[Owasp-leaders] OWASP Top 10 list

Dirk Wetter dirk.wetter at owasp.org
Wed Oct 12 05:54:11 EDT 2011


Hi Dave,

my question was more why there's spam/malware on the list
and how people can succeed in submitting this.

Best,

Dirk


On 10/11/2011 08:42 PM, Dave Wichers wrote:
> I believe that is actually THE top 10 list, which generally has very low
> traffic except when we are near update time, or after it's been released for
> draft/final.
> 
> -Dave
> 
> -----Original Message-----
> From: owasp-leaders-bounces at lists.owasp.org
> [mailto:owasp-leaders-bounces at lists.owasp.org] On Behalf Of Dirk Wetter
> Sent: Tuesday, October 11, 2011 12:11 PM
> To: owasp-leaders at lists.owasp.org
> Cc: owasp-topten-owner at lists.owasp.org
> Subject: [Owasp-leaders] OWASP Top 10 list
> 
> 
> 
> BTW: Anybody know what's going on with this ([Owasp-topten]) list?
> 
> https://lists.owasp.org/pipermail/owasp-topten/2011-July/thread.html
> https://lists.owasp.org/pipermail/owasp-topten/2011-August/thread.html
> https://lists.owasp.org/pipermail/owasp-topten/2011-September/thread.html
> 
> 
> Cheers,
> 
> Dirk
> 
> 
> On 10/11/2011 05:39 PM, AF wrote:
>> Why is this discussion happening on the leaders list and not on the
>> top10's?
>>
>> --
>> don't save the environment -> print more!
>> twitter: @starbuck3000
>> blog: http://cddb.ch
>>
>> Mark Curphey <mark at curphey.com> wrote:
>>
>>> AJV for Australian Prime Minister.....
>>>
>>> Seriously, great idea and would be very powerful as you say in making an
>>> impact on entire classes of issues and not specific vulnerabilities.
>>>
>>> I think collapsing things like 3+4 and 7+10 on your list would allow
>>> people to focus on a topic at a time and get a big bang for buck.
>>>
>>> Can you spin up a project and list to discuss as this is gold dust ?
>>>
>>> Sent from my iPhone
>>>
>>> On Oct 11, 2011, at 4:13 AM, Andrew van der Stock <vanderaj at owasp.org>
>>> wrote:
>>>
>>>> One of the things I'd really like for the Top 10 2012 is to stop
>>>> focusing on the things that went wrong in the previous 12 months, and start
>>>> to concentrate on the Top 10 things to get right for the next five years.
>>>> The existing Top 10 regularly gets incorporated without permission into
>>>> various other standards, and it's 100% the wrong way around for that
>>>> purpose. The Top 10 was never designed to be a standard.
>>>>
>>>> To address this, here's my short list (in order):
>>>> 1. Security Architecture (including incorporating agile ideas)
>>>> 2. Use (more) secure development frameworks and leverage enterprise
>>>>    frameworks (UAG, etc)
>>>> 3. Input validation
>>>> 4. Output Encoding
>>>> 5. Identity: Authentication and Session Management
>>>> 6. Access Control (service / controller, data, URL, function / CSRF,
>>>>    presentation, etc)
>>>> 7. Data Protection (Data at rest, including in cloud)
>>>> 8. Audit, Logging and Error Handling
>>>> 9. Secure Configuration
>>>> 10. Secure Communications (Data in transit)
>>>>
>>>> All of the items must be testable. All items must be positively framed
>>>> and eliminate entire CWE classes in their own right.
>>>>
>>>> Thoughts?
>>>>
>>>> thanks,
>>>> Andrew
>>>> _______________________________________________
>>>> OWASP-Leaders mailing list
>>>> OWASP-Leaders at lists.owasp.org
>>>> https://lists.owasp.org/mailman/listinfo/owasp-leaders
>>>
> 