[Global_industry_committee] OWASP Top 10 Release Candidate - Feedback / Remark / Question to Top 6

Dave Wichers dave.wichers at owasp.org
Wed Apr 14 22:00:22 EDT 2010


Network layer issues, mainly the OS itself, are mentioned, but the primary
focus is on the rest of the application stack from the web server/app server
on up to the custom code. We deemphasized the network stuff a little, by
dropping references to firewalls and such. However, I don't think mentioning
OS patches and good network architecture should be entirely dropped.

-Dave

-----Original Message-----
From: Georg Heß [mailto:georg.hess at artofdefence.com] 
Sent: Wednesday, April 14, 2010 8:36 AM
To: Dave Wichers
Cc: Global_industry_committee at lists.owasp.org
Subject: OWASP Top 10 Release Candidate - Feedback / Remark / Question to
Top 6

Dave

I know that this feedback is very late .. but I am writing it anyway...

When I prepared my "What shall I say about the details of the new OWASP
Top 10.."  I realized that I am not very confident with the current
version of the NEW OWASP Top 6 - Security Misconfiguration.

The main reason is that it includes quite a bit of "network layer"
topics, too.

In general, I absolutely agree that this topic is important.

However, I think we will have some challenges - that we want to avoid -
with other industries including the OWASP Top 10 - like PCI DSS - under
the assumption that they ONLY cover the web application layer.

PCI DSS has - as you know - separate sections on network security and
patch management etc...

Maybe, this is all "old stuff" for you already...

I did not follow in detail the "release candidate feedback period"..

In my opinion, it would be great to "restrict" this topic to the
application layer...


All the best,
Georg



-- 
Dr. Georg Hess (CEO) - georg.hess at artofdefence.com
T:+49 (0)941 604 889 58  M:+49 (0)170 575 3154  F:+49 (0)941 604 889 837

art of defence GmbH, Bruderwöhrdstr 15b, 93055 Regensburg, Germany
------------------------------------------------------------------------
Amtsgericht Regensburg HRB 9708
Managing Directors:
Dr. Georg Heß, Alexander Meisel
------------------------------------------------------------------------


