[Owasp-leaders] OWASP Top 10 2012

Chris Schmidt chris.schmidt at owasp.org
Fri Oct 7 18:49:44 EDT 2011


As a side-note and some food for thought, the following is taken
directly from the ESAPI Roadmap
(http://esapi.org/2011/10/esapi-roadmap/) that I published last night
---] SNIP [---

*How-To Video Series* - Similar to the Cheat Sheet Series, with more of a
tutorial aspect to it. _The How-to series will focus on the OWASP
Top-Ten_ and will include a full walkthrough of mitigating real-world
issues (i.e. the kind that a developer would see on a PCI Scan Report)
using ESAPI. Transcripts will be available for these videos as well.

---] SNIP [---

I have underlined the extremely relevant part of the deliverable.
Perhaps some cross-pollination between T10 and ESAPI can be done to make
this happen.

On 10/7/2011 4:26 PM, Tony UcedaVelez wrote:
> All good thoughts, but the choice comments made thus far IMHO are
> around the ecosystem idea around the OWASP Top 10. Building from this
> idea I would like to propose the following, Attack & Countermeasure
> Vignettes for the OWASP Top 10. After all - as many have already said
> and undoubtedly recognize, people appreciate the Top 10, but they want
> greater specifics on understanding the steps to realize these attacks
> against the myriad of dev technologies that are out there. They also
> want to obviously understand how to mitigate them in their respective
> dev technologies. These vignettes could be a part of that ecosystem
> that Chris alluded to earlier and further other satellite projects
> that are existent and maturing (training, cheat sheets, etc.) as well
> as those that have just begun (threat modeling). Further, the myriad
> of OWASP tools could also be used to apply some of the attack patterns
> within the various vignettes.
>
> MITRE is developing a similar effort, but more focused by industry, but
> the point is that this would build off of the OWASP Top 10 while
> addressing specific countermeasures per dev language.
>
> Open for bashing or backslaps or anything in between as feedback.
>
> Tony UV
>
> Sent from my x Phone
> ------------------------------------------------------------------------
> From: Chris Schmidt
> Sent: Friday, October 07, 2011 12:08 PM
> To: owasp-leaders at lists.owasp.org
> Subject: Re: [Owasp-leaders] OWASP Top 10 2012
>
> Precisely why I think an ecosystem built around the T10 project would
> be a more lucrative direction. There are around 600 "notable"
> programming languages in existence
> (http://en.wikipedia.org/wiki/List_of_programming_languages) and you
> can guarantee that it is only a matter of time before someone (as a
> really bad prank) decides to release the OWASP Top 10 Common for
> Brainstab wrapping ASMx86 backed by C++ as a back-end component to
> Grails fronted JavaEE web application utilizing JNI to reference a C++
> wrapper of a Perl business layer.
>
> On 10/7/2011 10:02 AM, Mark Curphey wrote:
>> Just to throw in fuel: need to be careful with terms of language and
>> framework. The .net clr supports 10+ languages (c# the big dog but
>> ruby, pascal and all sorts)
>>
>> Sent from my iPhone
>>
>> On Oct 7, 2011, at 8:54 AM, Wong Onn Chee <ocwong at usa.net> wrote:
>>
>>> Hi folks,
>>>
>>> Just to join in the fun that all of you are having. :-)
>>>
>>> My two cents' worth as follows.
>>>
>>> Let's continue to have an OWASP Top 10 which is risk-based as it
>>> should be language-agnostic.
>>>
>>> However, not all languages are built identically.
>>>
>>> As some of you have pointed out, some coding traps are easier
>>> to fall into in a language while other traps are more prevalent in
>>> another language.
>>>
>>> As such, why not supplement the risk-centric OWASP Top 10 with
>>> language-centric OWASP Top 10 Common for .Net, OWASP Top 10 Common
>>> for Java, OWASP Top 10 Common for PHP, OWASP Top 10 Common for Flex
>>> and so on.
>>>
>>> Cheers
>>> Onn Chee
>>> OWASP Singapore Lead
>>>
>>> On 10/07/2011 11:35 PM, Mark Curphey wrote:
>>>> The sandwich ordering. I want OWASP top ten, on .net, with a c#
>>>> filling and a bag of AWS to go :-)
>>>>
>>>> Sent from my iPhone
>>>>
>>>> On Oct 7, 2011, at 8:24 AM, John Melton <jtmelton at gmail.com> wrote:
>>>>
>>>>> I agree with several of the opinions expressed here. I tend to
>>>>> think of this in a wizard style approach (there's been talk of
>>>>> this style of organization in other project areas as well, I think
