[Owasp-topten] Outsider's View of Top Ten

Ed Tracy edtracy at gmail.com
Fri Oct 14 10:35:23 EDT 2005 

ooh, can o worms!
 I hear your points, but I'd like to talk about something different. You're
talking about moving forward. But not everyone seems to be on board for
that. Not everyone thinks it's broken. You saw the other night, we had to
argue with Jeff to tell him we thought the top ten is creating problems.
 I have a more formal view on security than most people, and I'm not
statisfied with the top ten being misused because of it.
 So, right now I am going to sit around and cry about it. I don't think
anything we put together will be adopted (e.g. sold to visa) unless Jeff,
Dave, and a few other key players are involved.
 -ed
 On 10/13/05, Ludwig, Andre <ludwiga at fortrex.com> wrote:
>
>  Ed,
>
>  I think the root cause of this is the inability of OWASP to provide the
> community as a whole with the "products" that it needs and desires. I feel
> the adoption of the OWASP Top Ten by VISA for the PCI-DSS standard is a
> prime example of this. Simply stated, Visa didn't have much of a choice. The
> T10 is the closet thing to an audit list for application security that is
> out there today. We should see this misuse not as a negative force but as a
> positive motivating force that only reinforces what we have been preaching
> all along. "The need for application security awareness"
>
>
 If there wasn't such a need for an organization as OWASP, Visa would have
> created a custom "check list for application security" and not adopted
> OWASP's T10. We should see this misuse for what it is: a market that is
> STARVING for products. Products such as the Top Ten and the Web App guide
> ARE sorely needed, awareness for application level security is needed, all
> of this stuff is needed; we just need to figure out what products fit the
> market spaces we want to attack and then move on them. I, for one, see the
> use of the T10 by VISA as a call for a REAL auditing checklist for web
> application security. We all know the top 10 is NOT technical, we all know
> what it should be used for, and we all know people misuse it. So what are we
> going to do about it? Sit here and cry about how no one understands what the
> top ten is supposed to be used for? Or are we going to produce something
> that fills the needs of those people who warp it to their fancy because
> there is nothing else out there?
>
>  I think that if we can have a few more people step up to the plate, we
> could produce a proper auditing check list that would fill the needs of
> several organizations both small and large.
>
>  Think of it like any of the current DRM/encryption schemes around; no
> matter what the product is intended for, if it comes close but does not
> perfectly satisfy a user's needs, they will modify the product to fit their
> needs or they will go elsewhere.
>
>  We should be building on the success and hard work of Andrew on the
> application guide; there is a lot of momentum and work that can be drawn
> from it and put into an auditing checklist.
>
>  Andre Ludwig
>
>   ------------------------------
>
> *From:* Ed Tracy [mailto:edtracy at gmail.com]
> *Sent:* Thursday, October 13, 2005 3:29 PM
> *To:* owasp-topten at lists.sourceforge.net; Jeff Williams; Dave Wichers
> *Subject:* [Owasp-topten] Outsider's View of Top Ten
>
>    Ouch! I wanted to relay these comments from a BAH employee (with
> permission) who is not affiliated with OWASP as all of us are. This came
> from an internal discussion on getting a corporate membership at OWASP. It
> really validates the perspective that has caused me to want the top ten to
> change (or its role to change):
>
> "How much visibility does OWASP really have in the community? I'm always
> surprised at the various SW Assurance working groups and conferences I
> attend to discover how little name recognition they have. And among those
> who DO recognise the name, there seems to be more resentment of the OWASP
> Top 10 than respect for the organisation - mainly because the Top 10 have
> been misused by too many organisations. Not OWASP's fault, but unfortunately
> they get the blame.
>
> In summary - will having our name affiliated with OWASP help or hurt us
> among our customers and potential customers?"
>
> -ed
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.owasp.org/pipermail/owasp-topten/attachments/20051014/789b86b1/attachment.html

More information about the Owasp-topten mailing list