[Owasp-leaders] [Owasp-topten] OWASP Top 10 Methodology

Neil Smithline neil.smithline at owasp.org
Mon Mar 18 01:48:53 UTC 2013


I understand why PCI doesn't care about DOS. PCI is designed to protect
credit card fraud. That involves confidentiality and integrity but not
availability. From the PCI viewpoint, availability is simply a business
requirement that some of their customers will bother with and others won't.

I do think that the list of organizations that endorse, utilize, or support
the T10 is important. The ultimate T10 is of little use if it has low
readership. IMO, that list of organizations is a big factor in its success.



On Sat, Mar 16, 2013 at 10:27 AM, Dave Wichers <dave.wichers at owasp.org> wrote:

> Years ago, the PCI guys flat out told me that if DOS was added back into
> the Top 10, they'd ignore that requirement.
>
> That said, I don't think we should let that stand in our way of doing
> what's right for the overall community. If PCI doesn't like it, they can
> say Top 10, less DDOS, or whatever. I'm sure they can figure that out.
>
> -Dave
>
> -----Original Message-----
> From: Brian Bertacini [mailto:brian at appsecconsulting.com]
> Sent: Friday, March 15, 2013 7:04 PM
> To: 'Dennis Groves'; 'Dave Wichers'
> Cc: 'Daniel Clemens'; 'OWASP TopTen'; 'OWASP Leaders'
> Subject: RE: [Owasp-leaders] [Owasp-topten] OWASP Top 10 Methodology
>
> There has been valuable discussion around the OWASP Top 10 Methodology.  I
> believe the Top 10 list became popular overnight after being referenced in
> the PCI DSS several years ago.  One area of debate for this discussion is
> that organizations will potentially change their business processes in
> order to support the new and improved OWASP Top 10 (to comply with industry
> standards).  Considering PCI DSS is only concerned with one pillar of
> security (Confidentiality), what impact would application DOS have on
> organizations working to comply with industry standards like this?  PCI
> doesn't care about DDOS (availability), however, merchants and service
> providers subject to comply with the standard are greatly concerned as it
> can impact revenue, operations, and customer service.
>
> To this point, I suggest the methodology clearly spell out if it addresses
> all 3 pillars of security or a subset.
>
> My $.02,
> Brian Bertacini, PCI-QSA
>
> -----Original Message-----
> From: owasp-leaders-bounces at lists.owasp.org [mailto:
> owasp-leaders-bounces at lists.owasp.org] On Behalf Of Dennis Groves
> Sent: Friday, March 15, 2013 1:12 PM
> To: Dave Wichers
> Cc: Daniel Clemens; OWASP TopTen; OWASP Leaders
> Subject: Re: [Owasp-leaders] [Owasp-topten] OWASP Top 10 Methodology
>
> On 15 Mar 2013, at 14:59, Dave Wichers wrote:
>
> > It's fun that we have disagreement :-)
> >
> > That's why we are trying to back up the position with some publicly
> > available facts.
> >
> > Note: I'm not for or against this, I'm waiting to see if we as a
> > community can come up with a defendable position one way or the other.
>
> I actually couldn't agree more Dave, that is why I believe in the "OWASP
> Top 10 Community Edition".
>
> I also don't have a position - I am just playing the devil's advocate to
> ensure a good debate happens. This is *FUN* and essential to a healthy
> community. Think of it as intellectual Darwinianism. What is actually
> important is to have the community debate the different positions and find the
> data to support their positions. Too often in security we read tea leaves;
> it isn't that our gut instinct is wrong - it is that there is a difference
> between what you know and having evidence for what you know.
>
> Dennis
>
> > On Mar 14, 2013, at 3:56 PM, Dennis Groves wrote:
> >
> >> I don't see how Application DOS could possibly be in the Top 10.
> >
> > +100; totally agree.
>
>
>
> --
> [Dennis Groves](http://about.me/dennis.groves), MSc [Email me](mailto:
> dennis.groves at owasp.org) or [schedule a meeting](http://goo.gl/8sPIy).
>
> *This email is licensed under a [CC BY-ND
> 3.0](http://creativecommons.org/licenses/by-nd/3.0/deed.en_GB) license.*
>
> **Please do not send me Microsoft Office/Apple iWork documents.** Send
> [OpenDocument](http://fsf.org/campaigns/opendocument/) instead!
> Stand up for your freedom to install [free software](
> http://www.fsf.org/campaigns/secure-boot/statement).
>
> > The idea that some lives matter less is the root of all that’s wrong
> > with the world. -- Paul Farmer