[Owasp-leaders] OWASP Top Ten - Security Controls?

psiinon psiinon at gmail.com
Tue Feb 19 09:38:33 UTC 2013


OK, spurious suggestion time...

How about a new project, the OWASP Top Ten Web Application Security
Controls?

How is this different from the Secure Coding Practices Quick Reference
Guide Project and Secure Coding Cheat Sheet?
Probably not very - I'd expect a lot of similarities between the content!

So why do it?
Well, the OWASP Top Ten Web Application Security Risks is by far the most
well known and successful OWASP project.
Can we piggyback on this format to make the defences as visible as the
existing Top Ten has made the risks?
I realise we have to be careful not to dilute the impact of the existing
top ten - a dozen different OWASP Top Ten projects would be
counterproductive.
But I think we can justify this one as it's a direct response to the risks.

If it gets anything like the publicity that the current Top Ten gets then
it could have a significant impact.
And it can (should) still refer to all of the other relevant projects, like
the Developers Guide and the other 2 mentioned above.

Just think - lots of security companies claim their products protect you
against the "OWASP Top Ten (Security Risks)" (let's not debate how true that
actually is in this thread;).
Imagine if frameworks boasted that they include all the "OWASP Top Ten
Security Controls", or if customers started asking their suppliers if they
use them all...

Thoughts?

Simon

-- 
OWASP ZAP <https://www.owasp.org/index.php/ZAP> Project leader