[Owasp-leaders] [Owasp-topten] OWASP Top 10 Methodology
dennis.groves at owasp.org
Sat Mar 16 21:02:12 UTC 2013
On 16 Mar 2013, at 14:27, Dave Wichers wrote:
> Years ago, the PCI guys flat out told me that if DOS was added back
> into the Top 10, they'd ignore that requirement.
Well, it's important to know that since they are a fairly important
> That said, I don't think we should let that stand in our way of doing
> what's right for the overall community. If PCI doesn't like it, they
> can say Top 10, less DDOS, or whatever. I'm sure they can figure that
However, this isn't 2004 anymore. If it belongs, it belongs.
I just happen to believe that it does not belong at this time… I think
it is a communication problem, which is to say that the **control is
best managed at the network layer**.
This is not to say that I don't believe in defence in depth, or that if
you can build controls into an application (AppSensor) that can detect,
respond to or reduce the threat that you shouldn't. Or that ReDoS and other
kinds of resource exhaustion against applications don't exist.
It is that we have bigger problems! Most applications never practice
containment or separation of duty. Applications are the business logic,
identity management, key management, access control and policy
enforcement points! Talk about putting all your eggs into a single
basket. It is no wonder that when hackers identify a flaw they have a
"root." I think this is far more serious an issue than application DoS.
[Dennis Groves](http://about.me/dennis.groves), MSc