[Owasp-leaders] Top 10 Software Security Design Flaws

Michael Coates michael.coates at owasp.org
Wed Aug 27 22:00:48 UTC 2014


Was at the event last night when it was unveiled here in SF. Good group of
people and always good to see more focus on security. I haven't read
through and digested it all yet. But I do like looking at the higher level
of flaws versus implementation bugs.


--
Michael Coates
Chairman, OWASP Board
@_mwc



On Wed, Aug 27, 2014 at 1:33 PM, Jim Manico <jim.manico at owasp.org> wrote:

> This is very well thought out.
>
> Even though this doc talks about "security flaws" it's really written in
> developer-centric control language. This is a good read.
>
> I am especially pleased to see these experts treat access control the way
> they did.
>
> The OWASP Top Ten does not directly talk about access control design, but
> instead splits the topic out into (1) insecure direct object reference and
> (2) missing function based access control, which in my mind confuses
> developers more than anything else.
>
> Talking about Access Control like...
>
> http://cybersecurity.ieee.org/center-for-secure-design/authorize-after-you-authenticate.html
>
> ... is much more powerful, I think.
>
> I added this reference to item #4 of the OWASP Proactive Controls, FWIW,
> which is a project closer to the spirit of this doc.
> https://www.owasp.org/index.php/OWASP_Proactive_Controls#tab=OWASP_Top_Ten_Proactive_Controls
>
> Aloha,
> Jim
>
>
>
>
>
> On 8/27/14, 12:52 PM, Tom Brennan wrote:
>
>> Released today from IEEE: "Avoiding the Top 10 Software Security Design
>> Flaws", released under the Creative Commons Attribution-ShareAlike
>> 3.0 license.
>>
>> http://cybersecurity.ieee.org/center-for-secure-design/avoiding-the-top-10-security-flaws.html
>>
>> Enjoy.
>>
>>
>>