[Owasp-leaders] OWASP Top 10 2012

psiinon psiinon at gmail.com
Tue Oct 11 14:07:03 EDT 2011


I think names are important, as I've indicated on another thread ;)
The "Top 10 Proactive Controls" doesn't 'do' it for me, even though it's an
accurate description.
How about the "Top 10 Defenses", with the 'old' top ten becoming something
like the "Top 10 Vulnerabilities"?
I can see the marketing bumpf now: "We implement ALL of the OWASP Top 10
Defenses!"
We could even have a "top 10 tools" and "top 10 cheatsheets" in the
future...

I'll shut up now ;)

Simon

On Tue, Oct 11, 2011 at 6:45 PM, Chris Schmidt <chris.schmidt at owasp.org> wrote:

>
> I think this is a fantastic idea as well - would you like to Guinea Pig
> your project on the new OWASP Projects Portal? :)
>
> Here is what I have thus far for information:
>
> 1) Project Name: OWASP Top 10 Proactive Controls
> 2) Project Purpose/Overview: Concentrate on the Top 10 things to get right
> for the next five years.
> 3) Project Roadmap:
> 4) Project License: CC-SA
> 5) Project Leader: Andrew van der Stock (vanderaj at owasp.org)
> 6) Project Leader Sourceforge Account:
> 7) Project Contributors/Sourceforge Accounts:
>
> Please complete the above and send it to projects at owasp.org and we will
> get it set up for you stat!
>
> ~Chris
>
>
> On 10/11/2011 8:18 AM, Andrew van der Stock wrote:
> > These are all great ideas, but it's bedtime for me as I have to get up
> > in 5 hours' time.
> >
> > In some ways, this proactive project is a perfect Level 1 ASVS starter
> > criteria, leaving Levels 2-4 to cope with ever more increasing requirements.
> >
> > Although completely imperfect to me (and has been for years), there are
> > many who probably would be very surprised / upset if every original OWASP
> > Top 10 control changed between 2010 and 2012 editions. So probably best to
> > make a new project that doesn't distort the existing 2012 process or
> > resulting document. Hopefully, the new proactive project can get some
> > serious marketing oomph / promotion so as to get some traction outside of
> > traditional OWASP Top 10 consumers.
> >
> > @Anyone on the projects committee - can you please help create a
> >
> > "OWASP Top 10 Proactive Controls"
> >
> > project and mail list? I will fill in any necessary electronic wiki bits
> > and pieces, forms etc - but after I wake up.
> >
> > Although I like the idea of calling it "OWASP Appsec TODO:", the reality
> > is that I want it to encompass the business folks, too, and they may not get
> > the TODO: reference*.
> >
> > I've been looking for a graceful way to bow out of the Global Chapter
> > Committee for a while whilst still remaining involved with OWASP, and I
> > think I've just found it. The GCC meeting times are just too difficult for
> > me to get to now that I don't work from home. This project sounds like a
> > potentially very valuable project in its own right, particularly if we can
> > coordinate with / revitalise the ASVS project.
> >
> > thanks,
> > Andrew
> >
> > * My code often has XXX: comments, but that's not suitable for a project
> > title ;-)
> >
> > On 12/10/2011, at 12:54 AM, Venkatesh Jagannathan wrote:
> >
> >> I am *ALL* for this. Can we get a project started on this? You can count
> >> me in for contributing to this project :)
> >>
> >> Thanks & Regards,
> >> ~Venki
> >>
> >> On Tue, Oct 11, 2011 at 4:43 PM, Andrew van der Stock
> >> <vanderaj at owasp.org> wrote:
> >>
> >> One of the things I'd really like for the Top 10 2012 is to stop
> >> focusing on the things that went wrong in the previous 12 months, and start
> >> to concentrate on the Top 10 things to get right for the next five years.
> >> The existing Top 10 regularly gets incorporated without permission into
> >> various other standards, and it's 100% the wrong way around for that
> >> purpose. The Top 10 was never designed to be a standard.
> >>
> >> To address this, here's my short list (in order):
> >>
> >> Security Architecture (including incorporating agile ideas)
> >> Use (more) secure development frameworks and leverage enterprise
> >> frameworks (UAG, etc)
> >> Input validation
> >> Output Encoding
> >> Identity: Authentication and Session Management
> >> Access Control (service / controller, data, URL, function / CSRF,
> >> presentation, etc)
> >> Data Protection (Data at rest, including in cloud)
> >> Audit, Logging and Error Handling
> >> Secure Configuration
> >> Secure Communications (Data in transit)
> >>
> >> All of the items must be testable. All items must be positively framed
> >> and eliminate entire CWE classes in their own right.
> >>
> >> Thoughts?
> >>
> >> thanks,
> >> Andrew
> >>
> >> _______________________________________________
> >> OWASP-Leaders mailing list
> >> OWASP-Leaders at lists.owasp.org
> >> https://lists.owasp.org/mailman/listinfo/owasp-leaders
> >>
> >>
> >