[Owasp-topten] Outsider's View of Top Ten

Ofer Shezaf Ofer.Shezaf at breach.com
Wed Oct 26 12:21:56 EDT 2005


 

Sorry. 

 

I held it in my inbox for a long time, and then decided that the issue
of the goals of the top 10 was too complex for surveying. I should have
said it out loud instead of just deleting the e-mail eventually. I still
feel, by the way, that a poll of the top 10 from a list we prepare (such
as the one prepared by Andrew) would help in making it more "real". At the
least it would help with ordering.

 

~ Ofer

 

Ofer Shezaf

OWASP Israel Chair

http://www.owasp.org/local/israel.html

 

CTO, Breach Security

Phone (US): +1 (760) 268.1924 ext. 702

Phone (Israel): +972 (9) 956.0036 ext.212

Cell: +972 (54) 443.1119
ofers at breach.com
http://www.breach.com

 

________________________________

From: Ed Tracy [mailto:edtracy at gmail.com] 
Sent: Wednesday, October 26, 2005 4:39 PM
To: Ofer Shezaf
Cc: Sebastien Deleersnyder; owasp-topten at lists.sourceforge.net
Subject: Re: [Owasp-topten] Outsider's View of Top Ten

 

Ahhh! Where were you last month? Just kidding. I tried doing this last
month, but I was the only one to put content into the "survey." I was
trying to prepare it for the conference with plans to distribute to the
chapters as well. 

 

Granted, my survey was more about the focus and goals of the top ten,
but some of us were talking about putting specific issues on there. That
would have been a poll identical to the one you're suggesting. I thought
it was a good idea, but some people rejected it so hard that I didn't
bother pushing it. It would be nice to put the Open in OWASP, and
reflect the opinions of the community.

 

I'm not going to do it again. All I got was criticism, no one actually
participated to make it better. If you'd like to try it, that's great.
I'll support it.

 

-ed


 

On 10/26/05, Ofer Shezaf <Ofer.Shezaf at breach.com> wrote: 

 

Ed,

 

I think that a key point in Sebastien's e-mail is that it should be
clear as to how we got to the OWASP top 10 (in other words, not make it
just a personal pick). As you asked for suggestions, my suggestion is a
poll. We will draft a list and then poll the community for the list. In
order not to make it an open web poll, which people tend to discount, we
can poll specific audiences such as the OWASP chapters and the OWASP
conference attendees. 

 

Thanks,

~ Ofer


________________________________

From: owasp-topten-admin at lists.sourceforge.net
[mailto:owasp-topten-admin at lists.sourceforge.net] On Behalf Of Ed Tracy
Sent: Monday, October 24, 2005 6:04 PM
To: Sebastien Deleersnyder 
Cc: owasp-topten at lists.sourceforge.net
Subject: Re: [Owasp-topten] Outsider's View of Top Ten

 

I agree with most of your ideas, Sebastien. 

 

I think we're ready to decide on work areas. I've responded inline...

 

On 10/23/05, Sebastien Deleersnyder <sebastien.deleersnyder at ascure.com> wrote:

	Ludwig,

	 

	What you are talking about is the OWASP Testing Guide; it should
indeed provide the basis for an audit (or better, an assessment).

	Unfortunately VISA took the top 10 and "abused" it as a basis for
testing security.

	 

	In my opinion, and this is also a reality, the OWASP top 10 is
an awareness product.

	It should thus:

 

Yes, awareness! And awareness only. It should go so far as to disclaim
its purpose and limitations.


 

	1) be "shocking" and appealing for people who have no idea of
the inner workings of web applications behind their Internet Explorer 

 

Sure.


 

	2) reflect the most and worst web app sec threats (and exploited
vulnerabilities) of today on real web applications 

 

Sure. But, how do you feel about Input Validation being on the list?


 

	For me this means that OWASP should at least yearly review and
update the OWASP top 10 as a "publicity" product. 

 


 

	It should thus also be pushed to OWASP members and it should be
very clear how we come to the updated top 10. 

	The real challenge is doing this without the usual FUD.

 

Are you suggesting metrics? 

 

	The Building Guide and the Testing Guide should be follow-up
products for people who want to react upon the OWASP top 10. 

	 

	The main questions stay open since Mark started the discussion
in June.

	 

	First define the scope of the OWASP top 10:

	a) awareness

	b) list of issues to improve

	c) list of issues to audit

	d) something else?

 

The input validation/xss issue should be improved. Perhaps remove input
validation. 

Add phishing.

	 

	 

	Then what target audience are we talking about:

	CIO/CSO or tech-heads?

	InfoSec or development people?

 

CXOs, not developers.

 

	 

	Then decide: does it need updating?

	And if it does need updating: what frequency?

 

Yes, needs updating. No set frequency.

	 

	 

	The next step would then be:

	how do we update it in a transparent way? I get a lot of
questions like: how did OWASP make up the list?

	what steps/ resources are necessary?

	 

	If we (OWASP) need to do something on a frequent basis with the
Top 10: do we need a version 2005?

	If yes: quick action is necessary.

 

I would suggest releasing a new version in January.

 

In addition to updating the doc, OWASP needs to release a standard for
organizations like VISA and the FTC to reference. Then, OWASP needs to
talk to those organizations and attempt to get them to use the
"standard" instead of the "awareness" document.

 

-ed

