[Owasp-leaders] [Owasp-topten] OWASP Top 10 Methodology

Dennis Groves dennis.groves at owasp.org
Sat Mar 16 21:02:12 UTC 2013


On 16 Mar 2013, at 14:27, Dave Wichers wrote:

> Years ago, the PCI guys flat out told me that if DOS was added back 
> into the Top 10, they'd ignore that requirement.

Well, its important to know that since they are a fairly important 
stakeholder.

> That said, I don't think we should let that stand in our way of doing 
> what's right for the overall community. If PCI doesn't like it, they 
> can say Top 10, less DDOS, or whatever. I'm sure they can figure that 
> out.

However, this isn't 2004 anymore. If it belongs it belongs.

I just happen to believe that it does not belong at this time… I think 
it is a communication problem, which is to say that the **control is 
best managed at the network layer**.

This is not to say that I don't believe in defence in depth, or that if 
you can build controls into an application (AppSensor) that can detect, 
respond or reduce the threat that you shouldn't. Or that reDoS and other 
kinds of resource exhaustion against applications doesn't exist.

It is that we have bigger problems! Most applications never practice 
containment or separation of duty. Applications are the business logic, 
identity management, key management, access control and policy 
enforcement points! Talk about putting all your eggs into a single 
basket. It is no wonder that when hackers identify a flaw they have a 
"root." I think this is far more serious an issue than application DoS.

Dennis

-- 
[Dennis Groves](http://about.me/dennis.groves), MSc
[Email me](mailto:dennis.groves at owasp.org) or [schedule a 
meeting](http://goo.gl/8sPIy).

*This email is licensed under a [CC BY-ND 
3.0](http://creativecommons.org/licenses/by-nd/3.0/deed.en_GB) license.*

**Please do not send me Microsoft Office/Apple iWork documents.**
Send [OpenDocument](http://fsf.org/campaigns/opendocument/) instead!
Stand up for your freedom to install [free 
software](http://www.fsf.org/campaigns/secure-boot/statement).

> The idea that some lives matter less is the root of all that’s wrong 
> with the world. -- Paul Farmer


More information about the OWASP-Leaders mailing list