[Global_industry_committee] OWASP Top 10 Release Candidate - Feedback / Remark / Question to Top 6

Yiannis Pavlosoglou yiannis at owasp.org
Thu Apr 15 05:16:51 EDT 2010


Excellent!

I feel this is a discussion we will be having with Georg and Alexander over
InfoSec here in London in a couple of weeks' time.

It would be good to have you guys in town!

On 15 April 2010 09:13, Georg Heß <georg.hess at artofdefence.com> wrote:

> Dave
>
> thank you very much for your fast response.
>
> Great to hear that you deemphasized the network stuff a little ...
> and I agree that one can have slightly different ideas on what the OWASP
>  Top10 should cover... and OS patches and everything else are important.
>
> I just thought - and still think - that it might make it a little bit
> more difficult to easily include the OWASP Top10 into other compliance
> frameworks if we even "touch" the network layer...
>
> Great work!
>
> Georg
>
>
>
> --
> Dr. Georg Hess (CEO) - georg.hess at artofdefence.com
> T:+49 (0)941 604 889 58  M:+49 (0)170 575 3154  F:+49 (0)941 604 889 837
>
> art of defence GmbH, Bruderwöhrdstr 15b, 93055 Regensburg, Germany
> ------------------------------------------------------------------------
> Amtsgericht Regensburg HRB 9708
> Geschäftsführer:
> Dr. Georg Heß, Alexander Meisel
> ------------------------------------------------------------------------
>
> Dave Wichers wrote:
> > Network layer issues, mainly the OS itself, are mentioned, but the
> > primary focus is on the rest of the application stack from the web
> > server/app server on up to the custom code. We deemphasized the network
> > stuff a little, by dropping references to firewalls and such. However, I
> > don't think mentioning OS patches should be entirely dropped and good
> > network architecture should be entirely dropped.
> >
> > -Dave
> >
> > -----Original Message-----
> > From: Georg Heß [mailto:georg.hess at artofdefence.com]
> > Sent: Wednesday, April 14, 2010 8:36 AM
> > To: Dave Wichers
> > Cc: Global_industry_committee at lists.owasp.org
> > Subject: OWASP Top 10 Release Candidate - Feedback / Remark / Question to
> > Top 6
> >
> > Dave
> >
> > I know that this feedback is very late, but I am writing it anyway...
> >
> > When I prepared my "What shall I say about the details of the new OWASP
> > Top 10..." I realized that I am not very confident with the current
> > version of the NEW OWASP Top 6 - Security Misconfiguration.
> >
> > The main reason is that it includes quite a bit of "network layer"
> > topics, too.
> >
> > In general, I absolutely agree that this topic is important.
> >
> > However, I think we will have some challenges - that we want to avoid -
> > with other industries including the OWASP Top 10 - like PCI DSS - under
> > the assumption that they ONLY cover the web application layer.
> >
> > PCI DSS has - as you know - separate sections on network security and
> > patch management etc...
> >
> > Maybe, this is all "old stuff" for you already...
> >
> > I did not follow in detail the "release candidate feedback period".
> >
> > In my opinion, it would be great to "restrict" this topic to the
> > application layer...
> >
> >
> > All the best,
> > Georg
> >
> >
> >
> _______________________________________________
> Global_industry_committee mailing list
> Global_industry_committee at lists.owasp.org
> https://lists.owasp.org/mailman/listinfo/global_industry_committee
>