[Owasp-leaders] OWASP Top 10 2012

Venkatesh Jagannathan venki at owasp.org
Tue Oct 11 09:54:51 EDT 2011


I am *ALL* for this. Can we get a project started on this? You can count me
in for contributing to this project :)

Thanks & Regards,
~Venki

On Tue, Oct 11, 2011 at 4:43 PM, Andrew van der Stock <vanderaj at owasp.org> wrote:

> One of the things I'd really like for the Top 10 2012 is to stop focusing
> on the things that went wrong in the previous 12 months, and start to
> concentrate on the Top 10 things to get right for the next five years. The
> existing Top 10 regularly gets incorporated without permission into various
> other standards, and it's 100% the wrong way around for that purpose. The
> Top 10 was never designed to be a standard.
>
> To address this, here's my short list (in order):
>
>    1. Security Architecture (including incorporating agile ideas)
>    2. Use (more) secure development frameworks and leverage enterprise
>    frameworks (UAG, etc)
>    3. Input validation
>    4. Output Encoding
>    5. Identity: Authentication and Session Management
>    6. Access Control (service / controller, data, URL, function / CSRF,
>    presentation, etc)
>    7. Data Protection (Data at rest, including in cloud)
>    8. Audit, Logging and Error Handling
>    9. Secure Configuration
>    10. Secure Communications (Data in transit)
>
> All of the items must be testable. All items must be positively framed and
> eliminate entire CWE classes in their own right.
>
> Thoughts?
>
> thanks,
> Andrew
>