[Global_industry_committee] OWASP Top 10 Release Candidate - Feedback / Remark / Question to Top 6

Christian Heinrich christian.heinrich at owasp.org
Thu Apr 15 18:32:30 EDT 2010


Georg,

This T10 entry was included in the 2004 Release.

I believe it should be referenced (I believe this is mentioned in ASVS
also but I have checked and hence could be wrong), but the point of
contention is whether it is actually a business risk.

I believe the answer to this question is yes considering the damage
caused by "continued access".

The PCI SSC misquotes the T10 as the "OWASP Guide" in both their PCI
DSS and PA-DSS publications.  Also, their instruction related to the
Cardholder Data Environment is flawed when considered in the context of
Heartland.

On Wed, Apr 14, 2010 at 10:36 PM, Georg Heß <georg.hess at artofdefence.com> wrote:
> Dave
>
> I know that this feedback is very late .. but I am writing it anyway...
>
> When I prepared my "What shall I say about the details of the new OWASP
> Top 10.."  I realized that I am not very confident with the current
> version of the NEW OWASP Top 6 - Security Misconfiguration.
>
> The main reason is that it includes quite a bit of "network layer"
> topics, too.
>
> In general, I absolutely agree that this topic is important.
>
> However, I think we will have some challenges - that we want to avoid -
> with other industries including the OWASP Top 10 - like PCI DSS - under
> the assumption that they ONLY cover the web application layer.
>
> PCI DSS has - as you know - separate sections on network security and
> patch management etc...
>
> Maybe, this is all "old stuff" for you already...
>
> I did not follow in detail the "release candidate feedback period"..
>
> In my opinion, it would be great to "restrict" this topic to the
> application layer...

-- 
Regards,
Christian Heinrich - http://www.owasp.org/index.php/user:cmlh
OWASP "Google Hacking" Project Lead - http://sn.im/owasp_google_hacking