mike.boberski at gmail.com
Wed Dec 30 18:45:05 EST 2009
Since you ask...
This is a frustration to me, as a case study for lack of better way to put
it, seeing which OWASP materials are being referenced and how. Certain
messages aren't getting out in my mind, reading over that wiki page.
The Top 10 is a data sheet, it is not a baseline set of security
requirements, nor is it a standard to implement something to comply with.
The cheat sheets are guidance for overcoming very specific atomic items.
Pointing someone to the development guide w/o saying which sections are
relevant is like telling someone to read an encyclopedia A-Z. What security
activities are being done during their SDLC? Etc.....
First, I think Facebook needs to be straightened out a little bit in this
regard. ASVS exists now, so people need to start using it, where they had
previously been using the Top 10 in an inappropriate way. Second, I propose
exploring whether or not what Facebook really needs/asking for is an ESAPI.
On Wed, Dec 30, 2009 at 5:00 PM, Jim Manico <jim.manico at owasp.org> wrote:
> Hello Leaders,
> I recently noticed that the OWASP Top Ten was being referenced on
> Facebook's developer platform wiki at
> http://wiki.developers.facebook.com/index.php/Platform_Security - pretty
> This triggered a conversation with Pete Bratach and Ryan McGeehan from
> the Facebook security team about a deeper relationship between Facebook
> and OWASP. They also brought their partners, iSec (folks who know the
> Facebook platform very well) into the conversation.
> Facebook would like OWASP to host and develop a series of wiki pages on
> the topic on helping developers write secure Facebook applications. One
> this is rolling, Facebook would prominently link to those pages from the
> Facebook developer portal. The traffic and awareness potential is
> Facebook also seems to have a progressive security research policy in
> place (modeled after PayPals) at
> What do you think leaders?
> - Jim Manico
> OWASP ESAPI Project Manager
> OWASP Podcast Host/Producer
> OWASP-Leaders mailing list
> OWASP-Leaders at lists.owasp.org
-------------- next part --------------
An HTML attachment was scrubbed...
More information about the OWASP-Leaders