[Owasp-leaders] CWE/SANS Top 25 Most Dangerous Programming Errors

Marcin Wielgoszewski marcin at owasp.org
Wed Jan 14 14:08:27 EST 2009


Yah, I did notice a couple of people who are OWASP members contributed (notably
Jeff, Ivan, etc).

I think Gary McGraw's column posted yesterday ( ), combined with Arian
Evans's most recent email to the web-security mailing list (
http://www.webappsec.org/lists/websecurity/archive/2009-01/msg00041.html),
sums up my thoughts about the SANS/CWE list.  It's one of the issues I've had
with these lists, asking people not to limit themselves to just the Top 10
-- there are 700+ CWE, 100+ CAPEC, 24 WASC TC etc to also take into
account.

I just think SANS tried to "one-up" OWASP with a new Top X list.

Instead, perhaps Top 10 2009 should be Andrew's Top 10 Things To Do Right.


On Wed, Jan 14, 2009 at 7:58 AM, Marco M. Morana
<marco.m.morana at gmail.com> wrote:

>  Marcin
>
> If you look at the contributors of this important document
> http://www.sans.org/top25errors/, we have both people who implicitly are
> OWASP members (e.g. Jeff Williams, James Walden and Ivan Ristic are the ones I
> recognize) as well as, explicitly as an organization, the working group at the
> first OWASP ESAPI Summit.
>
> I am not sure that the fact that OWASP T10 is not mentioned lessens the
> credit or misses an opportunity to shine as an organization critical to producing
> this document for software security.
>
> Regards
>
> Marco
>
> OWASP Chapter Lead <http://www.owasp.org/index.php/Cincinnati>
>
> Writing Secure Software Blogger <http://securesoftware.blogspot.com/>
>
>
>
> ----- Original Message -----
> *From:* Marcin Wielgoszewski <marcin at owasp.org>
> *To:* Jeff Williams <jeff.williams at aspectsecurity.com>
> *Cc:* owasp-leaders at lists.owasp.org
> *Sent:* Tuesday, January 13, 2009 10:01 AM
> *Subject:* Re: [Owasp-leaders] CWE/SANS Top 25 Most Dangerous
> Programming Errors
>
> Jeff, the thing that really bites me about it all... is nowhere, in any of
> the news postings I've read since the release, has OWASP been mentioned or
> given credit for its own Top 10.
>
> Does anyone else feel the same way?  Or am I again being overly-possessive
> and my preference for open-source, open-body organizations like OWASP
> shining through?
>
>
> On Tue, Jan 13, 2009 at 7:24 AM, Jeff Williams <
> jeff.williams at aspectsecurity.com> wrote:
>
>>  I helped them out with this but didn't intend for them to assume an
>> organizational endorsement.  Even though it's basically the top ten + buffer
>> overflows, it helps our mission.
>>
>> --Jeff
>>
>>
>>
>> On Jan 13, 2009, at 12:34 AM, "Marcin Wielgoszewski" <marcin at owasp.org>
>> wrote:
>>
>> Today SANS, in conjunction with MITRE, has released the CWE/SANS Top 25
>> Most Dangerous Programming Errors [1].
>>
>> It appears the OWASP Foundation has made an official statement supporting this
>> initiative:
>>
>> OWASP Foundation: "When facing a huge application portfolio that could
>> contain many thousands of instances of over 700 different types of
>> weaknesses, knowing where to start is a daunting task. Done right, stamping
>> out the CWE Top 25 can not only make you significantly more secure but can
>> cut your software development costs."
>> - Jeff Williams, Aspect Security CEO and The OWASP Foundation Chair
>>
>> [1] http://www.sans.org/top25errors/
>>
>>
>> Thoughts?  How does this affect the OWASP Top 10 Project?  I'll reserve
>> comment for the time being.
>>
>> _______________________________________________
>> OWASP-Leaders mailing list
>> OWASP-Leaders at lists.owasp.org
>> https://lists.owasp.org/mailman/listinfo/owasp-leaders
>>
>>
>