[Owasp-leaders] OWASP Top 10 2012

psiinon psiinon at gmail.com
Tue Oct 11 11:56:20 EDT 2011


I think it's a good thing this discussion was on the leaders list :)
I think we've essentially identified at least one and possibly more high
profile projects that are desperately needed.
I don't know if that would have happened if this was on the top10 list; I
certainly wouldn't have got involved (and I'm not claiming I really
contributed anything apart from strong support;).
However, the details of these projects can definitely be discussed on the
(relevant, possibly new) lists.

Cheers,

Simon


On Tue, Oct 11, 2011 at 4:39 PM, AF <antonio.fontes at gmail.com> wrote:

> Why is this discussion happening on the leaders list and not on the
> top10's?
>
> --
> don't save the environment -> print more!
> twitter: @starbuck3000
> blog: http://cddb.ch
>
> Mark Curphey <mark at curphey.com> wrote:
>
> >AJV for Australian Prime Minister.....
> >
> >Seriously, great idea and would be very powerful as you say in making an
> impact on entire classes of issues and not specific vulnerabilities.
> >
> >I think collapsing things like 3+4 and 7+10 on your list would allow
> people to focus on a topic at a time and get a big bang for buck.
> >
> >Can you spin up a project and list to discuss as this is gold dust ?
> >
> >Sent from my iPhone
> >
> >On Oct 11, 2011, at 4:13 AM, Andrew van der Stock <vanderaj at owasp.org>
> wrote:
> >
> >> One of the things I'd really like for the Top 10 2012 is to stop
> focusing on the things that went wrong in the previous 12 months, and start
> to concentrate on the Top 10 things to get right for the next five years.
> The existing Top 10 regularly gets incorporated without permission into
> various other standards, and it's 100% the wrong way around for that
> purpose. The Top 10 was never designed to be a standard.
> >>
> >> To address this, here's my short list (in order):
> >> Security Architecture (including incorporating agile ideas)
> >> Use (more) secure development frameworks and leverage enterprise
> frameworks (UAG, etc.)
> >> Input validation
> >> Output Encoding
> >> Identity: Authentication and Session Management
> >> Access Control (service / controller, data, URL, function / CSRF,
> presentation, etc)
> >> Data Protection (Data at rest, including in cloud)
> >> Audit, Logging and Error Handling
> >> Secure Configuration
> >> Secure Communications (Data in transit)
> >> All of the items must be testable. All items must be positively framed
> and eliminate entire CWE classes in their own right.
> >>
> >> Thoughts?
> >>
> >> thanks,
> >> Andrew
> >> _______________________________________________
> >> OWASP-Leaders mailing list
> >> OWASP-Leaders at lists.owasp.org
> >> https://lists.owasp.org/mailman/listinfo/owasp-leaders