[Owasp-leaders] OWASP Top 10 2012
mark at curphey.com
Tue Oct 11 09:43:16 EDT 2011
AJV for Australian Prime Minister.....
Seriously, great idea and would be very powerful as you say in making an impact on entire classes of issues and not specific vulnerabilities.
I think collapsing things like 3+4 and 7+10 on your list would allow people to focus on a topic at a time and get a big bang for buck.
Can you spin up a project and list to discuss, as this is gold dust?
Sent from my iPhone
On Oct 11, 2011, at 4:13 AM, Andrew van der Stock <vanderaj at owasp.org> wrote:
> One of the things I'd really like for the Top 10 2012 is to stop focusing on the things that went wrong in the previous 12 months, and start to concentrate on the Top 10 things to get right for the next five years. The existing Top 10 regularly gets incorporated without permission into various other standards, and it's 100% the wrong way around for that purpose. The Top 10 was never designed to be a standard.
> To address this, here's my short list (in order):
> Security Architecture (including incorporating agile ideas)
> Use (more) secure development frameworks and leverage enterprise frameworks (UAG, etc)
> Input validation
> Output Encoding
> Identity: Authentication and Session Management
> Access Control (service / controller, data, URL, function / CSRF, presentation, etc)
> Data Protection (Data at rest, including in cloud)
> Audit, Logging and Error Handling
> Secure Configuration
> Secure Communications (Data in transit)
> All of the items must be testable. All items must be positively framed and eliminate entire CWE classes in their own right.