[Owasp-leaders] OWASP Top 10 2012

Tony UcedaVelez tonyuv at owasp.org
Fri Oct 7 18:26:49 EDT 2011


  All good thoughts, but the choice comments made thus far IMHO are around
the ecosystem idea around the OWASP Top 10. Building from this idea I would
like to propose the following: Attack & Countermeasure Vignettes for the
OWASP Top 10. After all - as many have already said and undoubtedly
recognize, people appreciate the Top 10, but they want greater specifics on
understanding the steps to realize these attacks against the myriad of dev
technologies that are out there. They also obviously want to understand how
to mitigate them in their respective dev technologies. These vignettes could
be a part of that ecosystem that Chris alluded to earlier and further other
satellite projects that are existent and maturing (training, cheat sheets,
etc.) as well as those that have just begun (threat modeling). Further, the
myriad of OWASP tools could also be used to apply some of the attack
patterns within the various vignettes.

MITRE is developing a similar effort, but more focused by industry; the
point is that this would build off of the OWASP Top 10 while addressing
specific countermeasures per dev language.

Open for bashing or backslaps or anything in between as feedback.

Tony UV

Sent from my x Phone
------------------------------
From: Chris Schmidt
Sent: Friday, October 07, 2011 12:08 PM
To: owasp-leaders at lists.owasp.org
Subject: Re: [Owasp-leaders] OWASP Top 10 2012

  Precisely why I think an ecosystem built around the T10 project would be a
more lucrative direction. There are around 600 "notable" programming
languages in existence (
http://en.wikipedia.org/wiki/List_of_programming_languages) and you can
guarantee that it is only a matter of time before someone (as a really bad
prank) decides to release the OWASP Top 10 Common for Brainstab wrapping
ASMx86 backed by C++ as a back-end component to Grails fronted JavaEE web
application utilizing JNI to reference a C++ wrapper of a Perl business
layer.

On 10/7/2011 10:02 AM, Mark Curphey wrote:

Just to throw in fuel: we need to be careful with the terms "language" and
"framework". The .NET CLR supports 10+ languages (C# the big dog, but Ruby,
Pascal and all sorts).

Sent from my iPhone

On Oct 7, 2011, at 8:54 AM, Wong Onn Chee <ocwong at usa.net> wrote:

  Hi folks,

Just to join in the fun that all of you are having. :-)

My two cents' worth as follows.

Let's continue to have an OWASP Top 10 which is risk-based, as it should be
language-agnostic.

However, not all languages are built identically.

As some of you have pointed out, some coding traps are easier to fall
into in one language while other traps are more prevalent in another language.

As such, why not supplement the risk-centric OWASP Top 10 with
language-centric OWASP Top 10 Common for .Net, OWASP Top 10 Common for Java,
OWASP Top 10 Common for PHP, OWASP Top 10 Common for Flex and so on.

Cheers
Onn Chee
OWASP Singapore Lead

On 10/07/2011 11:35 PM, Mark Curphey wrote:

The sandwich ordering. I want OWASP top ten, on .net, with a c# filling and
a bag of AWS to go :-)

Sent from my iPhone

On Oct 7, 2011, at 8:24 AM, John Melton <jtmelton at gmail.com> wrote:

 I agree with several of the opinions expressed here. I tend to think of
this in a wizard style approach (there's been talk of this style of
organization in other project areas as well, I think Curphey had this in his
keynote from appsecusa). For instance, I personally am a Java guy, so I'd
logically like to have a flow that says Top 10 list -> CSRF (Issue I have)
-> choose technology -> Java -> choose framework(s) -> Struts 2 -> now get
prescriptive guidance. To me that's the simplest and most logical flow for
developers. I have no idea how a flow like that would work within the wiki,
btw. Just speaking for Java, I think there's little value in providing
solutions unless you give framework-specific (not just language-specific)
guidance, since that's where most devs live.

Clearly the top 10 has had tremendous impact on the industry - this seems
like a very logical place to start given the recent focus of strong
developer outreach. The top 10 doc is probably the 1 item OWASP produces
that is in the hands of more developers than anything else (from my
experience), so giving them solid solutions seems a good idea.

As an aside, my top 10 blog set was really meant to show the power of ESAPI.
So while it is Java specific, there are often more framework compliant ways
to accomplish the solutions (like token solutions for CSRF in all the
frameworks).

Thanks,
John

On Fri, Oct 7, 2011 at 11:04 AM, Jim Manico <jim.manico at owasp.org> wrote:

> Exactly! First of all, Troy Hunt is a total rockstar. He is mirroring
> the OWASP Top Ten in a way that is 100% .NET branded for .NET
> developers with .NET solutions.
>
> Even if the actual high-level items are the same as the general Top
> Ten, the language branded versions reach developers and speak to
> developers in a pretty deep way.
>
> The devil is in the detail - and unlike the general Top Ten, Troy's
> work provides fairly deep prescriptive language-specific solutions.
>
> There are several bloggers (Melton?) who have pushed out Java centric
> Top Ten literature. The groundwork is out there. I'd love to see a
> group managed by Dave's penchant for detail to produce (at least)
> official OWASP Java,  .NET and PHP Top Ten documents. I think this is
> a better approach than just providing language specific examples in
> the general doc for the sake of deeply influencing developers.
>
> IMO,
> --
> Jim Manico
> (808) 652-3805
>
>  On Oct 7, 2011, at 9:53 AM, Mark Curphey <mark at curphey.com> wrote:
>
> > Troy hunt has already done a series on T10 and .net. He's a .net security
> MVP.  I am sure he'll donate. Shall I ask him?
> >
> > Sent from my iPhone
> >
> > On Oct 7, 2011, at 7:21 AM, Jim Manico <jim.manico at owasp.org> wrote:
> >
> >> Yes, you are right on. It's a crucial way to influence developers more
> >> - and influencing developers is the real mission of OWASP from days of
> >> yore. Shall we get started? I'll lend a hand.
> >>
> >> --
> >> Jim Manico
> >> (808) 652-3805
> >>
> >> On Oct 7, 2011, at 9:18 AM, Erwin Geirnaert
> >> <erwin.geirnaert at zionsecurity.com> wrote:
> >>
> >>> Hi list,
> >>>
> >>> During some discussions this week with Java developers while giving a
> security training I got the following remark: "why are there so many
> ASP.NET/PHP issues in the OWASP Top 10, is Java more secure"?
> >>>
> >>> So what I propose is to create a specific OWASP Top 10 for different
> technologies: Microsoft, Java, PHP and we can still have one global Top 10.
> >>> Of course based on the CVE database, but it will be more clear for the
> developers and I think that the OWASP Top 10 for Java will be very different
> from the OWASP Top 10 for PHP.
> >>>
> >>> Best regards,
> >>>
> >>> Erwin
> >>> _______________________________________________
> >>> OWASP-Leaders mailing list
> >>> OWASP-Leaders at lists.owasp.org
> >>> https://lists.owasp.org/mailman/listinfo/owasp-leaders




