[Owasp-leaders] OWASP Top 10 list

Dave Wichers dave.wichers at owasp.org
Tue Oct 11 14:42:57 EDT 2011


I believe that is actually THE top 10 list, which generally has very low
traffic except when we are near update time, or after it's been released for
draft/final.

-Dave

-----Original Message-----
From: owasp-leaders-bounces at lists.owasp.org
[mailto:owasp-leaders-bounces at lists.owasp.org] On Behalf Of Dirk Wetter
Sent: Tuesday, October 11, 2011 12:11 PM
To: owasp-leaders at lists.owasp.org
Cc: owasp-topten-owner at lists.owasp.org
Subject: [Owasp-leaders] OWASP Top 10 list



BTW: Anybody know what's going on with this ([Owasp-topten]) list?

https://lists.owasp.org/pipermail/owasp-topten/2011-July/thread.html
https://lists.owasp.org/pipermail/owasp-topten/2011-August/thread.html
https://lists.owasp.org/pipermail/owasp-topten/2011-September/thread.html


Cheers,

Dirk


On 10/11/2011 05:39 PM, AF wrote:
> Why is this discussion happening on the leaders list and not on the top10's?
> 
> --
> don't save the environment -> print more!
> twitter: @starbuck3000
> blog: http://cddb.ch
> 
> Mark Curphey <mark at curphey.com> wrote:
> 
>> AJV for Australian Prime Minister.....
>>
>> Seriously, great idea and would be very powerful as you say in making an impact on entire classes of issues and not specific vulnerabilities.
>>
>> I think collapsing things like 3+4 and 7+10 on your list would allow people to focus on a topic at a time and get a big bang for buck.
>>
>> Can you spin up a project and list to discuss as this is gold dust ?
>>
>> Sent from my iPhone
>>
>> On Oct 11, 2011, at 4:13 AM, Andrew van der Stock <vanderaj at owasp.org> wrote:
>>
>>> One of the things I'd really like for the Top 10 2012 is to stop focusing on the things that went wrong in the previous 12 months, and start to concentrate on the Top 10 things to get right for the next five years. The existing Top 10 regularly gets incorporated without permission into various other standards, and it's 100% the wrong way around for that purpose. The Top 10 was never designed to be a standard.
>>>
>>> To address this, here's my short list (in order):
>>> 1. Security Architecture (including incorporating agile ideas)
>>> 2. Use (more) secure development frameworks and leverage enterprise frameworks (UAG, etc.)
>>> 3. Input validation
>>> 4. Output Encoding
>>> 5. Identity: Authentication and Session Management
>>> 6. Access Control (service / controller, data, URL, function / CSRF, presentation, etc.)
>>> 7. Data Protection (data at rest, including in cloud)
>>> 8. Audit, Logging and Error Handling
>>> 9. Secure Configuration
>>> 10. Secure Communications (data in transit)
>>>
>>> All of the items must be testable. All items must be positively framed and eliminate entire CWE classes in their own right.
>>>
>>> Thoughts?
>>>
>>> thanks,
>>> Andrew
>>> _______________________________________________
>>> OWASP-Leaders mailing list
>>> OWASP-Leaders at lists.owasp.org
>>> https://lists.owasp.org/mailman/listinfo/owasp-leaders
