OWASP Foundation to help government, electronic voting, defence, and critical infrastructure ISVs and contractors to modernize, collaborate, and secure their software and secure their supply chain


Andrew van der Stock

Thursday, May 13, 2021

With the announcement today of the US Government’s Executive Order on “Improving the Nation’s Cybersecurity”, OWASP is working to establish vendor-neutral special interest groups to help organizations securely share information and rapidly adopt and adapt existing OWASP standards, projects, and tools, such as the OWASP Application Security Verification Standard, the OWASP Mobile Testing Guide, OWASP Dependency Track (to help secure the software supply chain), OWASP SAMM, and the OWASP Cheat Sheet Series. Adopting OWASP standards and tooling can help government agencies, contractors, and vendors comply with the EO today, drawing on 20 years of OWASP’s trusted advice that already exists and is ready to use. There is more to be built, which is why we want to help industry, vendors, contractors, and agencies work together to improve the applicability of these standards to their particular use cases.

As this is just the start, we will be building out and seeking funding for a range of other initiatives to:

  • Work with affected organizations to help them rapidly adopt OWASP’s standards, such as the ASVS, to cover the immediate requirements of the Executive Order
  • Work with our project leaders and organizations to adapt our existing standards to meet the needs of government, defence, electronic voting, health, and critical infrastructure application security
  • Work with the OWASP Education and Training Committee to seek financial grants to rapidly deliver training syllabi, frameworks, and certifications to train and certify the development teams who are building the USA’s (and often, the world’s) critical infrastructure, government, defence, and voting systems
  • Build out OWASP’s capacity to securely host communities of interest that may have significant anti-trust concerns, such as competitors, or vendors and buying organizations, collaborating together with strong integrity controls and in a transparent fashion. Sharing information is a critical aspect of the Executive Order, and OWASP can provide a vendor-neutral setting for many different organizations to communicate and collaborate.

OWASP’s mission is to improve the state of software security, and we are here to make this a reality. If you are affected by the Executive Order and need a safe space to collaborate with like firms, vendors, and the industry more generally, OWASP will be rapidly adopting a robust anti-trust policy along with secure communication protocols to allow vendors, contractors, organizations, and developers to communicate securely, get trained, and eventually become certified.

OWASP encourages other standards-setting bodies, such as ISO and NIST, and industry standards bodies, such as the Cloud Security Alliance and PCI, to work together to ensure that we have a common understanding of risks, developing the newly formed Common Requirements Enumeration (CRE) framework with common verifications. This helps prevent developers from building to the “lowest common denominator”, or doing double or triple the work slapping bandaids all over their code to cover the same requirements from multiple standards.

OWASP is seeking financial grants to get the most needed missing elements rapidly built by the experts who have already put together a comprehensive set of standards and projects, and to ensure that our standards are fit for every proposed purpose. In the early days, application security was driven by the fintech industry, and whilst that was a solid start, it doesn’t necessarily cover the requirements of voting machines, health systems, government regulations, and more.

I’m really looking forward to OWASP making a huge impact, and seeing our reform process at work to get the state of application security in government contractors and agencies improved. For more information, please reach out to me or to our Director of Projects and Technology, Harold Blankenship. More soon!

Andrew van der Stock
Executive Director, OWASP Foundation