[OWASP-GUIDE] Fwd: OWASP Top Ten - dev process

Andre Ludwig andre.ludwig at gmail.com
Wed Jul 13 10:01:28 EDT 2005


Forwarded this message to this list because it bounced from the
securityfocus list.

Is there a thread on this already elsewhere?


---------- Forwarded message ----------
From: Andre Ludwig <andre.ludwig at gmail.com>
Date: Jul 13, 2005 9:57 AM
Subject: Re: OWASP Top Ten - dev process
To: Devdas Bhagat <devdas at dvb.homelinux.org>, webappsec at securityfocus.com

How about a top 10 of top 10's? </sarcasm>

The top 10 is fine for what it was meant to do (raise awareness of issues
faced by organizations). Could it be expanded? Yes, it could end up being
the top 1000 if we wanted it to be. Should it be? No.

As far as doing a top 10 practices, top 10 development issues, top 10 system
issues, top 10 top 10, etc., I think it will quickly serve to distract rather
than to help guide. If anything, maybe we should look at a top 10 RESOURCES
for web security, then simply choose the top 10 resources for common issues
faced by web application teams. This could serve not only to insulate the
top 10 from l33t 0-dayz sploits but also to give it more "weight" (as the
resources used could be elventeen-billion-page white papers discussing how
to code a web application in FORTRAN). All humour aside, I think that would
be a much more useful aid for the desk-sniffing pointy-haired bosses of the
world who barely understand what a database is (don't act like you don't
know at least 10 of those). At the same time it could also serve as a
library for those more advanced web developers who maybe never had to focus
on secure practices, secure coding, secure *insert buzzword here*. I think
such a top 10 resource list as well as the top 10 as it is now would serve
each other rather well. Let's face it, web app security is anything but a
"top 10" issue.

Dre

On 7/13/05, Devdas Bhagat <devdas at dvb.homelinux.org> wrote:
> 
> On 13/07/05 11:40 +1000, Michael Silk wrote:
> >
> > But isn't the _whole point_ of a "Top Ten" that it quickly and
> > easily lists the 'visible' problems [i.e. not the cause]?
> >
> > I mean, you could make it a Top 2 otherwise: 
> > 1) Bad Programming
> > 2) Bad Design
> >
> Top Three:
> 3) Bad Programmers.
> 
> > ...
> >
> > It covers everything; easy to interpret and hence fail or pass as you
> > like.
> >
> > imho an OWASP "Top Ten" shouldn't really cover _my_ development 
> > procedures; only the problems exposed by them.
> >
> IMHO, we need a top ten problems and a top ten bad practices list.
> That would help a lot more.
> 
> Devdas Bhagat
>