[Global_industry_committee] OWASP Top 10 Release Candidate - Feedback / Remark / Question to Top 6

Georg Heß georg.hess at artofdefence.com
Fri Apr 16 04:10:43 EDT 2010


In principle and theory I agree with all you are saying.

However, in real life I think we have to accept - at least I do - that
having PCI DSS reference OWASP directly is one of the biggest
successes of OWASP - in terms of visibility and credibility... and still
the best "showcase" of an interaction of OWASP with industry bodies.

So, although this relationship, also from an "in principle" aspect, is far from
being perfect, we are working hard to get something like this "copied" to
other industry groups ... like the Cloud Security Alliance ... or even legal

And that's exactly my main reason why I believe we should focus our
message to the "external" work on "application layer ONLY"....

Just my 2 cents...


Dr. Georg Hess (CEO) - georg.hess at artofdefence.com
T:+49 (0)941 604 889 58  M:+49 (0)170 575 3154  F:+49 (0)941 604 889 837

art of defence GmbH, Bruderwöhrdstr 15b, 93055 Regensburg, Germany
Amtsgericht Regensburg HRB 9708
Dr. Georg Heß, Alexander Meisel

Christian Heinrich wrote:
> Georg,
> This T10 entry was included in the 2004 Release.
> I believe it should be referenced (I believe this is mentioned in ASVS
> also but I have checked and hence could be wrong) but the point of
> contention is if it is actually a business risk?
> I believe the answer to this question is yes considering the damage
> caused by "continued access".
> The PCI SSC misquotes the T10 as the "OWASP Guide" in both their PCI
> DSS and PA-DSS publications.  Also their instruction related to the
> Cardholder Data Environment is flawed considered in the context of
> Heartland.
> On Wed, Apr 14, 2010 at 10:36 PM, Georg Heß <georg.hess at artofdefence.com> wrote:
>> Dave
>> I know that this feedback is very late .. but I am writing it anyway...
>> When I prepared my "What shall I say about the details of the new OWASP
>> Top 10.."  I realized that I am not very confident with the current
>> version of the NEW OWASP Top 6 - Security Misconfiguration.
>> The main reason is that it includes quite a bit of "network layer"
>> topics, too.
>> In general, I absolutely agree that this topic is important.
>> However, I think we will have some challenges - that we want to avoid -
>> with other industries including the OWASP Top 10 - like PCI DSS - under
>> the assumption that they ONLY cover the web application layer.
>> PCI DSS has - as you know - separate sections on network security and
>> patch management etc...
>> Maybe, this is all "old stuff" for you already...
>> I did not follow in detail the "release candidate feedback period"..
>> In my opinion, it would be great to "restrict" this topic to the
>> application layer...
