<html>
  <head>
    <meta content="text/html; charset=ISO-8859-1"
      http-equiv="Content-Type">
  </head>
  <body bgcolor="#FFFFFF" text="#000000">
    As a side-note and some food for thought, the following is taken
    directly from the ESAPI Roadmap
    (<a class="moz-txt-link-freetext" href="http://esapi.org/2011/10/esapi-roadmap/">http://esapi.org/2011/10/esapi-roadmap/</a>) that I published last
    night.<br>
    <br>
    ---] SNIP [---<br>
    <br>
    <strong>How-To Video Series</strong> - Similar to the Cheat Sheet
    Series, with more of a tutorial aspect to it. <u>The How-to series
      will focus on the OWASP Top-Ten</u> and will include a full
    walkthrough of mitigating real-world issues (i.e. the kind that a
    developer would see on a PCI Scan Report) using ESAPI. Transcripts
    will be available for these videos as well.<br>
    <br>
    ---] SNIP [---<br>
    <br>
    I have underlined the extremely relevant part of the deliverable.
    Perhaps some cross-pollination between T10 and ESAPI can be done to
    make this happen.<br>
    <br>
    On 10/7/2011 4:26 PM, Tony UcedaVelez wrote:
    <blockquote cite="mid:4666190225731004542@unknownmsgid" type="cite">
      <div style="FONT-SIZE: 11pt; FONT-FAMILY: Calibri,sans-serif">All
        good thoughts, but the choice comments made thus far IMHO are
        around the ecosystem idea around the OWASP Top 10. Building from
        this idea I would like to propose the following: Attack &amp;
        Countermeasure Vignettes for the OWASP Top 10. After all, as
        many have already said and undoubtedly recognize, people
        appreciate the Top 10, but they want greater specifics on
        understanding the steps to realize these attacks against the
        myriad of dev technologies that are out there. They also want to
        obviously understand how to mitigate them in their respective
        dev technologies. These vignettes could be a part of that
        ecosystem that Chris alluded to earlier and further other
        satellite projects that are existent and maturing (training,
        cheat sheets, etc.) as well as those that have just begun (threat
        modeling). Further, the myriad of OWASP tools could also be used
        to apply some of the attack patterns within the various
        vignettes. <br>
        <br>
        MITRE is developing a similar effort, but more focused by
        industry, but the point is that this would build off of the
        OWASP Top 10 while addressing specific countermeasures per dev
        language. <br>
        <br>
        Open for bashing or backslaps or anything in between as
        feedback.<br>
        <br>
        Tony UV<br>
        <br>
        Sent from my x Phone</div>
      <hr>
      <span style="FONT-WEIGHT: bold; FONT-SIZE: 10pt; FONT-FAMILY:
        Tahoma,sans-serif">From: </span><span style="FONT-SIZE: 10pt;
        FONT-FAMILY: Tahoma,sans-serif">Chris Schmidt</span><br>
      <span style="FONT-WEIGHT: bold; FONT-SIZE: 10pt; FONT-FAMILY:
        Tahoma,sans-serif">Sent: </span><span style="FONT-SIZE: 10pt;
        FONT-FAMILY: Tahoma,sans-serif">Friday, October 07, 2011 12:08
        PM</span><br>
      <span style="FONT-WEIGHT: bold; FONT-SIZE: 10pt; FONT-FAMILY:
        Tahoma,sans-serif">To: </span><span style="FONT-SIZE: 10pt;
        FONT-FAMILY: Tahoma,sans-serif"><a moz-do-not-send="true"
          href="mailto:owasp-leaders@lists.owasp.org">owasp-leaders@lists.owasp.org</a></span><br>
      <span style="FONT-WEIGHT: bold; FONT-SIZE: 10pt; FONT-FAMILY:
        Tahoma,sans-serif">Subject: </span><span style="FONT-SIZE:
        10pt; FONT-FAMILY: Tahoma,sans-serif">Re: [Owasp-leaders] OWASP
        Top 10 2012</span><br>
      <br>
      Precisely why I think an ecosystem built around the T10 project
      would be a more lucrative direction. There are around 600
      "notable" programming languages in existence (<a
        moz-do-not-send="true" class="moz-txt-link-freetext"
        href="http://en.wikipedia.org/wiki/List_of_programming_languages">http://en.wikipedia.org/wiki/List_of_programming_languages</a>)
      and you can guarantee that it is only a matter of time before
      someone (as a really bad prank) decides to release the OWASP Top
      10 Common for Brainstab wrapping ASMx86 backed by C++ as a
      back-end component to a Grails-fronted JavaEE web application
      utilizing JNI to reference a C++ wrapper of a Perl business layer.
      <br>
      <br>
      On 10/7/2011 10:02 AM, Mark Curphey wrote:
      <blockquote
        cite="mid:A680BA53-55B9-40DE-A4E6-2171CF63C3A5@curphey.com"
        type="cite">
        <div>Just to throw in fuel: we need to be careful with the terms
          language and framework. The .NET CLR supports 10+ languages
          (C# the big dog, but Ruby, Pascal and all sorts)<br>
          <br>
          Sent from my iPhone</div>
        <div><br>
          On Oct 7, 2011, at 8:54 AM, Wong Onn Chee &lt;<a
            moz-do-not-send="true" href="mailto:ocwong@usa.net">ocwong@usa.net</a>&gt;

