The Open Web Application Security Project (OWASP) is working on a potential framework for evaluating and certifying Websites as secure, including the criteria that would entail. The project is still in progress and not quite ready for prime time, but the goal is to provide a framework for certifying the security of a site's apps, which entails much more than just the usual vulnerability scan.
"A black box scan doesn't mean a site is secure," says Dinis Cruz, OWASP's technology evangelist and project coordinator for the so-called Web Security Application Certification Framework Project.
Several commercial certifications already exist, including ScanAlert's Hacker Safe, and ControlScan, which indicate that a site has been vulnerability-scanned. And the Extended Validation SSL (EV SSL) moniker, championed by digital certificate vendors such as VeriSign and Cybertrust, helps verify that a site is legitimate. (See Are 'Sealed' Websites Any Safer?).
But security experts say today's Good Housekeeping-style seals of approval aren't enough. "The fact is that in this day and age, the VeriSign logo and the lock icon in your browser just don't cut it," says Caleb Sima, CTO of SPI Dynamics.