[OWASP-Delhi] Blog - OWASP X isn't enough!

Vishal A. vishal.asthana at owasp.org
Fri Sep 5 07:40:06 UTC 2014

Hi Rishi,

Good post. For any development team, OWASP Top 10 Vulnerability protection
is an achievable/tangible baseline to have, compliance-driven or not. I
definitely agree that it shouldn't be the ONLY list to certify your app
against. And yes, a pen tester ought to look beyond it, provided the scope
of engagement permits it.

On another note, OWASP Top 10 Proactive Control list is an interesting
prevention-based approach (

Organizations could potentially use both OWASP Top 10 Vulnerabilities and
OWASP Top 10 Proactive Controls to set a solid baseline first. Then go for
a pen test from creative tester(s) and add the additional findings to the
baseline. As time progresses, repeating the process would strengthen the
testing posture.

Ideally, securing all phases of the SDLC would be the perfect
approach/solution, but, we live in a world full of release deadlines, time
constraints, resource constraints, NFR perceptions etc. :-)


On Wed, Aug 20, 2014 at 12:31 AM, Rishi Narang <iam at pwnstar.in> wrote:

> Friends,
> I've written a blog on the assessment limitations that we restrict
> ourselves to OWASP X and don't usually go beyond it.
> Let me know your comments or feel free to contact me.
> Blog Links -
> LinkedIn - https://www.linkedin.com/today/post/article/20140818151659-7472152-owasp-x-life-beyond-it
> Personal Blog - https://www.wtfuzz.com/blogs/owasp-cheatsheet-not-bible/
> Cheers and have a good time!
> - Rishi
> _______________________________________________
> OWASP-Delhi mailing list
> OWASP-Delhi at lists.owasp.org
> https://lists.owasp.org/mailman/listinfo/owasp-delhi
> LinkedIn Group: https://www.linkedin.com/groups?gid=89270
> Twitter: https://twitter.com/OWASPdelhi
