[Owasp-topten] Maybe the top ten doesn't need (much) revising....
edtracy at gmail.com
Fri Oct 7 13:49:40 EDT 2005
On 10/7/05, Chuck <chuck.lists at gmail.com> wrote:
> Hi all,
> I know that we have been talking about revising the top ten for a
> while now on the mailing lists and in my local OWASP meeting (DC-MD),
> but I think I have changed my mind and the list may not need much
> revising, if any.
> One of my main concerns was that there was some overlap in the list
> (input validation vs injection and XSS), but I don't think that this
> is really a big issue. I also fell victim to trying to make the list
> as comprehensive as possible, which should not be its function. It is
> meant to be the "top ten" issues, not all issues in ten categories.
> Unfortunately, there is a bit of an issue because things like the
> PCI standard reference the top ten. So, I think we should create a
> new product that will be a comprehensive list that should be
> referenced by these standards. It could be a list of vulnerabilities
> or it could be a list of countermeasures.
> And rather than start from scratch, I would say we basically
> condense such a list from the excellent OWASP Guide. The guide
> basically says what to do to build a secure web application / web
> service, but it also includes the why you do it and how you do it.
> What I am thinking of is a relatively short document that just has the
> "what to do" (or "what not to do" if it is a list of vulnerabilities)
> and could be referenced instead of the Top Ten by things like the PCI
> standard. This new document would also reference the Guide for more
> information. This new document could also be referenced in
> development contracts, test plans, source code audit plans,
> penetration testing contracts, etc. There are a few names I could
> think of (I am trying to avoid the words "list" or "guide" to prevent
> confusion) and it depends also on how the list is worded, but here are
> some ideas:
> - OWASP Best Practices in Web Security
> - OWASP Standard Web Security Requirements
> - OWASP Comprehensive Web Vulnerabilities Enumeration
> The other good thing about creating this new list is that we can
> then make whatever changes we want to the Top Ten without worrying
> about covering all vulnerabilities or sending the message that
> something is no longer important if it falls off the list. I think
> the Top Ten is valuable in large part because it is specific and
> understandable. What do you all think?