[Owasp-leaders] BITS Software Assurance Framework
Colin Watson
colin.watson at owasp.org
Fri Feb 10 17:43:16 UTC 2012
CWE/SANS Top 25 is September 2011:
http://cwe.mitre.org/top25/
The OWASP Top Ten doesn't suggest these are the only 10 risks you
should worry about, and the CWE/SANS doesn't suggest that either.
Colin
On 10 February 2012 15:02, Wong Onn Chee <ocwong at usa.net> wrote:
> Hi Antonio,
>
> Interesting viewpoint.
>
> However, if my memory did not fail me, OWASP Top 10 2010 is nearly 2
> years old while SANS Top 25 was last updated in June 2010
> (https://www.sans.org/top25-software-errors/).
>
> Hence, I doubt they are referring to the age of the Top 10 or 25 lists.
>
> I am more concerned that they are viewing our basis as obsolete and as
> being of "an earlier generation of software security intelligence".
>
> Regards
> Onn Chee
>
> On 10/02/2012 20:20, AF wrote:
>> Just to make sure about the question: are we discussing how they
>> formulated this in the framework (shape) or the fact that the appsec
>> research material used for the two referenced documents might be 5-6
>> years old (content)?
>>
>> Antonio
>>
>> On 10.02.2012 13:15, Colin Watson wrote:
>>> Onn Chee
>>>
>>> I wondered if it meant organisations should be paying for some vendors
>>> services, but I hope that isn't the case. It did seem a strange thing
>>> to say in the framework.
>>>
>>> Colin
>>>
>>> On 10 February 2012 11:51, Wong Onn Chee <ocwong at usa.net> wrote:
>>>> Hi folks,
>>>>
>>>> Read this:
>>>>
>>>> "And on page 36 in the section relating to emerging threats in the
>>>> post-implementation phase controls, there is a comment relating to the OWASP
>>>> Top Ten and CWE/SANS Top 25 which seems out of kilter with the rest of the
>>>> framework's text. The document states these as being valuable sources of
>>>> information but "both represent an earlier generation of software security
>>>> intelligence"."
>>>>
>>>> (Source:
>>>> http://www.clerkendweller.com/2012/2/5/BITS-Software-Assurance-Framework)
>>>>
>>>> Actual text in BITS doc:
>>>>
>>>> "All of these controls today are based on either OWASP Top 10 or SANS
>>>> Top 25 Application Programming Errors. Both sources are valuable, but
>>>> both represent an earlier generation of software security intelligence.
>>>> They represent commonly exploited vulnerabilities across the Web
>>>> landscape for all organizations and they have had a profound effect on
>>>> improving software security programs over the past 5-6 years."
>>>>
>>>> (Source: www.bits.org/publications/security/BITSSoftwareAssurance0112.pdf)
>>>>
>>>> What are your views on this?
>>>>
>>>> I wonder how BITS came up with this conclusion.
>>>>
>>>> --
>>>>
>>>> Best Regards
>>>> Onn Chee
>>>> Singapore Chapter Lead
>>>>
>>>>
>>>> _______________________________________________
>>>> OWASP-Leaders mailing list
>>>> OWASP-Leaders at lists.owasp.org
>>>> https://lists.owasp.org/mailman/listinfo/owasp-leaders
>>>>