global Industry Committee, following our own consultation process.

Response
'Promoting Business Compliance'

''BC1. Why do businesses not use guidance more often, and what can we do to encourage them to?''

Much guidance is not easy to find, and it often has to be paid for. The OFT should promote access to high-quality free standards, guidance and procedures.

''BC2. How can we make guidance on existing and future consumer protection regulation more accessible and user friendly (for example, are there exemplars we could follow and is there a specific location where guidance should be held such as Directgov, the OFT website, etc)?''

OWASP produces a range of comprehensive, expert-reviewed standards, guidance documents, code libraries and tools for organisations designing, developing and operating websites and web applications. Some key ones are:


 * Top Ten - The Ten Most Critical Web Application Security Risks http://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project
 * Development Guide http://www.owasp.org/index.php/OWASP_Guide_Project
 * Code Review Guide http://www.owasp.org/index.php/OWASP_Code_Review_Guide_Table_of_Contents
 * Testing Guide http://www.owasp.org/index.php/OWASP_Testing_Project
 * Application Security Verification Standard http://www.owasp.org/index.php/Category:OWASP_Application_Security_Verification_Standard_Project
 * Software Assurance Maturity Model http://www.owasp.org/index.php/Category:Software_Assurance_Maturity_Model

All the output is available free of charge to anyone without registration, and printed copies can be bought at cost. The materials are so well regarded that they are referenced by many other national and international standards, such as PCI DSS:


 * Legislation, standards, guidelines, etc. referencing OWASP http://www.owasp.org/index.php/Industry:Citations

Much of the documentation is aimed at development and verification staff, but SAMM is much more aligned with the governance of such matters, and the Top Ten specifically discusses issues for website owners.

About OWASP
OWASP is a worldwide free and open community focused on improving the security of application software. Our mission is to make application security "visible", so that people and organizations can make informed decisions about application security risks. OWASP has three active chapters in the UK:


 * Leeds/North http://www.owasp.org/index.php/Leeds_UK
 * London http://www.owasp.org/index.php/London
 * Scotland http://www.owasp.org/index.php/Scotland

Everyone is free to participate in OWASP and all of our materials are available under a free and open software license. Further information:


 * The Open Web Application Security Project http://www.owasp.org/
 * About The Open Web Application Security Project http://www.owasp.org/index.php/About_OWASP
 * OWASP Global Industry Committee http://www.owasp.org/index.php/Global_Industry_Committee
 * Legislation, standards, guidelines, etc. referencing OWASP http://www.owasp.org/index.php/Industry:Citations
