[Global_industry_committee] OWASP Top 10 Release Candidate - Feedback / Remark / Question to Top 6

Georg Heß georg.hess at artofdefence.com
Thu Apr 15 05:13:22 EDT 2010


thank you very much for your fast response.

Great to hear that you deemphasized the network stuff a little ...
and I agree that one can have slightly different ideas on what the OWASP
Top10 should cover... and OS patches and everything else are important.

I just thought - and still think - that it might make it a little bit
more difficult to easily include the OWASP Top10 into other compliance
frameworks if we even "touch" the network layer...

Great work!


Dr. Georg Hess (CEO) - georg.hess at artofdefence.com
T:+49 (0)941 604 889 58  M:+49 (0)170 575 3154  F:+49 (0)941 604 889 837

art of defence GmbH, Bruderwöhrdstr 15b, 93055 Regensburg, Germany
Amtsgericht Regensburg HRB 9708
Dr. Georg Heß, Alexander Meisel

Dave Wichers wrote:
> Network layer issues, mainly the OS itself, are mentioned, but the primary
> focus is on the rest of the application stack from the web server/app server
> on up to the custom code. We deemphasized the network stuff a little, by
> dropping references to firewalls and such. However, I don't think mentioning
> OS patches should be entirely dropped and good network architecture should
> be entirely dropped.
> -Dave
> -----Original Message-----
> From: Georg Heß [mailto:georg.hess at artofdefence.com] 
> Sent: Wednesday, April 14, 2010 8:36 AM
> To: Dave Wichers
> Cc: Global_industry_committee at lists.owasp.org
> Subject: OWASP Top 10 Release Candidate - Feedback / Remark / Question to
> Top 6
>
> Dave
>
> I know that this feedback is very late .. but I am writing it anyway...
>
> When I prepared my "What shall I say about the details of the new OWASP
> Top 10.."  I realized that I am not very confident with the current
> version of the NEW OWASP Top 6 - Security Misconfiguration.
> The main reason is that it includes quite a bit of "network layer"
> topics, too.
> In general, I absolutely agree that this topic is important.
> However, I think we will have some challenges - that we want to avoid -
> with other industries including the OWASP Top 10 - like PCI DSS - under
> the assumption that they ONLY cover the web application layer.
> PCI DSS has - as you know - separate sections on network security and
> patch management etc...
> Maybe, this is all "old stuff" for you already...
> I did not follow in detail the "release candidate feedback period"..
> In my opinion, it would be great to "restrict" this topic to the
> application layer...
> All the best,
> Georg
