[Owasp-leaders] OWASP Top 10 2012
Venkatesh Jagannathan
venki at owasp.org
Tue Oct 11 09:54:51 EDT 2011
I am *ALL* for this. Can we get a project started on this? You can count me
in for contributing to this project :)
Thanks & Regards,
~Venki
On Tue, Oct 11, 2011 at 4:43 PM, Andrew van der Stock <vanderaj at owasp.org> wrote:
> One of the things I'd really like for the Top 10 2012 is to stop focusing
> on the things that went wrong in the previous 12 months, and start to
> concentrate on the Top 10 things to get right for the next five years. The
> existing Top 10 regularly gets incorporated without permission into various
> other standards, and it's 100% the wrong way around for that purpose. The
> Top 10 was never designed to be a standard.
>
> To address this, here's my short list (in order):
>
> 1. Security Architecture (including incorporating agile ideas)
> 2. Use (more) secure development frameworks and leverage enterprise
> frameworks (UAG, etc)
> 3. Input validation
> 4. Output Encoding
> 5. Identity: Authentication and Session Management
> 6. Access Control (service / controller, data, URL, function / CSRF,
> presentation, etc)
> 7. Data Protection (Data at rest, including in cloud)
> 8. Audit, Logging and Error Handling
> 9. Secure Configuration
> 10. Secure Communications (Data in transit)
>
> All of the items must be testable. All items must be positively framed and
> eliminate entire CWE classes in their own right.
>
> Thoughts?
>
> thanks,
> Andrew
>
> _______________________________________________
> OWASP-Leaders mailing list
> OWASP-Leaders at lists.owasp.org
> https://lists.owasp.org/mailman/listinfo/owasp-leaders