[Owasp-leaders] OWASP Top 10 2012
Chris Schmidt
chris.schmidt at owasp.org
Fri Oct 7 12:07:35 EDT 2011
Precisely why I think an ecosystem built around the T10 project would be
a more lucrative direction. There are around 600 "notable" programming
languages in existence
(http://en.wikipedia.org/wiki/List_of_programming_languages) and you can
guarantee that it is only a matter of time before someone (as a really
bad prank) decides to release the OWASP Top 10 Common for Brainstab
wrapping ASMx86 backed by C++ as a back-end component to Grails fronted
JavaEE web application utilizing JNI to reference a C++ wrapper of a
Perl business layer.
On 10/7/2011 10:02 AM, Mark Curphey wrote:
> Just throw in fuel need to be careful with terms of language and
> framework. The .net clr supports 10+ languages (c# the big dog but
> ruby, pascal and all sorts)
>
> Sent from my iPhone
>
> On Oct 7, 2011, at 8:54 AM, Wong Onn Chee <ocwong at usa.net> wrote:
>
>> Hi folks,
>>
>> Just to join in the fun that all of you are having. :-)
>>
>> My two cents' worth as follows.
>>
>> Let's continue to have an OWASP Top 10 which is risk-based, as it
>> should be language-agnostic.
>>
>> However, not all languages are built identically.
>>
>> As some of you have pointed out, some coding traps are easier to
>> fall into in one language while other traps are more prevalent in
>> another language.
>>
>> As such, why not supplement the risk-centric OWASP Top 10 with
>> language-centric OWASP Top 10 Common for .Net, OWASP Top 10 Common
>> for Java, OWASP Top 10 Common for PHP, OWASP Top 10 Common for Flex
>> and so on.
>>
>> Cheers
>> Onn Chee
>> OWASP Singapore Lead
>>
>> On 10/07/2011 11:35 PM, Mark Curphey wrote:
>>> The sandwich ordering. I want OWASP top ten, on .net, with a c#
>>> filling and a bag of AWS to go :-)
>>>
>>> Sent from my iPhone
>>>
>>> On Oct 7, 2011, at 8:24 AM, John Melton <jtmelton at gmail.com> wrote:
>>>
>>>> I agree with several of the opinions expressed here. I tend to
>>>> think of this in a wizard style approach (there's been talk of this
>>>> style of organization in other project areas as well, I think
>>>> Curphey had this in his keynote from appsecusa). For instance, I
>>>> personally am a Java guy, so I'd logically like to have a flow that
>>>> says Top 10 list -> CSRF (Issue I have) -> choose technology ->
>>>> Java -> choose framework(s) -> Struts 2 -> now get prescriptive
>>>> guidance. To me that's the simplest and most logical flow for
>>>> developers. I have no idea how a flow like that would work within
>>>> the wiki, btw. Just speaking for Java, I think there's little value
>>>> in providing solutions unless you give framework-specific (not just
>>>> language-specific) guidance, since that's where most devs live.
>>>>
>>>> Clearly the top 10 has had tremendous impact on the industry - this
>>>> seems like a very logical place to start given the recent focus of
>>>> strong developer outreach. The top 10 doc is probably the 1 item
>>>> OWASP produces that is in the hands of more developers than
>>>> anything else (from my experience), so giving them solid solutions
>>>> seems a good idea.
>>>>
>>>> As an aside, my top 10 blog set was really meant to show the power
>>>> of ESAPI. So while it is Java specific, there are often more
>>>> framework compliant ways to accomplish the solutions (like token
>>>> solutions for CSRF in all the frameworks).
>>>>
>>>> Thanks,
>>>> John
>>>>
>>>> On Fri, Oct 7, 2011 at 11:04 AM, Jim Manico <jim.manico at owasp.org> wrote:
>>>>
>>>> Exactly! First of all, Troy Hunt is a total rockstar. He is mirroring
>>>> the OWASP Top Ten in a way that is 100% .NET branded for .NET
>>>> developers with .NET solutions.
>>>>
>>>> Even if the actual high-level items are the same as the general Top
>>>> Ten, the language branded versions reach developers and speak to
>>>> developers in a pretty deep way.
>>>>
>>>> The devil is in the detail - and unlike the general Top Ten, Troy's
>>>> work provides fairly deep prescriptive language-specific solutions.
>>>>
>>>> There are several bloggers (Melton?) who have pushed out Java-centric
>>>> Top Ten literature. The groundwork is out there. I'd love to see a
>>>> group managed by Dave's penchant for detail to produce (at least)
>>>> official OWASP Java, .NET and PHP Top Ten documents. I think this is
>>>> a better approach than just providing language specific examples in
>>>> the general doc for the sake of deeply influencing developers.
>>>>
>>>> IMO,
>>>> --
>>>> Jim Manico
>>>> (808) 652-3805
>>>>
>>>> On Oct 7, 2011, at 9:53 AM, Mark Curphey <mark at curphey.com> wrote:
>>>>
>>>> > Troy Hunt has already done a series on T10 and .net. He's a
>>>> > .net security MVP. I am sure he'll donate. Shall I ask him?
>>>> >
>>>> > Sent from my iPhone
>>>> >
>>>> > On Oct 7, 2011, at 7:21 AM, Jim Manico <jim.manico at owasp.org> wrote:
>>>> >
>>>> >> Yes, you are right on. It's a crucial way to influence developers more
>>>> >> - and influencing developers is the real mission of OWASP from days of
>>>> >> yore. Shall we get started? I'll lend a hand.
>>>> >>
>>>> >> --
>>>> >> Jim Manico
>>>> >> (808) 652-3805
>>>> >>
>>>> >> On Oct 7, 2011, at 9:18 AM, Erwin Geirnaert
>>>> >> <erwin.geirnaert at zionsecurity.com> wrote:
>>>> >>
>>>> >>> Hi list,
>>>> >>>
>>>> >>> During some discussions this week with Java developers
>>>> >>> while giving a security training I got the following remark:
>>>> >>> "why are there so many ASP.NET/PHP issues in the OWASP Top 10,
>>>> >>> is Java more secure"?
>>>> >>>
>>>> >>> So what I propose is to create a specific OWASP Top 10 for
>>>> >>> different technologies: Microsoft, Java, PHP and we can still
>>>> >>> have one global Top 10.
>>>> >>> Of course based on the CVE database, but it will be more
>>>> >>> clear for the developers and I think that the OWASP Top 10 for
>>>> >>> Java will be very different than OWASP Top 10 for PHP.
>>>> >>>
>>>> >>> Best regards,
>>>> >>>
>>>> >>> Erwin
>>>> >>> _______________________________________________
>>>> >>> OWASP-Leaders mailing list
>>>> >>> OWASP-Leaders at lists.owasp.org
>>>> >>> https://lists.owasp.org/mailman/listinfo/owasp-leaders