[Owasp-leaders] OWASP Top 10 2012
chris.schmidt at owasp.org
Tue Oct 11 13:45:49 EDT 2011
I think this is a fantastic idea as well - would you like to Guinea Pig
your project on the new OWASP Projects Portal? :)
Here is what I have thus far for information:
1) Project Name: OWASP Top 10 Proactive Controls
2) Project Purpose/Overview: Concentrate on the Top 10 things to get
right for the next five years.
3) Project Roadmap:
4) Project License: CC-SA
5) Project Leader: Andrew van der Stock (vanderaj at owasp.org)
6) Project Leader Sourceforge Account:
7) Project Contributors/Sourceforge Accounts:
Please complete the above and send it to projects at owasp.org and we will
get it set up for you stat!
On 10/11/2011 8:18 AM, Andrew van der Stock wrote:
> These are all great ideas, but it's bedtime for me as I have to get up
> in 5 hours' time.
> In some ways, this proactive project is a perfect Level 1 ASVS starter
> criteria, leaving Levels 2-4 to cope with ever more increasing
> Although completely imperfect to me (and has been for years), there are
> many who probably would be very surprised / upset if every original
> OWASP Top 10 control changed between 2010 and 2012 editions. So probably
> best to make a new project that doesn't distort the existing 2012
> process or resulting document. Hopefully, the new proactive project can
> get some serious marketing oomph / promotion so as to get some traction
> outside of traditional OWASP Top 10 consumers.
> @Anyone on the projects committee - can you please help create an
> "OWASP Top 10 Proactive Controls"
> project and mail list? I will fill in any necessary electronic wiki
> bits and pieces, forms etc - but after I wake up.
> Although I like the idea of calling it "OWASP Appsec TODO:", the
> reality is that I want it to encompass the business folks, too, and they
> may not get the TODO: reference*.
> I've been looking for a graceful way to bow out of the Global Chapter
> Committee for a while whilst still remaining involved with OWASP, and I
> think I've just found it. The GCC meeting times are just too difficult
> for me to get to now that I don't work from home. This project sounds
> like a potentially very valuable project in its own right, particularly
> if we can coordinate with / revitalise the ASVS project.
> * My code often has XXX: comments, but that's not suitable for a
> project title ;-)
> On 12/10/2011, at 12:54 AM, Venkatesh Jagannathan wrote:
>> I am *ALL* for this. Can we get a project started on this? You can
>> count me in for contributing to this project :)
>> Thanks & Regards,
>> On Tue, Oct 11, 2011 at 4:43 PM, Andrew van der Stock
>> <vanderaj at owasp.org> wrote:
>> One of the things I'd really like for the Top 10 2012 is to stop
>> focusing on the things that went wrong in the previous 12 months, and
>> start to concentrate on the Top 10 things to get right for the next five
>> years. The existing Top 10 regularly gets incorporated without
>> permission into various other standards, and it's 100% the wrong way
>> around for that purpose. The Top 10 was never designed to be a standard.
>> To address this, here's my short list (in order):
>> Security Architecture (including incorporating agile ideas)
>> Use a (more) secure development framework and leverage enterprise
>> frameworks (UAG, etc)
>> Input validation
>> Output Encoding
>> Identity: Authentication and Session Management
>> Access Control (service / controller, data, URL, function / CSRF,
>> Data Protection (Data at rest, including in cloud)
>> Audit, Logging and Error Handling
>> Secure Configuration
>> Secure Communications (Data in transit)
>> All of the items must be testable. All items must be positively framed
>> and eliminate entire CWE classes in their own right.