[Owasp-topten] Maybe the top ten doesn't need (much) revising....
Steven M. Christey
coley at linus.mitre.org
Tue Oct 11 16:19:46 EDT 2005
On Mon, 10 Oct 2005, Ludwig, Andre wrote:
> I must raise the point that we may not want to be associated with the
> continued cheerleading of buzzwords. I feel that it would be in the
> best interests of everybody involved if we could tie those buzzwords to
> the actual root causes of the vulnerabilities (Bo's = input validation,
> XSS = Input validation, etc). While we should mention buzzwords (for
> the PHB's) I think we should attempt to educate those who don't
> understand the root cause of the issues they face.
I like this suggestion. Both are needed because as things such as SQL,
LDAP, CRLF, etc. injection show, just saying "validate your input" is not
sufficient advice in and of itself - but a developer who does this is more
likely to be aware of, and protected against, other unknown but specific
bugs.
- Steve
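Steve's point that "validate your input" is not sufficient on its own is easy to show with SQL, as an added example that is not part of the thread. The code below is illustrative and assumes nothing about the OWASP Top Ten text itself: a permissive but reasonable name validator (letters, spaces and apostrophes, because real names such as O'Brien must pass) is applied in front of two lookups. The first builds the query by string concatenation and the second binds the value as a parameter. A string that passes the validator still changes the meaning of the concatenated query, while the parameterised query treats it as a plain value; the legitimate name O'Brien breaks the concatenated query outright. The table contents and the crafted string are constructed for the demonstration.

```python
import re
import sqlite3


def make_db():
    """Constructed sample data for the demonstration (not from the thread)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "user"), ("bob", "admin"), ("O'Brien", "user")],
    )
    conn.commit()
    return conn


# A generic "validate your input" rule: letters, spaces and apostrophes only.
# Apostrophes have to be allowed because real names contain them.
NAME_RE = re.compile(r"^[A-Za-z' ]{1,40}$")


def is_valid_name(name):
    return bool(NAME_RE.match(name))


def lookup_concat(conn, name):
    """Validated input, but the query is assembled by string concatenation."""
    if not is_valid_name(name):
        raise ValueError("rejected by input validation")
    sql = "SELECT name, role FROM users WHERE name = '" + name + "'"
    return conn.execute(sql).fetchall()


def lookup_param(conn, name):
    """Same validation, but the value is passed as a bound parameter."""
    if not is_valid_name(name):
        raise ValueError("rejected by input validation")
    return conn.execute(
        "SELECT name, role FROM users WHERE name = ?", (name,)
    ).fetchall()


def concat_fails_on(conn, name):
    """True if the concatenated query is a SQL syntax error for this name."""
    try:
        lookup_concat(conn, name)
    except sqlite3.OperationalError:
        return True
    return False


if __name__ == "__main__":
    db = make_db()
    # Constructed string: passes the validator, yet rewrites the WHERE clause
    # so that every row matches.
    crafted = "alice' OR 'x' IS NOT NULL OR 'y"
    print(is_valid_name(crafted), lookup_concat(db, crafted))   # True, all 3 rows
    print(lookup_param(db, crafted))                             # [] (no such name)
    # A legitimate name the validator must accept breaks the concatenated query.
    print(concat_fails_on(db, "O'Brien"), lookup_param(db, "O'Brien"))
```

The validator is doing its job in both functions; what differs is whether the value is kept separate from the SQL grammar. That is the context-specific knowledge (parameter binding for SQL, and the equivalent escaping or API for LDAP filters and HTTP headers) that a generic "validate your input" recommendation does not convey by itself.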