[Owasp-topten] OWASP Top Ten Possible Changes (long)

Chuck chuck.lists at gmail.com
Tue Jul 26 13:07:30 EDT 2005


Hi all,

We discussed updating the Top Ten list at the OWASP-Washington meeting
last week and that has had me thinking about it.  I think that there
are a couple of issues that could be addressed, so I decided to put them
down and see what others think.  This is a work in progress, so please
respond if you like it or think I am off base.

I know a lot of people are probably on their way to Vegas today so I
don't expect much discussion this week, but maybe next week.  I'll be
at DefCon, so maybe I'll see some of you out there.

For reference, here is the current Top Ten:
A1 Unvalidated Input
A2 Broken Access Control
A3 Broken Authentication and Session Management
A4 Cross Site Scripting (XSS) Flaws
A5 Buffer Overflows
A6 Injection Flaws
A7 Improper Error Handling
A8 Insecure Storage
A9 Denial of Service
A10 Insecure Configuration Management


Issue: A1 overlaps with A4, A5, and A6.
Possible Solution: I think we should either eliminate A4, A5, and A6
or eliminate A1.  I prefer to eliminate A4-A6 to make room for more
vulnerabilities.


Issue: A2 and A3 include a lot of different issues.



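As an added illustration of the A1 / A4 / A6 overlap raised above (this is example code written for this page, not part of the original post or anything from OWASP), the script below feeds one constructed request parameter into both an HTML sink and a SQL sink. The same unvalidated value reflects as script in the page and alters the query, which is why "Unvalidated Input" ends up describing the same defects as the XSS and Injection entries. The helper names, the sample user table and the payload string are all assumptions made up for the demonstration.

```python
import html
import sqlite3

# Constructed sample data for the demonstration (not from the post).
SAMPLE_USERS = [("alice", "user"), ("bob", "admin")]

# Constructed payload that is both an XSS vector (HTML tag with an event
# handler) and a SQL injection vector (quote plus OR clause).
PAYLOAD = "<b onmouseover=alert(1)>x</b>' OR '1'='1"


def make_db():
    """Return an in-memory SQLite database holding SAMPLE_USERS."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    return conn


def lookup_unsafe(conn, name):
    """A6-style sink: the parameter is spliced into the SQL text."""
    query = f"SELECT name, role FROM users WHERE name = '{name}'"
    return conn.execute(query).fetchall()


def greet_unsafe(name):
    """A4-style sink: the parameter is reflected into HTML unencoded."""
    return f"<p>Hello, {name}</p>"


def lookup_safe(conn, name):
    """Same query with a bound parameter; the value can never be SQL."""
    query = "SELECT name, role FROM users WHERE name = ?"
    return conn.execute(query, (name,)).fetchall()


def greet_safe(name):
    """Same page with HTML entity encoding; the value can never be markup."""
    return f"<p>Hello, {html.escape(name, quote=True)}</p>"


def is_valid_username(name):
    """A1-style input validation: a short, ASCII, alphanumeric allowlist."""
    return 1 <= len(name) <= 32 and name.isascii() and name.isalnum()


def handle_request(name):
    """Run one parameter through both sinks, with and without the fixes.

    Returns a dict so the effect on each sink can be inspected side by side.
    """
    conn = make_db()
    result = {
        "input_valid": is_valid_username(name),
        "unsafe_rows": lookup_unsafe(conn, name),
        "unsafe_html": greet_unsafe(name),
        "safe_rows": lookup_safe(conn, name),
        "safe_html": greet_safe(name),
    }
    conn.close()
    return result


if __name__ == "__main__":
    for key, value in handle_request(PAYLOAD).items():
        print(f"{key}: {value!r}")
```

Run it and the unsafe query returns every row (the OR clause is now part of the SQL) while the unsafe page contains a live `<b onmouseover=...>` tag; the parameterised query returns nothing and the encoded page shows the payload as text. The allowlist check rejects the input before it reaches either sink, which is the A1 view of the same two defects.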