[Owasp-leaders] OWASP Top 10 2012

Chris Schmidt chris.schmidt at owasp.org
Fri Oct 7 11:41:40 EDT 2011


I think this illustrates a point pretty accurately - this has the
potential to blow up into something completely unmaintainable and
not-user-friendly in a heartbeat. Perhaps the answer is that instead of
new documents, a new EcoSystem/Community should be built around the Top
10 project that enables the community to interact with questions like

How do I resolve T10.1 in my PHP application that uses the PHP-Java
Bridge to invoke business functions in my Spring driven Java business layer?

This would be a good place for something like a Stack Overflow type Q&A
framework to *complement* the top 10. Make sense?

And yes, I realize this contradicts my previous post a little; the
important thing is that the T10 is an industry impactful project and I
believe there is both room for growth and the community desire for *moar
factz* as it were. That was the main intent of my previous reply; this
is just another suggestion on how to get there.

My $0.02

On 10/7/2011 9:35 AM, Mark Curphey wrote:
> The sandwich ordering. I want OWASP top ten, on .net, with a c#
> filling and a bag of AWS to go :-)
>
> Sent from my iPhone
>
> On Oct 7, 2011, at 8:24 AM, John Melton <jtmelton at gmail.com> wrote:
>
>> I agree with several of the opinions expressed here. I tend to think
>> of this in a wizard style approach (there's been talk of this style
>> of organization in other project areas as well, I think Curphey had
>> this in his keynote from appsecusa). For instance, I personally am a
>> Java guy, so I'd logically like to have a flow that says Top 10 list
>> -> CSRF (Issue I have) -> choose technology -> Java -> choose
>> framework(s) -> Struts 2 -> now get prescriptive guidance. To me
>> that's the simplest and most logical flow for developers. I have no
>> idea how a flow like that would work within the wiki, btw. Just
>> speaking for Java, I think there's little value in providing
>> solutions unless you give framework-specific (not just
>> language-specific) guidance, since that's where most devs live.
>>
>> Clearly the top 10 has had tremendous impact on the industry - this
>> seems like a very logical place to start given the recent focus of
>> strong developer outreach. The top 10 doc is probably the 1 item
>> OWASP produces that is in the hands of more developers than anything
>> else (from my experience), so giving them solid solutions seems a
>> good idea.
>>
>> As an aside, my top 10 blog set was really meant to show the power of
>> ESAPI. So while it is Java specific, there are often more framework
>> compliant ways to accomplish the solutions (like token solutions for
>> CSRF in all the frameworks).
>>
>> Thanks,
>> John
>>
>> On Fri, Oct 7, 2011 at 11:04 AM, Jim Manico <jim.manico at owasp.org> wrote:
>>
>>     Exactly! First of all, Troy Hunt is a total rockstar. He is mirroring
>>     the OWASP Top Ten in a way that is 100% .NET branded for .NET
>>     developers with .NET solutions.
>>
>>     Even if the actual high-level items are the same as the general Top
>>     Ten, the language branded versions reach developers and speak to
>>     developers in a pretty deep way.
>>
>>     The devil is in the detail - and unlike the general Top Ten, Troy's
>>     work provides fairly deep prescriptive language-specific solutions.
>>
>>     There are several bloggers (Melton?) who have pushed out Java centric
>>     Top Ten literature. The groundwork is out there. I'd love to see a
>>     group managed by Dave's penchant for detail to produce (at least)
>>     official OWASP Java, .NET and PHP Top Ten documents. I think this is
>>     a better approach than just providing language specific examples in
>>     the general doc for the sake of deeply influencing developers.
>>
>>     IMO,
>>     --
>>     Jim Manico
>>     (808) 652-3805
>>
>>     On Oct 7, 2011, at 9:53 AM, Mark Curphey <mark at curphey.com> wrote:
>>
>>     > Troy Hunt has already done a series on T10 and .net. He's a
>>     > .net security MVP. I am sure he'll donate. Shall I ask him?
>>     >
>>     > Sent from my iPhone
>>     >
>>     > On Oct 7, 2011, at 7:21 AM, Jim Manico <jim.manico at owasp.org> wrote:
>>     >
>>     >> Yes, you are right on. It's a crucial way to influence
>>     >> developers more - and influencing developers is the real mission
>>     >> of OWASP from days of yore. Shall we get started? I'll lend a hand.
>>     >>
>>     >> --
>>     >> Jim Manico
>>     >> (808) 652-3805
>>     >>
>>     >> On Oct 7, 2011, at 9:18 AM, Erwin Geirnaert
>>     >> <erwin.geirnaert at zionsecurity.com> wrote:
>>     >>
>>     >>> Hi list,
>>     >>>
>>     >>> During some discussions this week with Java developers while
>>     >>> giving a security training I got the following remark: "why are
>>     >>> there so many ASP.NET/PHP issues in the OWASP Top 10, is Java
>>     >>> more secure"?
>>     >>>
>>     >>> So what I propose is to create a specific OWASP Top 10 for
>>     >>> different technologies: Microsoft, Java, PHP and we can still
>>     >>> have one global Top 10.
>>     >>> Of course based on the CVE database but it will be more clear
>>     >>> for the developers and I think that the OWASP Top 10 for Java
>>     >>> will be very different than OWASP Top 10 for PHP.
>>     >>>
>>     >>> Best regards,
>>     >>>
>>     >>> Erwin
>>     >>> _______________________________________________
>>     >>> OWASP-Leaders mailing list
>>     >>> OWASP-Leaders at lists.owasp.org
>>     >>> https://lists.owasp.org/mailman/listinfo/owasp-leaders