[Owasp-sydney] The Top 10, Developers, and You.

Norman Yue norman.yue at owasp.org
Sat Jun 29 14:58:45 UTC 2013

Hey all,

I've noticed the list is generally a bit quiet, so I'm going to start
adding content. Feel free to do the same if you come across some
interesting stuff!

Recently, I had the opportunity to lead a small workshop. Usually,
workshops of this sort would go for a day or so, and cover the OWASP Top
10. This time, I tried something different - instead of talking about the
Top 10 and the difference between DOM-based and reflected XSS, I showed
people how awesome it was to put '">lolol; into all their web app fields.
To cut a long story short, it seemed to work (and no-one seemed to want to
jump out of a window by the day's end).

It got me thinking - have we been doing it wrong all this time, by talking
to developers about the OWASP Top 10 (all the training courses/workshops
I've seen, especially run by security consulting firms, follow this
approach), but not equipping developers with the tools/confidence to
actually identify these vulnerabilities in their own web apps?

Does anyone else take this kind of approach when it comes to web app
security training/workshops/etc?
Does anyone have any thoughts on how to make learning about web app
security more engaging, especially from a developer's POV?
What do you guys think is more important from a practical standpoint,
helping people build more secure web apps?

Discussion welcome etc :)


PS. Building a Firefox pentesting plugin that's built around the principle
of quickly and easily identifying low-hanging fruit and presenting the
information in a useful manner, ping me if you have any ideas.
PPS. Surely you guys have some cool projects in the works that you'd
totally like to talk about at the next OWASP meetup, right? *wink wink
nudge nudge*
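As an added illustration of why that probe string is useful to a developer (example code, not from the post or any OWASP project): the renderers below are hypothetical, and the check reports which of the probe's break-out characters come back unencoded, which is what a developer would look for after pasting '">lolol; into a field.

```python
import html
from typing import Callable, List

# The post's probe string: one character for each common break-out
# context (single-quoted attribute, double-quoted attribute, tag close,
# JavaScript statement end) plus an easy-to-spot marker.
PROBE = "'\">lolol;"
MARKER = "lolol"
SPECIALS = ["'", '"', ">"]


# Hypothetical renderers, constructed for this example.
def render_unsafe(name: str) -> str:
    """Vulnerable: user input concatenated straight into the markup."""
    return '<input value="' + name + '"><p>Hello, ' + name + '</p>'


def render_half_fixed(name: str) -> str:
    """Common partial fix: only angle brackets are encoded, so the
    quote characters still break out of the attribute value."""
    enc = name.replace("&", "&amp;").replace("<", "&lt;").replace(">", "&gt;")
    return '<input value="' + enc + '"><p>Hello, ' + enc + '</p>'


def render_safe(name: str) -> str:
    """Hardened: html.escape with quote=True encodes & < > " and '."""
    enc = html.escape(name, quote=True)
    return '<input value="' + enc + '"><p>Hello, ' + enc + '</p>'


def probe_reflected(render: Callable[[str], str], probe: str = PROBE) -> bool:
    """True when the whole probe comes back byte-for-byte, i.e. nothing
    was encoded on the way out."""
    return probe in render(probe)


def surviving_specials(render: Callable[[str], str]) -> List[str]:
    """Render each special character next to the marker and report which
    ones come back unencoded. The marker avoids false positives from the
    template's own quotes and brackets."""
    return [ch for ch in SPECIALS if MARKER + ch in render(MARKER + ch)]


if __name__ == "__main__":
    for label, fn in [("unsafe", render_unsafe),
                      ("half fixed", render_half_fixed),
                      ("safe", render_safe)]:
        print(label, "reflected:", probe_reflected(fn),
              "surviving:", surviving_specials(fn))
```

The half-fixed renderer is the instructive case: encoding only angle brackets looks safe in a page body but still lets the probe's quotes close an attribute.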
