[Owasp-leaders] OWASP Top 10 2012
psiinon at gmail.com
Tue Oct 11 11:56:20 EDT 2011
I think it's a good thing this discussion was on the leaders list :)
I think we've essentially identified at least one and possibly more high
profile projects that are desperately needed.
I don't know if that would have happened if this was on the top10 list, I
certainly wouldn't have got involved (and I'm not claiming I really
contributed anything apart from strong support ;).
However, the details of these projects can definitely be discussed on the
(relevant, possibly new) lists.
On Tue, Oct 11, 2011 at 4:39 PM, AF <antonio.fontes at gmail.com> wrote:
> Why is this discussion happening on the leaders list and not on the
> don't save the environment -> print more!
> twitter: @starbuck3000
> blog: http://cddb.ch
> Mark Curphey <mark at curphey.com> wrote:
> >AJV for Australian Prime Minister.....
> >Seriously, great idea and would be very powerful as you say in making an
> impact on entire classes of issues and not specific vulnerabilities.
> >I think collapsing things like 3+4 and 7+10 on your list would allow
> people to focus on a topic at a time and get a big bang for buck.
> >Can you spin up a project and list to discuss as this is gold dust ?
> >Sent from my iPhone
> >On Oct 11, 2011, at 4:13 AM, Andrew van der Stock <vanderaj at owasp.org>
> >> One of the things I'd really like for the Top 10 2012 is to stop
> focusing on the things that went wrong in the previous 12 months, and start
> to concentrate on the Top 10 things to get right for the next five years.
> The existing Top 10 regularly gets incorporated without permission into
> various other standards, and it's 100% the wrong way around for that
> purpose. The Top 10 was never designed to be a standard.
> >> To address this, here's my short list (in order):
> >> Security Architecture (including incorporating agile ideas)
> >> Use (more) secure development frameworks and leverage enterprise
> frameworks (UAG, etc)
> >> Input validation
> >> Output Encoding
> >> Identity: Authentication and Session Management
> >> Access Control (service / controller, data, URL, function / CSRF,
> presentation, etc)
> >> Data Protection (Data at rest, including in cloud)
> >> Audit, Logging and Error Handling
> >> Secure Configuration
> >> Secure Communications (Data in transit)
> >> All of the items must be testable. All items must be positively framed
> and eliminate entire CWE classes in their own right.
> >> Thoughts?
> >> thanks,
> >> Andrew
> >> _______________________________________________
> >> OWASP-Leaders mailing list
> >> OWASP-Leaders at lists.owasp.org
> >> https://lists.owasp.org/mailman/listinfo/owasp-leaders