[Global_industry_committee] OWASP Top 10 Release Candidate - Feedback / Remark / Question to Top 6

David Campbell dcampbell at owasp.org
Fri Apr 16 10:16:25 EDT 2010


Guys,

I've been doing a lot of PA-DSS work lately and the linkage to OWASP is very strong.

Nice work!

Dc


On Apr 16, 2010, at 2:10, Georg Heß <georg.hess at artofdefence.com> wrote:

> Christian,
>
> in principle and theory I agree with all you are saying.
>
> However, in real life I think we have to accept - at least I do - that
> having PCI DSS referencing directly to OWASP is one of the biggest
> successes of OWASP - in terms of visibility and credibility... and still
> the best "showcase" of an interaction of OWASP with industry bodies.
>
> So, also from an "in principle" aspect, this relationship is far from
> being perfect; we are working hard to get something like this "copied" to
> other industry groups ... like Cloud Security Alliance ... or even legal
> bodies...
>
> And that's exactly my main reason why I believe we should focus our
> message to the "external" work on "application layer ONLY"....
>
> Just my 2 cents...
>
> Georg
>
>
> -- 
> Dr. Georg Hess (CEO) - georg.hess at artofdefence.com
> T: +49 (0)941 604 889 58  M: +49 (0)170 575 3154  F: +49 (0)941 604 889 837
>
> art of defence GmbH, Bruderwöhrdstr 15b, 93055 Regensburg, Germany
> ------------------------------------------------------------------------
> Amtsgericht Regensburg HRB 9708
> Managing Directors: Dr. Georg Heß, Alexander Meisel
> ------------------------------------------------------------------------
>
> Christian Heinrich wrote:
>> Georg,
>>
>> This T10 entry was included in the 2004 Release.
>>
>> I believe it should be referenced (I believe this is mentioned in ASVS
>> also but I have checked and hence could be wrong) but the point of
>> contention is if it is actually a business risk?
>>
>> I believe the answer to this question is yes considering the damage
>> caused by "continued access".
>>
>> The PCI SSC misquotes the T10 as the "OWASP Guide" in both their PCI
>> DSS and PA-DSS publications. Also their instruction related to the
>> Cardholder Data Environment is flawed when considered in the context of
>> Heartland.
>>
>> On Wed, Apr 14, 2010 at 10:36 PM, Georg Heß <georg.hess at artofdefence.com> wrote:
>>> Dave,
>>>
>>> I know that this feedback is very late .. but I am writing it anyway...
>>>
>>> When I prepared my "What shall I say about the details of the new OWASP
>>> Top 10.." I realized that I am not very confident with the current
>>> version of the NEW OWASP Top 6 - Security Misconfiguration.
>>>
>>> The main reason is that it includes quite a bit of "network layer"
>>> topics, too.
>>>
>>> In general, I absolutely agree that this topic is important.
>>>
>>> However, I think we will have some challenges - that we want to avoid -
>>> with other industries including the OWASP Top 10 - like PCI DSS - under
>>> the assumption that they ONLY cover the web application layer.
>>>
>>> PCI DSS has - as you know - separate sections on network security and
>>> patch management etc...
>>>
>>> Maybe, this is all "old stuff" for you already...
>>>
>>> I did not follow in detail the "release candidate feedback period"..
>>>
>>> In my opinion, it would be great to "restrict" this topic to the
>>> application layer...
>>
> _______________________________________________
> Global_industry_committee mailing list
> Global_industry_committee at lists.owasp.org
> https://lists.owasp.org/mailman/listinfo/global_industry_committee