[Owasp-leaders] OWASP Top Ten - Security Controls?

Jim Manico jim.manico at owasp.org
Tue Feb 19 12:59:19 UTC 2013

Don't worry man, I'm not trying to lock this down by releasing an
un-editable PDF or something to that effect. I'll get this on the wiki so
we can work on this as a community. If I'm slowing you down, let me know
and I'll move faster or find a way to work with you sooner.


Jim Manico
(808) 652-3805

On Feb 19, 2013, at 9:54 PM, psiinon <psiinon at gmail.com> wrote:


On Tue, Feb 19, 2013 at 12:51 PM, Jim Manico <jim.manico at owasp.org> wrote:

> I agree, I'm almost done with the first version of it. I call it the
> "OWASP Top Ten Proactive Controls" and have a few folks working on it with
> me (and leveraged much of the cheat sheet
> content for it).
> My goal is to release an early version in -wiki form- next month and will
> then seek community feedback and edits.
> Cool?
> --
> Jim Manico
> @Manicode
> (808) 652-3805
> On Feb 19, 2013, at 6:39 PM, psiinon <psiinon at gmail.com> wrote:
> OK, spurious suggestion time...
> How about a new project, the OWASP Top Ten Web Application Security
> Controls?
> How is this different from the Secure Coding Practices Quick Reference
> Guide Project and Secure Coding Cheat Sheet?
> Probably not very - I'd expect a lot of similarities between the content!
> So why do it?
> Well, the OWASP Top Ten Web Application Security Risks is by far the most
> well known and successful OWASP project.
> Can we piggy back on this format to make the defences as visible as the
> existing Top Ten has made the risks?
> I realise we have to be careful not to dilute the impact of the existing
> top ten - a dozen different OWASP Top Ten projects would be
> counterproductive.
> But I think we can justify this one as it's a direct response to the risks.
> If it gets anything like the publicity that the current Top Ten gets then
> it could have a significant impact.
> And it can (should) still refer to all of the other relevant projects,
> like the Developers Guide and the other 2 mentioned above.
> Just think - lots of security companies claim their products protect you
> against the "OWASP Top Ten (Security Risks)" (let's not debate how true that
> actually is in this thread;).
> Imagine if frameworks boasted that they include all the "OWASP Top Ten
> Security Controls", or if customers started asking their suppliers if they
> use them all...
> Thoughts?
> Simon
> --
> OWASP ZAP <https://www.owasp.org/index.php/ZAP> Project leader
> _______________________________________________
> OWASP-Leaders mailing list
> OWASP-Leaders at lists.owasp.org
> https://lists.owasp.org/mailman/listinfo/owasp-leaders

OWASP ZAP <https://www.owasp.org/index.php/ZAP> Project leader