[Owasp-leaders] OWASP Top 10 2012

Chris Schmidt chris.schmidt at owasp.org
Fri Oct 7 12:07:35 EDT 2011


Precisely why I think an ecosystem built around the T10 project would be
a more lucrative direction. There are around 600 "notable" programming
languages in existence
(http://en.wikipedia.org/wiki/List_of_programming_languages) and you can
guarantee that it is only a matter of time before someone (as a really
bad prank) decides to release the OWASP Top 10 Common for Brainstab
wrapping ASMx86 backed by C++ as a back-end component to Grails fronted
JavaEE web application utilizing JNI to reference a C++ wrapper of a
Perl business layer.

On 10/7/2011 10:02 AM, Mark Curphey wrote:
> Just to throw in fuel: we need to be careful with the terms "language" and
> "framework". The .NET CLR supports 10+ languages (C# is the big dog, but
> Ruby, Pascal and all sorts)
>
> Sent from my iPhone
>
> On Oct 7, 2011, at 8:54 AM, Wong Onn Chee <ocwong at usa.net> wrote:
>
>> Hi folks,
>>
>> Just to join in the fun that all of you are having. :-)
>>
>> My two cents' worth as follows.
>>
>> Let's continue to have an OWASP Top 10 which is risk-based, as it
>> should be language-agnostic.
>>
>> However, not all languages are built identically.
>>
>> As some of you have pointed out, some coding traps are easier to
>> fall into in one language, while other traps are more prevalent in
>> another language.
>>
>> As such, why not supplement the risk-centric OWASP Top 10 with
>> language-centric OWASP Top 10 Common for .Net, OWASP Top 10 Common
>> for Java, OWASP Top 10 Common for PHP, OWASP Top 10 Common for Flex
>> and so on.
>>
>> Cheers
>> Onn Chee
>> OWASP Singapore Lead
>>
>> On 10/07/2011 11:35 PM, Mark Curphey wrote:
>>> The sandwich ordering. I want OWASP Top Ten, on .NET, with a C#
>>> filling and a bag of AWS to go :-)
>>>
>>> Sent from my iPhone
>>>
>>> On Oct 7, 2011, at 8:24 AM, John Melton <jtmelton at gmail.com> wrote:
>>>
>>>> I agree with several of the opinions expressed here. I tend to
>>>> think of this in a wizard style approach (there's been talk of this
>>>> style of organization in other project areas as well, I think
>>>> Curphey had this in his keynote from appsecusa). For instance, I
>>>> personally am a Java guy, so I'd logically like to have a flow that
>>>> says Top 10 list -> CSRF (Issue I have) -> choose technology ->
>>>> Java -> choose framework(s) -> Struts 2 -> now get prescriptive
>>>> guidance. To me that's the simplest and most logical flow for
>>>> developers. I have no idea how a flow like that would work within
>>>> the wiki, btw. Just speaking for Java, I think there's little value
>>>> in providing solutions unless you give framework-specific (not just
>>>> language-specific) guidance, since that's where most devs live.
>>>>
>>>> Clearly the top 10 has had tremendous impact on the industry - this
>>>> seems like a very logical place to start given the recent focus of
>>>> strong developer outreach. The top 10 doc is probably the 1 item
>>>> OWASP produces that is in the hands of more developers than
>>>> anything else (from my experience), so giving them solid solutions
>>>> seems a good idea.
>>>>
>>>> As an aside, my top 10 blog set was really meant to show the power
>>>> of ESAPI. So while it is Java specific, there are often more
>>>> framework compliant ways to accomplish the solutions (like token
>>>> solutions for CSRF in all the frameworks).
>>>>
>>>> Thanks,
>>>> John
>>>>
>>>> On Fri, Oct 7, 2011 at 11:04 AM, Jim Manico <jim.manico at owasp.org> wrote:
>>>>
>>>>     Exactly! First of all, Troy Hunt is a total rockstar. He is
>>>>     mirroring the OWASP Top Ten in a way that is 100% .NET branded
>>>>     for .NET developers with .NET solutions.
>>>>
>>>>     Even if the actual high-level items are the same as the general
>>>>     Top Ten, the language-branded versions reach developers and speak
>>>>     to developers in a pretty deep way.
>>>>
>>>>     The devil is in the detail - and unlike the general Top Ten, Troy's
>>>>     work provides fairly deep prescriptive language-specific solutions.
>>>>
>>>>     There are several bloggers (Melton?) who have pushed out
>>>>     Java-centric Top Ten literature. The groundwork is out there. I'd
>>>>     love to see a group managed by Dave's penchant for detail produce
>>>>     (at least) official OWASP Java, .NET and PHP Top Ten documents. I
>>>>     think this is a better approach than just providing
>>>>     language-specific examples in the general doc for the sake of
>>>>     deeply influencing developers.
>>>>
>>>>     IMO,
>>>>     --
>>>>     Jim Manico
>>>>     (808) 652-3805
>>>>
>>>>     On Oct 7, 2011, at 9:53 AM, Mark Curphey <mark at curphey.com> wrote:
>>>>
>>>>     > Troy Hunt has already done a series on T10 and .NET. He's a
>>>>     > .NET security MVP. I am sure he'll donate. Shall I ask him?
>>>>     >
>>>>     > Sent from my iPhone
>>>>     >
>>>>     > On Oct 7, 2011, at 7:21 AM, Jim Manico <jim.manico at owasp.org> wrote:
>>>>     >
>>>>     >> Yes, you are right on. It's a crucial way to influence
>>>>     >> developers more - and influencing developers is the real
>>>>     >> mission of OWASP from days of yore. Shall we get started? I'll
>>>>     >> lend a hand.
>>>>     >>
>>>>     >> --
>>>>     >> Jim Manico
>>>>     >> (808) 652-3805
>>>>     >>
>>>>     >> On Oct 7, 2011, at 9:18 AM, Erwin Geirnaert
>>>>     >> <erwin.geirnaert at zionsecurity.com> wrote:
>>>>     >>
>>>>     >>> Hi list,
>>>>     >>>
>>>>     >>> During some discussions this week with Java developers,
>>>>     >>> while giving a security training, I got the following remark:
>>>>     >>> "Why are there so many ASP.NET/PHP issues in the OWASP Top 10?
>>>>     >>> Is Java more secure?"
>>>>     >>>
>>>>     >>> So what I propose is to create a specific OWASP Top 10 for
>>>>     >>> different technologies: Microsoft, Java, PHP, and we can still
>>>>     >>> have one global Top 10.
>>>>     >>> Of course it would be based on the CVE database, but it will be
>>>>     >>> clearer for the developers, and I think that the OWASP Top 10
>>>>     >>> for Java will be very different from the OWASP Top 10 for PHP.
>>>>     >>>
>>>>     >>> Best regards,
>>>>     >>>
>>>>     >>> Erwin
>>>>     >>> _______________________________________________
>>>>     >>> OWASP-Leaders mailing list
>>>>     >>> OWASP-Leaders at lists.owasp.org
>>>>     <mailto:OWASP-Leaders at lists.owasp.org>
>>>>     >>> https://lists.owasp.org/mailman/listinfo/owasp-leaders