[Global_industry_committee] OWASP Top 10 Release Candidate - Feedback / Remark / Question to Top 6

Dave Wichers dave.wichers at owasp.org
Fri Apr 16 10:05:08 EDT 2010


I appreciate your feedback, as always. The PCI council has had an early
release and of course the RC and we haven't heard any concerns back from
them and we have been coordinating with them, so we have given them the
opportunity to express any concerns.

-Dave

-----Original Message-----
From: Georg Heß [mailto:georg.hess at artofdefence.com] 
Sent: Friday, April 16, 2010 4:11 AM
To: Christian Heinrich
Cc: Global_industry_committee; dave.wichers at owasp.org
Subject: Re: [Global_industry_committee] OWASP Top 10 Release Candidate -
Feedback / Remark / Question to Top 6

Christian,

in principle and theory I agree with all you are saying.

However, in real life I think we have to accept - at least I do - that
having PCI DSS referencing directly to OWASP is one of the biggest
successes of OWASP - in terms of visibility and credibility... and still
the best "showcase" of an interaction of OWASP with industry bodies.

So, also from an "in principle" aspect this relationship is far from
being perfect; we are working hard to get something like this "copied" to
other industry groups ... like Cloud Security Alliance ... or even legal
bodies...

And that's exactly my main reason why I believe we should focus our
message to the "external" work on "application layer ONLY"....

Just my 2 cents...

Georg


-- 
Dr. Georg Hess (CEO) - georg.hess at artofdefence.com
T:+49 (0)941 604 889 58  M:+49 (0)170 575 3154  F:+49 (0)941 604 889 837

art of defence GmbH, Bruderwöhrdstr 15b, 93055 Regensburg, Germany
------------------------------------------------------------------------
Amtsgericht Regensburg HRB 9708
Managing directors:
Dr. Georg Heß, Alexander Meisel
------------------------------------------------------------------------

Christian Heinrich wrote:
> Georg,
> 
> This T10 entry was included in the 2004 Release.
> 
> I believe it should be referenced (I believe this is mentioned in ASVS
> also but I have checked and hence could be wrong) but the point of
> contention is if it is actually a business risk?
> 
> I believe the answer to this question is yes considering the damage
> caused by "continued access".
> 
> The PCI SSC misquotes the T10 as the "OWASP Guide" in both their PCI
> DSS and PA-DSS publications.  Also their instruction related to the
> Cardholder Data Environment is flawed considered in the context of
> Heartland.
> 
> On Wed, Apr 14, 2010 at 10:36 PM, Georg Heß <georg.hess at artofdefence.com> wrote:
>> Dave
>>
>> I know that this feedback is very late .. but I am writing it anyway...
>>
>> When I prepared my "What shall I say about the details of the new OWASP
>> Top 10.."  I realized that I am not very confident with the current
>> version of the NEW OWASP Top 6 - Security Misconfiguration.
>>
>> The main reason is that it includes quite a bit of "network layer"
>> topics, too.
>>
>> In general, I absolutely agree that this topic is important.
>>
>> However, I think we will have some challenges - that we want to avoid -
>> with other industries including the OWASP Top 10 - like PCI DSS - under
>> the assumption that they ONLY cover the web application layer.
>>
>> PCI DSS has - as you know - separate sections on network security and
>> patch management etc...
>>
>> Maybe, this is all "old stuff" for you already...
>>
>> I did not follow in detail the "release candidate feedback period"..
>>
>> In my opinion, it would be great to "restrict" this topic to the
>> application layer...
> 