[Owasp-leaders] CWE/SANS Top 25 Most Dangerous Programming Errors

AF antonio.fontes at gmail.com
Mon Jan 19 12:10:43 EST 2009

> - If one has chosen software security as a profession, it's a sure bet for
> years to come :-)
 ; )

> For example, for my clients the OWASP Top
> 10 2004 list is more relevant than the 2007 list.
Could you please share some info on this? I find this very interesting.
(In private, if you think it is not relevant to the topic.)


It seems to me that some of us feel we didn't give enough emphasis to
the OWASP in the top25. The preliminary top25 draft discussions
clearly stated that the top25 was code implementation oriented (the
'actionable' word was used), while the owasp top10 was more 'web
vulnerability category' centric and more 'high-level'. (I won't argue
about how both affirmations contrast with each other.)

Questions I would ask then:
- Do the authors of the top10 agree with this perception of the top10?
If not, why?
- Globally, is there something we can identify already that we should
consider next time a similar document goes live?
- In a more marketing-oriented way, has someone from the OWASP clearly
taken a position on how the top10 differentiates from the top25? (When
to use it, how to use it and who should use it.)
