Replies: 4 comments
Hello, thanks for the proposal and your message. I can propose to reference your presentation and your repository under this section once we have studied them:
For the CSP tool by itself, we currently do not have the bandwidth to handle (dev + follow-up + maintain) another project in the OSHP ecosystem. However, I can propose that you create a project in your GitHub account to materialize your idea, and if the community finds it interesting over time, we can discuss its integration based on our bandwidth at that time. @riramar What is your point of view on this?
I agree to add repo https://github.com/JGillam/csp-lab under the OSHP Technical Resources tab.
Thanks for reviewing! I will look into building something out as a starting point and let you know.
Feel free to provide us the ref and we will reference it 😉
I have been doing some research on CSP over the past year, including harvesting and analyzing policies across hundreds of thousands of websites (see https://github.com/JGillam/csp-lab). I came up with a ranking system, which I presented in the following deck (you can ignore the company branding, this is my own research):
CSP - Advanced Tactics.pdf
The tl;dr of this is that many CSP implementations appear to be just checkboxes that offer little to no additional security. Most people don't implement it well.
In comparison with tools like Google's CSP Evaluator, I'm trying to develop a rating system that is more comprehensive, covering the entire CSP specification instead of just looking at how it prevents script execution. Then I would like to build a tool for performing this type of evaluation given a CSP, and provide feedback on how to improve a CSP in order to gain a better rating. This would effectively gamify CSP (i.e. make a score).
I'm proposing spinning up a sub-project here to discuss and decide on what that ranking system should actually be (i.e. it doesn't have to be the one I came up with - I would prefer to collaborate with other community members on this). Then I can build the tool for performing the scoring.
Thoughts?
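As an added illustration of the kind of scorer described in the proposal above (example code, not part of csp-lab or the OSHP project), the sketch below parses a Content-Security-Policy header and deducts points for weaknesses beyond script execution, such as missing object-src, base-uri, form-action, frame-ancestors and reporting directives. The check names, point weights and advice strings are constructed for this example, not a published standard.

```python
"""Toy CSP scorer: parse a policy and rate it on more than just script-src."""
import re

# Check name -> (points deducted, advice). Weights are illustrative, not a standard.
CHECKS = {
    "no-script-restriction": (40, "add script-src (or a default-src fallback)"),
    "script-unsafe-inline": (25, "replace 'unsafe-inline' with nonces or hashes"),
    "script-unsafe-eval": (10, "remove 'unsafe-eval'"),
    "script-wildcard": (20, "replace '*' / bare scheme sources with explicit hosts"),
    "object-src-open": (10, "add object-src 'none'"),
    "base-uri-missing": (10, "add base-uri 'none' or 'self'"),
    "form-action-missing": (10, "add form-action to limit where forms may post"),
    "frame-ancestors-missing": (10, "add frame-ancestors to control framing"),
    "no-reporting": (5, "add report-to/report-uri to see violations"),
}

def parse_csp(header: str) -> dict[str, list[str]]:
    """Split 'directive src src; directive ...' into {directive: [sources]}.
    Directive names are case-insensitive; the first occurrence wins, as in browsers."""
    policy: dict[str, list[str]] = {}
    for part in header.split(";"):
        tokens = part.split()
        if tokens and tokens[0].lower() not in policy:
            policy[tokens[0].lower()] = tokens[1:]
    return policy

def score_csp(header: str) -> tuple[int, list[str]]:
    """Return (score 0-100, list of failed check names)."""
    p = parse_csp(header)
    findings: list[str] = []
    script = p.get("script-src", p.get("default-src"))  # script-src falls back to default-src
    if script is None:
        findings.append("no-script-restriction")
    else:
        low = [s.lower() for s in script]
        has_nonce_or_hash = any(re.match(r"'(nonce-|sha(256|384|512)-)", s) for s in low)
        # Browsers ignore 'unsafe-inline' when a nonce or hash is present (CSP level 2+).
        if "'unsafe-inline'" in low and not has_nonce_or_hash:
            findings.append("script-unsafe-inline")
        if "'unsafe-eval'" in low:
            findings.append("script-unsafe-eval")
        if any(s == "*" or re.fullmatch(r"https?:|data:", s) for s in low):
            findings.append("script-wildcard")
    obj = p.get("object-src", p.get("default-src", []))  # object-src also falls back
    if [s.lower() for s in obj] != ["'none'"]:
        findings.append("object-src-open")
    for d in ("base-uri", "form-action", "frame-ancestors"):
        if d not in p:  # these directives never fall back to default-src
            findings.append(f"{d}-missing")
    if "report-to" not in p and "report-uri" not in p:
        findings.append("no-reporting")
    return max(0, 100 - sum(CHECKS[f][0] for f in findings)), findings

def advice(findings: list[str]) -> list[str]:
    """Map failed checks to the remediation hints a scoring tool would show."""
    return [CHECKS[f][1] for f in findings]
```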