[Owasp-leaders] [Owasp-topten] OWASP Top 10 Methodology
rd at rd1.net
Sat Mar 16 16:09:01 UTC 2013
I agree that DDOS doesn't belong as an application Top 10, but simple DOS attacks like the slow post attack is something I'm still setting many Web apps and services vulnerable. In fact the majority of them from my limited count. Since the fix is generally made in the Web server software, I think it should be considered for the Top 10. This vulnerability in particular seems to not be getting the awareness that it needs.
-- Ralph Durkee
Dave Wichers <dave.wichers at owasp.org> wrote:
>Years ago, the PCI guys flat out told me that if DOS was added back
>into the Top 10, they'd ignore that requirement.
>That said, I don't think we should let that stand in our way of doing
>what's right for the overall community. If PCI doesn't like it, they
>can say Top 10, less DDOS, or whatever. I'm sure they can figure that
>From: Brian Bertacini [mailto:brian at appsecconsulting.com]
>Sent: Friday, March 15, 2013 7:04 PM
>To: 'Dennis Groves'; 'Dave Wichers'
>Cc: 'Daniel Clemens'; 'OWASP TopTen'; 'OWASP Leaders'
>Subject: RE: [Owasp-leaders] [Owasp-topten] OWASP Top 10 Methodology
>There has been valuable discussion around the OWASP Top 10 Methodology.
>I believe the Top 10 list became popular overnight after being
>referenced in the PCI DSS several years ago. One area of debate for
>this discussion is that organizations will potentially change their
>business processes in order to support the new and improved OWASP Top
>10 (to comply with industry standards). Considering PCI DSS is only
>concerned with one pillar of security (Confidentiality), what impact
>would application DOS have on organizations working to comply with
>industry standards like this? PCI doesn't care about DDOS
>(availability), however, merchants and service providers subject to
>comply with the standard are greatly concerned as it can impact
>revenue, operations, and customer service.
>To this point, I suggest the methodology clearly spell out if it
>addresses all 3 pillars of security or a subset.
>Brian Bertacini, PCI-QSA
>From: owasp-leaders-bounces at lists.owasp.org
>[mailto:owasp-leaders-bounces at lists.owasp.org] On Behalf Of Dennis
>Sent: Friday, March 15, 2013 1:12 PM
>To: Dave Wichers
>Cc: Daniel Clemens; OWASP TopTen; OWASP Leaders
>Subject: Re: [Owasp-leaders] [Owasp-topten] OWASP Top 10 Methodology
>On 15 Mar 2013, at 14:59, Dave Wichers wrote:
>> It's fun that we have disagreement :-)
>> That's why we are trying to back up the position with some publicly
>> available facts.
>> Note: I'm not for or against this, I'm waiting to see if we as a
>> community can come up with a defendable position one way or the
>I actually couldn't agree more Dave, that is why I believe in the
>"OWASP Top 10 Community Edition".
>I also don't have a position - I am just playing the devils advocate to
>ensure a good debate happens. This is *FUN* and essential to a healthy
>community. Think of it as intellectual darwinianism. What is actually
>important is to have community debate the different positions and find
>the data to support their positions. To often in security we read tea
>leaves, it isn't that our gut instinct is wrong - it is that there is a
>difference between what you know and having evidence for what you know.
>> On Mar 14, 2013, at 3:56 PM, Dennis Groves wrote:
>>> I don't see how Application DOS could possibly be in the Top 10.
>> +100; totally agree.
>[Dennis Groves](http://about.me/dennis.groves), MSc [Email
>me](mailto:dennis.groves at owasp.org) or [schedule a
>*This email is licensed under a [CC BY-ND
>**Please do not send me Microsoft Office/Apple iWork documents.** Send
>Stand up for your freedom to install [free
>> The idea that some lives matter less is the root of all that’s wrong
>> with the world. -- Paul Farmer
>OWASP-Leaders mailing list
>OWASP-Leaders at lists.owasp.org
>Owasp-topten mailing list
>Owasp-topten at lists.owasp.org
-------------- next part --------------
An HTML attachment was scrubbed...
More information about the OWASP-Leaders