[Owasp-leaders] OWASP Top Ten - Security Controls?

psiinon psiinon at gmail.com
Tue Feb 19 13:02:54 UTC 2013

No, thats good :)
I was throwing this out as a suggestion - (sorry if you mentioned this
before) - I've got way too much to do to lead another project!
I'm happy to wait for you to get the first version onto the wiki and will
then chip in with any suggestions I have.
I'm delighted that the project is well under way!



On Tue, Feb 19, 2013 at 12:59 PM, Jim Manico <jim.manico at owasp.org> wrote:

> Don't worry man, I'm not trying to lock this down by releasing an
> un-editable PDF or something to that effect. I'll get this on the wiki so
> we can work on this as a community. If I'm slowing you down, let me know
> and I'll move faster or find a way to work with you sooner.
> Cool?
> --
> Jim Manico
> @Manicode
> (808) 652-3805
> On Feb 19, 2013, at 9:54 PM, psiinon <psiinon at gmail.com> wrote:
> WFM :D
> On Tue, Feb 19, 2013 at 12:51 PM, Jim Manico <jim.manico at owasp.org> wrote:
>> I agree, I'm almost done with the first version of it. I call it the
>> "OWASP Top Ten Proactive Controls" and have a few folks working on it with
>> me (and leveraged much of the cheat sheet
>> content for it).
>> My goal is to release an early version in -wiki form- next month and will
>> then seek community feedback and edits.
>> Cool?
>> --
>> Jim Manico
>> @Manicode
>> (808) 652-3805
>> On Feb 19, 2013, at 6:39 PM, psiinon <psiinon at gmail.com> wrote:
>> OK, spurious suggestion time...
>> How about a new project, the OWASP Top Ten Web Application Security
>> Controls?
>> How is this different from the Secure Coding Practices Quick Reference
>> Guide Project and Secure Coding Cheat Sheet?
>> Probably not very - I'd expect a lot of similarities between the content!
>> So why do it?
>> Well, the OWASP Top Ten Web Application Security Risks is by far the most
>> well known and successful OWASP project.
>> Can we piggy back on this format to make the defences as visible as the
>> existing Top Ten has made the risks?
>> I realise we have to be careful not to dilute the impact of the existing
>> top ten - a dozen different OWASP Top Ten projects would be counter
>> productive.
>> But I think we can justify this one as its a direct response to the risks.
>> If it gets anything like the publicity that the current Top Ten gets then
>> it could have a significant impact.
>> And it can (should) still refer to all of the other relevant projects,
>> like the Developers Guide and the other 2 mentioned above.
>> Just think - lots of security companies claim their products protect you
>> against the "OWASP Top Ten (Security Risks)" (lets not debate how true that
>> actually is in this thread;).
>> Imagine if frameworks boasted that they include all the "OWASP Top Ten
>> Security Controls", or if customers started asking their suppliers if they
>> use them all...
>> Thoughts?
>> Simon
>> --
>> OWASP ZAP <https://www.owasp.org/index.php/ZAP> Project leader
>> _______________________________________________
>> OWASP-Leaders mailing list
>> OWASP-Leaders at lists.owasp.org
>> https://lists.owasp.org/mailman/listinfo/owasp-leaders
> --
> OWASP ZAP <https://www.owasp.org/index.php/ZAP> Project leader

OWASP ZAP <https://www.owasp.org/index.php/ZAP> Project leader
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.owasp.org/pipermail/owasp-leaders/attachments/20130219/2ebc93b3/attachment.html>

More information about the OWASP-Leaders mailing list