[Owasp-leaders] OWASP Top 10 2012

Dirk Wetter dirk.wetter at owasp.org
Wed Oct 12 05:55:45 EDT 2011


Hi,

+1 for defenses. From the security perspective "controls" is probably
more accurate; we need to sell this somehow to developers.

Moreover it fits well into the scheme attack / prevent / defend.

Cheers, Dirk


On 10/11/2011 08:07 PM, psiinon wrote:
> I think names are important, as I've indicated on another thread ;)
> The "Top 10 Proactive Controls" doesn't 'do' it for me, even though it's
> an accurate description.
> How about the "Top 10 Defenses", with the 'old' top ten becoming
> something like the "Top 10 Vulnerabilities"?
> I can see the marketing bumpf now: "We implement ALL of the OWASP Top 10
> Defenses!"
> We could even have a "top 10 tools" and "top 10 cheatsheets" in the
> future...
> 
> I'll shut up now ;)
> 
> Simon
> 
> On Tue, Oct 11, 2011 at 6:45 PM, Chris Schmidt <chris.schmidt at owasp.org
> <mailto:chris.schmidt at owasp.org>> wrote:
> 
> 
> I think this is a fantastic idea as well - would you like to Guinea
> Pig your project on the new OWASP Projects Portal? :)
>  
> Here is what I have thus far for information:
>  
> 1) Project Name: OWASP Top 10 Proactive Controls
> 2) Project Purpose/Overview: Concentrate on the Top 10 things to get
> right for the next five years.
> 3) Project Roadmap:
> 4) Project License: CC-SA
> 5) Project Leader: Andrew van der Stock (vanderaj at owasp.org
> <mailto:vanderaj at owasp.org>)
> 6) Project Leader Sourceforge Account:
> 7) Project Contributors/Sourceforge Accounts:
>  
> Please complete the above and send it to projects at owasp.org
> <mailto:projects at owasp.org> and we will get it set up for you stat!
>  
> ~Chris
>  
>  
> On 10/11/2011 8:18 AM, Andrew van der Stock wrote:
>> These are all great ideas, but it's bed time for me as I have to
>> get up in 5 hours time.
>>
>> In some ways, this proactive project is a perfect Level 1 ASVS
>> starter criteria, leaving Levels 2-4 to cope with ever more
>> increasing requirements.
>>
>> Although completely imperfect to me (and has been for years), there
>> are many who probably would be very surprised / upset if every
>> original OWASP Top 10 control changed between 2010 and 2012
>> editions. So probably best to make a new project that doesn't
>> distort the existing 2012 process or resulting document. Hopefully,
>> the new proactive project can get some serious marketing oomph /
>> promotion so as to get some traction outside of traditional OWASP
>> Top 10 consumers.
>>
>> @Anyone on the projects committee - can you please help create a
>>
>> "OWASP Top 10 Proactive Controls"
>>
>> project and mail list? I will fill in any necessary electronic wiki
>> bits and pieces, forms etc - but after I wake up.
>>
>> Although I like the idea of calling it "OWASP Appsec TODO:", the
>> reality is that I want it to encompass the business folks, too, and
>> they may not get the TODO: reference*.
>>
>> I've been looking for a graceful way to bow out of the Global
>> Chapter Committee for a while whilst still remaining involved with
>> OWASP, and I think I've just found it. The GCC meeting times are
>> just too difficult for me to get to now that I don't work from home.
>> This project sounds like a potentially very valuable project in its
>> own right, particularly if we can coordinate with / revitalise the
>> ASVS project.
>>
>> thanks,
>> Andrew
>>
>> * My code often has XXX: comments, but that's not suitable for a
>> project title ;-)
>>
>> On 12/10/2011, at 12:54 AM, Venkatesh Jagannathan wrote:
>>
>>> I am *ALL* for this. Can we get a project started on this? You can
>>> count me in for contributing to this project :)
>>>
>>> Thanks & Regards,
>>> ~Venki
>>>
>>> On Tue, Oct 11, 2011 at 4:43 PM, Andrew van der Stock
>>> <vanderaj at owasp.org> <mailto:vanderaj at owasp.org> wrote:
>>>
>>> One of the things I'd really like for the Top 10 2012 is to stop
>>> focusing on the things that went wrong in the previous 12 months,
>>> and start to concentrate on the Top 10 things to get right for the
>>> next five years. The existing Top 10 regularly gets incorporated
>>> without permission into various other standards, and it's 100% the
>>> wrong way around for that purpose. The Top 10 was never designed to
>>> be a standard.
>>>
>>> To address this, here's my short list (in order):
>>>
>>> Security Architecture (including incorporating agile ideas)
>>> Use (more) secure development frameworks and leverage enterprise
>>> frameworks (UAG, etc)
>>> Input validation
>>> Output Encoding
>>> Identity: Authentication and Session Management
>>> Access Control (service / controller, data, URL, function / CSRF,
>>> presentation, etc)
>>> Data Protection (Data at rest, including in cloud)
>>> Audit, Logging and Error Handling
>>> Secure Configuration
>>> Secure Communications (Data in transit)
>>>
>>> All of the items must be testable. All items must be positively
>>> framed and eliminate entire CWE classes in their own right.
>>>
>>> Thoughts?
>>>
>>> thanks,
>>> Andrew
>>>
> 

_______________________________________________
OWASP-Leaders mailing list
OWASP-Leaders at lists.owasp.org <mailto:OWASP-Leaders at lists.owasp.org>
https://lists.owasp.org/mailman/listinfo/owasp-leaders



