[Owasp-leaders] OWASP Top 10 2012

Dave Wichers dave.wichers at owasp.org
Fri Oct 7 13:10:44 EDT 2011

To clarify, Juan agrees with me, or vice versa. Don't care which.


From: Juan Carlos Calderon Rojas [mailto:juan.calderon at softtek.com] 
Sent: Friday, October 07, 2011 11:15 AM
To: Dave Wichers; 'Venkatesh Jagannathan'; 'Erwin Geirnaert'
Cc: owasp-leaders at lists.owasp.org
Subject: RE: [Owasp-leaders] OWASP Top 10 2012


I personally avoid the "X is more secure than Y", you can build (in)secure
systems in ANY of these technologies, it is not really a language specific
issue. What makes a difference for me is "how easy to secure is an
application build in X".


I my opinion as .NET and Java developer, and I also with experience of code
reviews in various PHP applications. PHP is harder to secure than Java, and
Java than .NET. That is, it takes more time to create a secure application
on PHP than in Java, and more time in Java than in .NET. Thus, It is easier
to make security mistakes in PHP (due to its extreme flexibility), than in
Java, than in .NET.


Yet, ALL are prone to the around 30 vulnerabilites of OWASP Top 10 Risks
(remember OWASP Top 10 is all about risks, right? :) ). All issues,
including local file inclusion are present in 3 of them, it is just that
(again) it is easier to get (in)secure in one more than in the other. 


Not pretty sure If I understood correctly, but a .NET specific Top 10
doesn't sound right for me. I mean having maybe different risks and
different rankings, add one of these for each technology available and then
would be a mayhem. Case appart is Mobile top 10 that is a different
platform, not language.


My vote is for language specific examples for each vulnerability for each
OWASP Top 10 risk. I could be named something like "OWASP Top 10 for .NET"
and include .NET speific examples but issues and raking will be the same.


There are will be some framework specific problems like MQL injection
(Hibernate is only available for Java and .NET as far as I know) but the
risk is still "A1 Injection".



Juan C Calderon



De: owasp-leaders-bounces at lists.owasp.org
[owasp-leaders-bounces at lists.owasp.org] En nombre de Dave Wichers
[dave.wichers at owasp.org]
Enviado el: viernes, 07 de octubre de 2011 09:39 a.m.
Para: 'Venkatesh Jagannathan'; 'Erwin Geirnaert'
CC: owasp-leaders at lists.owasp.org
Asunto: Re: [Owasp-leaders] OWASP Top 10 2012

I agree with Venkatesh here. I actually think .NET is MORE secure than Java
in many respects. However, I think because Microsoft actually tried to build
some security into .NET in certain areas, like automatic XSS defenses, they
shot themselves in the foot to some degree because they provided .Net
developers with a false sense of security in that area. Since their anti-XSS
mechanism wasn't actually bullet proof, it actually ended up causing .NET
apps to have MORE XSS vulns than Java apps on average. However, the .NET
developers got this 'benefit' for free, i.e., they didn't have to do
anything to get to their level of XSS vulns, but the Java developers had to
work really hard to actually get their XSS vuln count down because Java had
no built in anti-XSS defenses. If you built the same App in both Java and
.NET and the developers didn't specifically try to stop XSS vulns, the .NET
app would actually have far less XSS than the Java one.


I'm not a PHP expert so I can't comment there.


Rather than having a 'different' Top 10 for each language, I think it WOULD
be really cool to have a document like, How to address the OWASP Top 10 in
Java/.NET/PHP, etc. Then the docs would be aligned with each other, rather
than out of sync/different order/etc., which would be very confusing.
However, if I was a developer for language X, and there was a Top 10 for
that language, that would be very helpful for me, and not confusing since it
covers the same stuff as the 'standard' Top 10.


What do you think about this variant on your idea?




From: owasp-leaders-bounces at lists.owasp.org
[mailto:owasp-leaders-bounces at lists.owasp.org] On Behalf Of Venkatesh
Sent: Friday, October 07, 2011 10:29 AM
To: Erwin Geirnaert
Cc: owasp-leaders at lists.owasp.org
Subject: Re: [Owasp-leaders] OWASP Top 10 2012


Hi Erwin,

    I slightly disagree here. Whatever issue is present in .NET, the same
can be replated very much in Java. When I give trainning on writing secure
code, based on top 10, i provide samples on both .net & java way.

To me, creating a seperate material for java/.net would at some point in
time end up in too many "issuelets" that are language specific and dilute
the concept of OWASP top 10.


I think the way we should address this is: Provide examples in all languages
would make more sense than creating one for each language :)


Thanks & Regards,


On Fri, Oct 7, 2011 at 7:47 PM, Erwin Geirnaert
<erwin.geirnaert at zionsecurity.com> wrote:

Hi list,


During some discussions this week with Java developers while giving a
security training I got the following remark: "why are there so many
ASP.NET/PHP issues in the OWASP Top 10, is Java more secure"?


So what I propose is to create a specific OWASP Top 10 for different
technologies: Microsoft, Java, PHP and we can still have one global Top 10.

Ofcourse based on the CVE database but it will be more clear for the
developers and I think that the OWASP Top 10 for Java will be very different
than OWASP Top 10 for PHP.


Best regards,



OWASP-Leaders mailing list
OWASP-Leaders at lists.owasp.org


-------------- next part --------------
An HTML attachment was scrubbed...
URL: https://lists.owasp.org/pipermail/owasp-leaders/attachments/20111007/dfdcecfa/attachment-0001.html 

More information about the OWASP-Leaders mailing list