>>>>> Curphey had this in his keynote from appsecusa). For instance, I
>>>>> personally am a Java guy, so I'd logically like to have a flow
>>>>> that says Top 10 list -> CSRF (Issue I have) -> choose technology
>>>>> -> Java -> choose framework(s) -> Struts 2 -> now get prescriptive
>>>>> guidance. To me that's the simplest and most logical flow for
>>>>> developers. I have no idea how a flow like that would work within
>>>>> the wiki, btw. Just speaking for Java, I think there's little
>>>>> value in providing solutions unless you give framework-specific
>>>>> (not just language-specific) guidance, since that's where most
>>>>> devs live.
>>>>>
>>>>> Clearly the top 10 has had tremendous impact on the industry -
>>>>> this seems like a very logical place to start given the recent
>>>>> focus of strong developer outreach. The top 10 doc is probably the
>>>>> 1 item OWASP produces that is in the hands of more developers than
>>>>> anything else (from my experience), so giving them solid solutions
>>>>> seems a good idea.
>>>>>
>>>>> As an aside, my top 10 blog set was really meant to show the power
>>>>> of ESAPI. So while it is Java specific, there are often more
>>>>> framework compliant ways to accomplish the solutions (like token
>>>>> solutions for CSRF in all the frameworks).
>>>>>
>>>>> Thanks,
>>>>> John
>>>>>
>>>>> On Fri, Oct 7, 2011 at 11:04 AM, Jim Manico <jim.manico at owasp.org> wrote:
>>>>>
>>>>>     Exactly! First of all, Troy Hunt is a total rockstar. He is
>>>>>     mirroring
>>>>>     the OWASP Top Ten in a way that is 100% .NET branded for .NET
>>>>>     developers with .NET solutions.
>>>>>
>>>>>     Even if the actual high level items are the same as the
>>>>>     general Top
>>>>>     Ten, the language branded versions reach developers and speak to
>>>>>     developers in a pretty deep way.
>>>>>
>>>>>     The devil is in the detail - and unlike the general Top Ten,
>>>>>     Troy's
>>>>>     work provides fairly deep prescriptive language-specific
>>>>>     solutions.
>>>>>
>>>>>     There are several bloggers (Melton?) who have pushed out Java
>>>>>     centric
>>>>>     Top Ten literature. The groundwork is out there. I'd love to see a
>>>>>     group managed by Dave's penchant for detail to produce (at least)
>>>>>     official OWASP Java,  .NET and PHP Top Ten documents. I think
>>>>>     this is
>>>>>     a better approach than just providing language specific
>>>>>     examples in
>>>>>     the general doc for the sake of deeply influencing developers.
>>>>>
>>>>>     IMO,
>>>>>     --
>>>>>     Jim Manico
>>>>>     (808) 652-3805
>>>>>
>>>>>     On Oct 7, 2011, at 9:53 AM, Mark Curphey <mark at curphey.com> wrote:
>>>>>
>>>>>     > Troy hunt has already done a series on T10 and .net. He's a
>>>>>     .net security MVP.  I am sure he'll donate. Shall I ask him?
>>>>>     >
>>>>>     > Sent from my iPhone
>>>>>     >
>>>>>     > On Oct 7, 2011, at 7:21 AM, Jim Manico <jim.manico at owasp.org> wrote:
>>>>>     >
>>>>>     >> Yes, you are right on. It's a crucial way to influence
>>>>>     developers more
>>>>>     >> - and influencing developers is the real mission of OWASP
>>>>>     from days of
>>>>>     >> yore. Shall we get started? I'll lend a hand.
>>>>>     >>
>>>>>     >> --
>>>>>     >> Jim Manico
>>>>>     >> (808) 652-3805
>>>>>     >>
>>>>>     >> On Oct 7, 2011, at 9:18 AM, Erwin Geirnaert
>>>>>     >> <erwin.geirnaert at zionsecurity.com> wrote:
>>>>>     >>
>>>>>     >>> Hi list,
>>>>>     >>>
>>>>>     >>> During some discussions this week with Java developers
>>>>>     while giving a security training I got the following remark:
"why are there so many ASP.NET/PHP issues
>>>>>     in the OWASP Top 10, is Java more secure"?
>>>>>     >>>
>>>>>     >>> So what I propose is to create a specific OWASP Top 10 for
>>>>>     different technologies: Microsoft, Java, PHP and we can still
>>>>>     have one global Top 10.
>>>>>     >>> Of course based on the CVE database but it will be more
>>>>>     clear for the developers and I think that the OWASP Top 10 for
>>>>>     Java will be very different than OWASP Top 10 for PHP.
>>>>>     >>>
>>>>>     >>> Best regards,
>>>>>     >>>
>>>>>     >>> Erwin
>>>>>     >>> _______________________________________________
>>>>>     >>> OWASP-Leaders mailing list
>>>>>     >>> OWASP-Leaders at lists.owasp.org
>>>>>     <mailto:OWASP-Leaders at lists.owasp.org>
>>>>>     >>> https://lists.owasp.org/mailman/listinfo/owasp-leaders