[Owasp-leaders] Top 10 Software Security Design Flaws

Jim Manico jim.manico at owasp.org
Wed Aug 27 20:33:56 UTC 2014


This is very well thought out.

Even though this doc talks about "security flaws" it's really written 
in developer-centric control language. This is a good read.

I am especially pleased to see these experts treat access control the 
way they did.

The OWASP Top Ten does not directly talk about access control design, 
but instead splits the topic out into (1) insecure direct object 
reference and (2) missing function based access control, which in my 
mind confuses developers more than anything else.

Talking about Access Control like...

http://cybersecurity.ieee.org/center-for-secure-design/authorize-after-you-authenticate.html

... is much more powerful, I think.

I added this reference to item #4 of the OWASP Proactive Controls, FWIW, 
which is a project closer to the spirit of this doc. 
https://www.owasp.org/index.php/OWASP_Proactive_Controls#tab=OWASP_Top_Ten_Proactive_Controls

Aloha,
Jim




On 8/27/14, 12:52 PM, Tom Brennan wrote:
> Released today from IEEE Avoiding the Top 10 Software Security Design
> Flaws is released under the Creative Commons Attribution-ShareAlike
> 3.0 license
>
> http://cybersecurity.ieee.org/center-for-secure-design/avoiding-the-top-10-security-flaws.html
>
> Enjoy.
>
>

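An added example (not from Jim's post, the IEEE document or the Proactive Controls) of what "authorize after you authenticate" looks like when access control is designed as one decision point rather than as two separate Top Ten items: a deny-by-default authorize() is consulted by every function and answers both whether the caller may invoke the function at all (what the Top Ten called missing function-level access control) and whether the caller may touch that particular object (what it called insecure direct object reference). The Principal and Invoice types, the action strings and the sample data are assumptions constructed for the example.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Principal:  # caller identity as established by authentication (hypothetical)
    user_id: str
    roles: frozenset
    authenticated: bool = True


@dataclass(frozen=True)
class Invoice:  # an owned resource (hypothetical)
    invoice_id: str
    owner_id: str


# Constructed sample data: two invoices owned by two different users.
INVOICES = {"inv-1": Invoice("inv-1", "alice"), "inv-2": Invoice("inv-2", "bob")}
# Actions an ordinary (non-admin) caller may perform, and only on objects they own.
OWNER_ACTIONS = {"invoice.read", "invoice.update"}


def authorize(principal, action, resource=None):
    """Single deny-by-default decision point. One check covers both halves the
    OWASP Top Ten listed separately: may this caller invoke this function at all
    (function-level), and may they touch this particular object (object-level)."""
    # Authorize only after authentication: anonymous callers get nothing.
    if principal is None or not principal.authenticated:
        return False
    if "admin" in principal.roles:
        return True
    # Non-admins: owner actions on their own objects only.
    if action in OWNER_ACTIONS and isinstance(resource, Invoice):
        return resource.owner_id == principal.user_id
    # Everything else (e.g. invoice.delete, which is admin-only) is denied.
    return False


def get_invoice(principal, invoice_id):
    """Read by id; unknown and foreign ids fail identically so ids can't be enumerated."""
    invoice = INVOICES.get(invoice_id)
    if invoice is None or not authorize(principal, "invoice.read", invoice):
        raise PermissionError("not authorized for %s" % invoice_id)
    return invoice


def delete_invoice(principal, invoice_id):
    """Admin-only function; the authorize() call is what makes it so."""
    invoice = INVOICES.get(invoice_id)
    if invoice is None or not authorize(principal, "invoice.delete", invoice):
        raise PermissionError("not authorized for %s" % invoice_id)
    return INVOICES.pop(invoice_id).invoice_id
```

Because every handler routes through the same authorize(), a new function that forgets the role check or a new resource type that forgets the ownership check fails closed rather than open.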