          wrote:<br>
          <br>
        </div>
        <blockquote type="cite">
          <div> Hi folks,<br>
            <br>
            Just to join in the fun that all of you are having. :-)<br>
            <br>
            My two cents' worth as follows.<br>
            <br>
            Let's continue to have an OWASP Top 10 which is risk-based,
            as it should be language-agnostic.<br>
            <br>
            However, not all languages are built identically.<br>
            <br>
            As some of you have pointed out, some coding traps are
            easier to fall into in one language while other traps are
            more prevalent in another language.<br>
            <br>
            As such, why not supplement the risk-centric OWASP Top 10
            with language-centric OWASP Top 10 Common for .Net, OWASP
            Top 10 Common for Java, OWASP Top 10 Common for PHP, OWASP
            Top 10 Common for Flex and so on.<br>
            <br>
            Cheers<br>
            Onn Chee<br>
            OWASP Singapore Lead<br>
            <br>
            On 10/07/2011 11:35 PM, Mark Curphey wrote:
            <blockquote
              cite="mid:EAEC30FC-BB46-4DCB-92E5-9EDFE6C0B0E6@curphey.com"
              type="cite">
              <div>The sandwich ordering. I want OWASP Top Ten, on .NET,
                with a C# filling and a bag of AWS to go :-)<br>
                <br>
                Sent from my iPhone</div>
              <div><br>
                On Oct 7, 2011, at 8:24 AM, John Melton &lt;<a
                  moz-do-not-send="true"
                  href="mailto:jtmelton@gmail.com">jtmelton@gmail.com</a>&gt;


                wrote:<br>
                <br>
              </div>
              <blockquote type="cite">
                <div>I agree with several of the opinions expressed
                  here. I tend to think of this in a wizard style
                  approach (there's been talk of this style of
                  organization in other project areas as well, I think
                  Curphey had this in his keynote from AppSecUSA). For
                  instance, I personally am a Java guy, so I'd logically
                  like to have a flow that says Top 10 list -&gt; CSRF
                  (Issue I have) -&gt; choose technology -&gt; Java
                  -&gt; choose framework(s) -&gt; Struts 2 -&gt; now get
                  prescriptive guidance. To me that's the simplest and
                  most logical flow for developers. I have no idea how a
                  flow like that would work within the wiki, btw. Just
                  speaking for Java, I think there's little value in
                  providing solutions unless you give framework-specific
                  (not just language-specific) guidance, since that's
                  where most devs live. <br>
                  <br>
                  Clearly the top 10 has had tremendous impact on the
                  industry - this seems like a very logical place to
                  start given the recent focus of strong developer
                  outreach. The top 10 doc is probably the one item OWASP
                  produces that is in the hands of more developers than
                  anything else (from my experience), so giving them
                  solid solutions seems a good idea.<br>
                  <br>
                  As an aside, my top 10 blog set was really meant to
                  show the power of ESAPI. So while it is Java specific,
                  there are often more framework compliant ways to
                  accomplish the solutions (like token solutions for
                  CSRF in all the frameworks).<br>
                  <br>
                  Thanks,<br>
                  John<br>
                  <br>
                  <div class="gmail_quote">On Fri, Oct 7, 2011 at 11:04
                    AM, Jim Manico <span dir="ltr">&lt;<a
                        moz-do-not-send="true"
                        href="mailto:jim.manico@owasp.org">jim.manico@owasp.org</a>&gt;</span>
                    wrote:<br>
                    <blockquote class="gmail_quote" style="margin:0 0 0
                      .8ex;border-left:1px #ccc solid;padding-left:1ex;">
                      Exactly! First of all, Troy Hunt is a total
                      rockstar. He is mirroring the OWASP Top Ten in a
                      way that is 100% .NET branded for .NET developers
                      with .NET solutions.<br>
                      <br>
                      Even if the actual high-level items are the same
                      as the general Top Ten, the language-branded
                      versions reach developers and speak to developers
                      in a pretty deep way.<br>
                      <br>
                      The devil is in the detail, and unlike the general
                      Top Ten, Troy's work provides fairly deep
                      prescriptive language-specific solutions.<br>
                      <br>
                      There are several bloggers (Melton?) who have
                      pushed out Java-centric Top Ten literature. The
                      groundwork is out there. I'd love to see a group
                      managed by Dave's penchant for detail produce (at
                      least) official OWASP Java, .NET and PHP Top Ten
                      documents. I think this is a better approach than
                      just providing language-specific examples in the
                      general doc for the sake of deeply influencing
                      developers.<br>
                      <br>
                      IMO,<br>
                      <div class="im">--<br>
                        Jim Manico<br>
                        (808) 652-3805<br>
                        <br>
                      </div>
                      <div>
                        <div class="h5">On Oct 7, 2011, at 9:53 AM, Mark
                          Curphey &lt;<a moz-do-not-send="true"
                            href="mailto:mark@curphey.com">mark@curphey.com</a>&gt;


