In the cybersecurity community, the OWASP Top 10 Project is something of a touchstone. An open-source list of “the most critical web application security flaws,” it represents a consensus of experts as to what threats organizations should be most concerned with as they go about developing their projects.
It is “Security by Design” to match the privacy world’s Privacy by Design, but it offers specifics. When you click on “Unvalidated Redirects and Forwards,” it describes exactly what the threat is, how it could be used to harm your organization and your customers, and what steps you should take to guard against it.
There are details. And the project, first developed in 2007 by the Open Web Application Security Project and refreshed in 2010 and 2013, has been translated into seven of the world’s major languages, so it is a truly global tool.
Sound like something privacy pros could use?
Well, Florian Stahl, CIPP/IT, thought so, too. So, this month, he has launched the OWASP Top 10 Privacy Risks Project, and he’s looking for help.
“The aim,” said Stahl, who works as an information security consultant for MSG Systems, in Munich, Germany, “is to build a top 10 list of risks—not only technical risks but organizational risks, like lack of transparency and concepts like that. And in the end, it should help people with developing web applications, or a social network, whatever they’re building. What things are important?”
Much of the focus will be technical—the “how” of privacy in web application development—but “we’re not solely looking for technical people,” he said. “It helps if they have both a law and technical background, but it’s also about policy, organizational risk, open communication and all of those things.”
Ultimately, though, “in the private sector, there’s a lack of technical guidelines in how to implement privacy into products, and that will be the value of the OWASP project, that we get some more practical guidance.”
Currently, Stahl is working with Stefan Burgmair, a Master’s student at Munich’s University of Applied Sciences, and they’re very much in the recruiting stage. First up is the development of a questionnaire, which should be available in “one or two months,” and just the general sketching out of the best way to develop the initial Top 10 list.
“If the contribution is only telling your friends,” Stahl emphasized, “that’s a good contribution, too.”
If you’d like to get involved, contact Stahl directly. He hopes to have an initial product at some point this summer and to present the findings at an IAPP conference later this year.
Lend him a hand, eh?