[Owasp-topten] RFI taken out

Dave Ockwell-Jenner doj at primeinfosec.com
Thu Nov 19 13:34:44 EST 2009


I'll make the suggestion :-)

On Thu, 2009-11-19 at 13:32 -0500, Boberski, Michael [USA] wrote:
> PCI and whatnot should realize that what they really need to do is to
> reference ASVS, now that ASVS exists.
>  
> Mike B.
>  
> 
> ______________________________________________________________________
> From: owasp-topten-bounces at lists.owasp.org
> [mailto:owasp-topten-bounces at lists.owasp.org] On Behalf Of Dave
> Ockwell-Jenner
> Sent: Thursday, November 19, 2009 1:27 PM
> To: owasp-topten at lists.owasp.org
> Subject: Re: [Owasp-topten] RFI taken out
> 
> On Wed, 2009-11-18 at 10:00 -0700, Andre Gironda wrote:
> 
> [snip] 
> 
> > OWASP T10 is mostly a marketing tool. What SANS/CWE Top 25 and many
> > other marketing tools don't show is that the problems aren't meant to
> > be solved one-at-a-time. One vulnerability isn't as "prevalent" or
> > "severe" as any other, especially because multiple vulnerabilities are
> > almost always present in any given large web application.
> > 
> 
> It might be mostly a marketing tool, but don't forget that it's
> referenced in the PCI requirements (effectively co-opting the OWASP
> Top 10 into that set of requirements). Those requirements drive huge
> decisions (and impact) for businesses.
> 
> I recognize that the OWASP Top 10 should be shaped with this as a
> constraint, but it's certainly a consideration.
> 
> Cheers,
> Dave. 