[Owasp-topten] Top 10 2007

Jeff Williams jeff.williams at aspectsecurity.com
Fri Jul 7 21:25:20 EDT 2006


I'm concerned about the approach of relying on bugtraq for data here. The
distribution of issues there simply doesn't sync up well with problems
plaguing corporate web apps.  I'm afraid this will bias the results far too
heavily towards problems that are found without source code using
penetration testing or scanning.  

Maybe I'm way off here -- let's see what it turns up.

--Jeff
 

> -----Original Message-----
> From: owasp-topten-bounces at lists.sourceforge.net [mailto:owasp-topten-
> bounces at lists.sourceforge.net] On Behalf Of Andrew van der Stock
> Sent: Tuesday, July 04, 2006 6:37 PM
> To: owasp-topten at lists.sourceforge.net
> Subject: Re: [Owasp-topten] Top 10 2007
> 
> Okay, the June 30 deadline has gone. The only folks to pipe up
> agree :-), so I'll work on a straw man Top 10, and start researching
> Bugtraq for the last 12 months. Once I have the initial findings,
> I'll be farming out the work to volunteers to write their pages. If
> you feel you have a page of the Top 10 in you, please let us know :)
> 
> I've been looking around for criticisms and ideas others have had to
> update the Top 10 and see if they are valid or useful. I've found a
> 2005 Mark Curphey post to webappsec, and he had some good ideas. We
> don't have to adopt all of them, but I'd certainly like to get your
> input on if it's something we can do:
> 
> http://seclists.org/lists/webappsec/2005/Jul-Sep/0011.html
> 
> Top 10 Attacks <- This is what we've agreed to so far
> Top 10 vulnerabilities <- Let's leave this to SANS
> Top 10 Root causes of insecure web apps
> Top 10 Things you should have in your IT Security Policy
> Top 10 Things you should look for in a protection system <- Prefer to
> leave to other projects
> Top 10 Things you should look for in an assessment system <- Prefer to
> leave to other projects
> 
> So, I'm suggesting we do:
> 
> Top 10 Attacks
> Top 10 Root causes of insecure web apps
> Top 10 Things you should have in your software security program
> 
> Thoughts?
> 
> Lastly, this will be one of the last postings to Sourceforge - our
> mail lists will be coming on line soon. When it happens, please use
> the new mail infrastructure. You should have received a "Welcome"
> message from the OWASP mail list server for the lists you belong to.
> If you haven't received it for all of them - please hang in there and
> see if it gets fixed, but if by launch date it hasn't happened, we'll
> provide a link or two on how to join the new lists.
> 
> thanks,
> Andrew