                          wrote:<br>
                          <br>
                          &gt; Troy Hunt has already done a series on
                          T10 and .NET. He's a .NET security MVP. I am
                          sure he'll donate. Shall I ask him?<br>
                          &gt;<br>
                          &gt; Sent from my iPhone<br>
                          &gt;<br>
                          &gt; On Oct 7, 2011, at 7:21 AM, Jim Manico
                          &lt;<a moz-do-not-send="true"
                            href="mailto:jim.manico@owasp.org">jim.manico@owasp.org</a>&gt;


                          wrote:<br>
                          &gt;<br>
                          &gt;&gt; Yes, you are right on. It's a crucial
                          way to influence developers more<br>
                          &gt;&gt; - and influencing developers is the
                          real mission of OWASP from days of<br>
                          &gt;&gt; yore. Shall we get started? I'll lend
                          a hand.<br>
                          &gt;&gt;<br>
                          &gt;&gt; --<br>
                          &gt;&gt; Jim Manico<br>
                          &gt;&gt; (808) 652-3805<br>
                          &gt;&gt;<br>
                          &gt;&gt; On Oct 7, 2011, at 9:18 AM, Erwin
                          Geirnaert<br>
                          &gt;&gt; &lt;<a moz-do-not-send="true"
                            href="mailto:erwin.geirnaert@zionsecurity.com">erwin.geirnaert@zionsecurity.com</a>&gt;


                          wrote:<br>
                          &gt;&gt;<br>
                          &gt;&gt;&gt; Hi list,<br>
                          &gt;&gt;&gt;<br>
                          &gt;&gt;&gt; During some discussions this week
                          with Java developers while giving a security
                          training I got the following remark: "why are
                          there so many ASP.NET/PHP issues in the OWASP
                          Top 10, is Java more secure?"<br>
                          &gt;&gt;&gt;<br>
                          &gt;&gt;&gt; So what I propose is to create a
                          specific OWASP Top 10 for different
                          technologies: Microsoft, Java, PHP and we can
                          still have one global Top 10.<br>
                          &gt;&gt;&gt; Of course based on the CVE
                          database, but it will be more clear for the
                          developers, and I think that the OWASP Top 10
                          for Java will be very different than the OWASP
                          Top 10 for PHP.<br>
                          &gt;&gt;&gt;<br>
                          &gt;&gt;&gt; Best regards,<br>
                          &gt;&gt;&gt;<br>
                          &gt;&gt;&gt; Erwin<br>
                          &gt;&gt;&gt;
                          _______________________________________________<br>
                          &gt;&gt;&gt; OWASP-Leaders mailing list<br>
                          &gt;&gt;&gt; <a moz-do-not-send="true"
                            href="mailto:OWASP-Leaders@lists.owasp.org">OWASP-Leaders@lists.owasp.org</a><br>
                          &gt;&gt;&gt; <a moz-do-not-send="true"
                            href="https://lists.owasp.org/mailman/listinfo/owasp-leaders">https://lists.owasp.org/mailman/listinfo/owasp-leaders</a><br>
                        </div>
                      </div>
                    </blockquote>
                  </div>
                  <br>
                </div>
              </blockquote>
              <br>
            </blockquote>
          </div>
        </blockquote>
        <br>
      </blockquote>
    </blockquote>
  </body>
</html>