[OWASP-GUIDE] Fwd: OWASP Top Ten - dev process
andre.ludwig at gmail.com
Wed Jul 13 10:01:28 EDT 2005
forwarded this message to this list because it bounced from the
Is there a thread on this already elsewhere?
---------- Forwarded message ----------
From: Andre Ludwig <andre.ludwig at gmail.com>
Date: Jul 13, 2005 9:57 AM
Subject: Re: OWASP Top Ten - dev process
To: Devdas Bhagat <devdas at dvb.homelinux.org>, webappsec at securityfocus.com
How about a top 10 of top 10's? </ sarcasm>
The top 10 is fine for what it was meant to do (raise awareness of issues
faced by organizations). Could it be expanded? Yes, it could end up being
the top1000 if we wanted it to be. Should it be? No.
As far as doing a top10 practices, top10 development issues, top10 system
issues, top10 top10, etc., I think it will quickly serve to distract rather
than to help guide. If anything, maybe we should look at a top10 RESOURCES for
web security, then simply choose the top 10 resources for common issues
faced by web application teams. This could serve to not only insulate the
top10 from l33t 0-dayz sploits but also give it more "weight" (as the
resources used could be elventeen billion page white papers discussing how
to code a web application in FORTRAN). All humour aside, I think that would
be a much more useful aid for the desk sniffing pointy haired bosses of the
world who barely understand what a database is (don't act like you don't know
at least 10 of those). At the same time it could also serve as a library for
those more advanced web developers who maybe never had to focus on secure
practices, secure coding, secure *insert buzz word here*. I think such a
top10 resource list as well as the top10 as it is now would serve each other
rather well. Let's face it, web app security is anything but a "top10" issue..
On 7/13/05, Devdas Bhagat <devdas at dvb.homelinux.org> wrote:
> On 13/07/05 11:40 +1000, Michael Silk wrote:
> > But isn't the _whole point_ of a "Top Ten" that it quickly and
> > easily lists the 'visible' problems [i.e. not the cause]?
> > I mean, you could make it a Top 2 otherwise:
> > 1) Bad Programming
> > 2) Bad Design
> Top Three:
> 3> Bad Programmers.
> > ...
> > It covers everything; easy to interpret and hence fail or pass as you
> > imho an OWASP "Top Ten" shouldn't really cover _my_ development
> > procedures; only the problems exposed by them.
> IMHO, we need a top ten problems and a top ten bad practices list.
> That would help a lot more.
> Devdas Bhagat