[Owasp-leaders] [Owasp-topten] OWASP Top 10 Methodology

Dave Wichers dave.wichers at owasp.org
Sat Mar 16 14:27:28 UTC 2013

Years ago, the PCI guys flat out told me that if DOS was added back into the Top 10, they'd ignore that requirement.

That said, I don't think we should let that stand in our way of doing what's right for the overall community. If PCI doesn't like it, they can say Top 10, less DDOS, or whatever. I'm sure they can figure that out.


-----Original Message-----
From: Brian Bertacini [mailto:brian at appsecconsulting.com] 
Sent: Friday, March 15, 2013 7:04 PM
To: 'Dennis Groves'; 'Dave Wichers'
Cc: 'Daniel Clemens'; 'OWASP TopTen'; 'OWASP Leaders'
Subject: RE: [Owasp-leaders] [Owasp-topten] OWASP Top 10 Methodology

There has been valuable discussion around the OWASP Top 10 Methodology.  I believe the Top 10 list became popular overnight after being referenced in the PCI DSS several years ago.  One area of debate for this discussion is that organizations will potentially change their business processes in order to support the new and improved OWASP Top 10 (to comply with industry standards).  Considering PCI DSS is only concerned with one pillar of security (Confidentiality), what impact would application DOS have on organizations working to comply with industry standards like this?  PCI doesn't care about DDOS (availability); however, merchants and service providers required to comply with the standard are greatly concerned, as it can impact revenue, operations, and customer service.

To this point, I suggest the methodology clearly spell out whether it addresses all 3 pillars of security or a subset.

My $.02,
Brian Bertacini, PCI-QSA

-----Original Message-----
From: owasp-leaders-bounces at lists.owasp.org [mailto:owasp-leaders-bounces at lists.owasp.org] On Behalf Of Dennis Groves
Sent: Friday, March 15, 2013 1:12 PM
To: Dave Wichers
Cc: Daniel Clemens; OWASP TopTen; OWASP Leaders
Subject: Re: [Owasp-leaders] [Owasp-topten] OWASP Top 10 Methodology

On 15 Mar 2013, at 14:59, Dave Wichers wrote:

> It's fun that we have disagreement :-)
> That's why we are trying to back up the position with some publicly 
> available facts.
> Note: I'm not for or against this, I'm waiting to see if we as a 
> community can come up with a defendable position one way or the other.

I actually couldn't agree more Dave, that is why I believe in the "OWASP Top 10 Community Edition".

I also don't have a position - I am just playing the devil's advocate to ensure a good debate happens. This is *FUN* and essential to a healthy community. Think of it as intellectual Darwinism. What is actually important is to have the community debate the different positions and find the data to support their positions. Too often in security we read tea leaves; it isn't that our gut instinct is wrong - it is that there is a difference between what you know and having evidence for what you know.


> On Mar 14, 2013, at 3:56 PM, Dennis Groves wrote:
>> I don't see how Application DOS could possibly be in the Top 10.
> +100; totally agree.

[Dennis Groves](http://about.me/dennis.groves), MSc [Email me](mailto:dennis.groves at owasp.org) or [schedule a meeting](http://goo.gl/8sPIy).

*This email is licensed under a [CC BY-ND
3.0](http://creativecommons.org/licenses/by-nd/3.0/deed.en_GB) license.*

**Please do not send me Microsoft Office/Apple iWork documents.** Send [OpenDocument](http://fsf.org/campaigns/opendocument/) instead!
Stand up for your freedom to install [free software](http://www.fsf.org/campaigns/secure-boot/statement).

> The idea that some lives matter less is the root of all that’s wrong 
> with the world. -- Paul Farmer
OWASP-Leaders mailing list
OWASP-Leaders at lists.owasp.org