[Owasp-topten] Outsider's View of Top Ten
Ed Tracy
edtracy at gmail.com
Wed Oct 26 10:38:35 EDT 2005
Ahhh! Where were you last month? Just kidding. I tried doing this last
month, but I was the only one to put content into the "survey." I was trying
to prepare it for the conference with plans to distribute to the chapters as
well.
Granted, my survey was more about the focus and goals of the top ten, but
some of us were talking about putting specific issues on there. That would
have been a poll identical to the one you're suggesting. I thought it was a
good idea, but some people rejected it so hard that I didn't bother pushing
it. It would be nice to put the Open in Owasp, and reflect the opinions of
the community.
I'm not going to do it again. All I got was criticism, no one actually
participated to make it better. If you'd like to try it, that's great. I'll
support it.
-ed
On 10/26/05, Ofer Shezaf <Ofer.Shezaf at breach.com> wrote:
>
> Ed,
>
> I think that a key point in Sebastien's e-mail is that it should be clear
> as to how we got to the OWASP top 10 (in other words, not make it just a
> personal pick). As you asked for suggestions, my suggestion is a poll. We
> will draft a list and then poll the community for the list. In order not to
> make it an open web poll, which people tend to discount, we can poll
> specific audiences such as the OWASP chapters and the OWASP conference
> attendees.
>
> Thanks
>
> ~ Ofer
>
> Ofer Shezaf
>
> OWASP Israel Chair
>
> http://www.owasp.org/local/israel.html
>
> CTO, Breach Security
>
> Phone (US): +1 (760) 268.1924 ext. 702
>
> Phone (Israel): +972 (9) 956.0036 ext.212
>
> Cell: +972 (54) 443.1119
> *ofers at breach.com*
> http://www.breach.com
>
> ------------------------------
>
> *From:* owasp-topten-admin at lists.sourceforge.net [mailto:
> owasp-topten-admin at lists.sourceforge.net] *On Behalf Of *Ed Tracy
> *Sent:* Monday, October 24, 2005 6:04 PM
> *To:* Sebastien Deleersnyder
> *Cc:* owasp-topten at lists.sourceforge.net
> *Subject:* Re: [Owasp-topten] Outsider's View of Top Ten
>
> I agree with most of your ideas, Sebastien.
>
> I think we're ready to decide on work areas. I've responded inline...
>
> On 10/23/05, *Sebastien Deleersnyder* <sebastien.deleersnyder at ascure.com>
> wrote:
>
> Ludwig,
>
> What you are talking about is the OWASP Testing guide, it should indeed
> provide the basis for an audit (or better assessment).
>
> Unfortunately VISA took the top 10 and "abused" it as a basis for testing
> security.
>
> In my opinion, and this is also a reality, the OWASP top 10 is an
> awareness product.
>
> It should thus:
>
> Yes, awareness! And awareness only. It should go so far as to disclaim
> its purpose and limitations.
>
>
> 1) be "shocking" and appealing for people who have no idea of the inner
> workings of web applications behind their Internet Explorer
>
> Sure.
>
>
> 2) reflect the most and worst web app sec threats (and exploited
> vulnerabilities) of today on real web applications
>
> Sure. But, how do you feel about Input Validation being on the list?
>
>
> For me this means that OWASP should at least yearly review and update
> the OWASP top 10 as a "publicity" product.
>
>
> It should thus also be pushed to OWASP members and it should be very
> clear how we come to the updated top 10.
>
> The real challenge is doing this without the usual FUD.
>
> Are you suggesting metrics?
>
> The Building Guide and the Testing Guide should be follow-up products
> for people who want to react upon the OWASP top 10.
>
> The main questions stay open since Mark started the discussion in June.
>
> First define the scope of the OWASP top 10:
>
> a) awareness
>
> b) list of issues to improve
>
> d) list of issues to audit
>
> c) something else?
>
> The input validation/xss issue should be improved. Perhaps remove input
> validation.
>
> Add phishing.
>
> Then what target audience are we talking about:
>
> CIO/CSO or tech-heads?
>
> InfoSec or development people?
>
> CXO's not developers.
>
> Then decide: does it need updating?
>
> And if it does need updating: what frequency?
>
> Yes, needs updating. No set frequency.
>
> The next step would then be:
>
> how do we update it in a transparent way? I get a lot of questions like:
> how did OWASP make up the list?
>
> what steps/ resources are necessary?
>
> If we (OWASP) need to do something on a frequent base with the Top 10: do
> we need a version 2005?
>
> If yes: quick action is necessary.
>
> I would suggest releasing a new version in January.
>
> In addition to updating the doc, owasp needs to release a standard for
> organizations like VISA and the FTC to reference. Then, owasp needs to talk
> to those organizations and attempt to get them to use the "standard" instead
> of the "awareness" document.
>
> -ed
>
>
>