[Owasp-leaders] OWASP Top 10 2012

psiinon psiinon at gmail.com
Tue Oct 11 07:23:36 EDT 2011


I _really_ like the idea of a Top 10 AppSec TODO list.
This should be separate project to the existing Top 10, but one we should
push just as hard.
We can have a bun fight, sorry, discussion, about what should be on it and
the relative priorities, but I think we should make it happen.
I think this is just aimed at the development community, i.e. architects,
devs, QA.
And, like Andrew proposed, it is the things people should be concentrating on but
currently aren't.
Count me in.

Simon

On Tue, Oct 11, 2011 at 12:13 PM, Andrew van der Stock
<vanderaj at owasp.org> wrote:

> One of the things I'd really like for the Top 10 2012 is to stop focusing
> on the things that went wrong in the previous 12 months, and start to
> concentrate on the Top 10 things to get right for the next five years. The
> existing Top 10 regularly gets incorporated without permission into various
> other standards, and it's 100% the wrong way around for that purpose. The
> Top 10 was never designed to be a standard.
>
> To address this, here's my short list (in order):
>
>    1. Security Architecture (including incorporating agile ideas)
>    2. Use (more) secure development frameworks and leverage enterprise
>    frameworks (UAG, etc)
>    3. Input validation
>    4. Output Encoding
>    5. Identity: Authentication and Session Management
>    6. Access Control (service / controller, data, URL, function / CSRF,
>    presentation, etc)
>    7. Data Protection (Data at rest, including in cloud)
>    8. Audit, Logging and Error Handling
>    9. Secure Configuration
>    10. Secure Communications (Data in transit)
>
> All of the items must be testable. All items must be positively framed and
> eliminate entire CWE classes in their own right.
>
> Thoughts?
>
> thanks,
> Andrew