[Owasp-leaders] OWASP Top 10 2012

Allen Worrell awworrell at gmail.com
Fri Oct 7 10:55:28 EDT 2011


I would agree that aligning the documents to each other is the best idea. I
would find it very confusing to have multiple documents for each language in
different orders and so on. Given that the cheat sheets have been such a
success, it may be worth using that idea for each of the language
specific top 10 sheets. A sort of OWASP Top 10 for Java developers Cheat
sheet.

As a java developer myself, I can tell you that the OWASP Top 10 is very
helpful in having a general idea for what vulnerabilities to watch out for.
The issue I have had with Java is just how to approach doing it. I think
over each of the languages the solutions will be very similar but breaking
it down to a specific language would be helpful.

If there is anything I can help with please let me know. I will be more than
happy to try to help with the project as needed.

Allen

On Fri, Oct 7, 2011 at 9:44 AM, Erwin Geirnaert <
erwin.geirnaert at zionsecurity.com> wrote:

> Hi Dave,
>
> That's what I did with the OWASP Top 10 for JEE 2007 where I only described
> the issue for JEE and the necessary countermeasures.
> But the Top 10 used was the general one, and not specific for Java so for
> example you have the concept of malicious file execution where you include a
> PHP file from a malicious origin in a parameter and that doesn't apply to
> Java or .NET
>
> Discussing with a Java hardcore developer that Spring Security is not
> really a solution for the OWASP Top 10 is a difficult job :)
>
> Best regards,
>
> Erwin
>
> From: Dave Wichers <dave.wichers at owasp.org>
> Date: Fri, 7 Oct 2011 07:39:07 -0700
> To: 'Venkatesh Jagannathan' <venki at owasp.org>, Erwin Geirnaert <
> erwin.geirnaert at zionsecurity.com>
> CC: "owasp-leaders at lists.owasp.org" <owasp-leaders at lists.owasp.org>
> Subject: RE: [Owasp-leaders] OWASP Top 10 2012
>
> I agree with Venkatesh here. I actually think .NET is MORE secure than
> Java in many respects. However, I think because Microsoft actually tried to
> build some security into .NET in certain areas, like automatic XSS defenses,
> they shot themselves in the foot to some degree because they provided .Net
> developers with a false sense of security in that area. Since their anti-XSS
> mechanism wasn’t actually bullet proof, it actually ended up causing .NET
> apps to have MORE XSS vulns than Java apps on average. However, the .NET
> developers got this ‘benefit’ for free, i.e., they didn’t have to do
> anything to get to their level of XSS vulns, but the Java developers had to
> work really hard to actually get their XSS vuln count down because Java had
> no built in anti-XSS defenses. If you built the same App in both Java and
> .NET and the developers didn’t specifically try to stop XSS vulns, the .NET
> app would actually have far less XSS than the Java one.
>
> I’m not a PHP expert so I can’t comment there.
>
> Rather than having a ‘different’ Top 10 for each language, I think it WOULD
> be really cool to have a document like, How to address the OWASP Top 10 in
> Java/.NET/PHP, etc. Then the docs would be aligned with each other, rather
> than out of sync/different order/etc., which would be very confusing.
> However, if I was a developer for language X, and there was a Top 10 for
> that language, that would be very helpful for me, and not confusing since it
> covers the same stuff as the ‘standard’ Top 10.
>
> What do you think about this variant on your idea?
>
> -Dave
>
> *From:* owasp-leaders-bounces at lists.owasp.org [mailto:owasp-leaders-bounces at lists.owasp.org]
> *On Behalf Of *Venkatesh Jagannathan
> *Sent:* Friday, October 07, 2011 10:29 AM
> *To:* Erwin Geirnaert
> *Cc:* owasp-leaders at lists.owasp.org
> *Subject:* Re: [Owasp-leaders] OWASP Top 10 2012
>
> Hi Erwin,
>
>     I slightly disagree here. Whatever issue is present in .NET, the same
> can be replicated very much in Java. When I give training on writing secure
> code, based on top 10, I provide samples on both .net & java way.
>
> To me, creating a separate material for java/.net would at some point in
> time end up in too many "issuelets" that are language specific and dilute
> the concept of OWASP top 10.
>
> I think the way we should address this is: Provide examples in all
> languages would make more sense than creating one for each language :)
>
> Thanks & Regards,
>
> ~Venki
>
> On Fri, Oct 7, 2011 at 7:47 PM, Erwin Geirnaert <
> erwin.geirnaert at zionsecurity.com> wrote:
>
> Hi list,
>
> During some discussions this week with Java developers while giving a
> security training I got the following remark: "why are there so many
> ASP.NET/PHP issues in the OWASP Top 10, is Java more
> secure"?
>
> So what I propose is to create a specific OWASP Top 10 for different
> technologies: Microsoft, Java, PHP and we can still have one global Top 10.
>
> Of course based on the CVE database but it will be more clear for the
> developers and I think that the OWASP Top 10 for Java will be very different
> than OWASP Top 10 for PHP.
>
> Best regards,
>
> Erwin
>
>
> _______________________________________________
> OWASP-Leaders mailing list
> OWASP-Leaders at lists.owasp.org
> https://lists.owasp.org/mailman/listinfo/owasp-leaders