[Owasp-topten] OWASP Top 10 2010RC

Dave Wichers dave.wichers at aspectsecurity.com
Thu Dec 3 13:09:15 EST 2009


Sounds good to me.

-----Original Message-----
From: Michael Coates <michael.coates at aspectsecurity.com>
Sent: Thursday, December 03, 2009 12:30 PM
To: Dave Wichers <dave.wichers at aspectsecurity.com>; Lorna Alamri <lorna.alamri at owasp.org>; Jim Manico <jim.manico at owasp.org>
Cc: OWASP TopTen <owasp-topten at lists.owasp.org>
Subject: RE: [Owasp-topten] OWASP Top 10 2010RC

Here is the status of the cheat sheets.  I think we could do this and just include the cheat sheets that we have in the resources section.  I took another look at the ppt from DC, those slides can be used almost verbatim. The graphics look good. 

I think the first edition of the OWASP Top 10 2010 book could be released by feb 1 and would include great information and at least the cheat sheets below.  

Any objections? If not, I'll make this happen (and by that I mean the book with the cheat sheets that are currently available).

-Michael


A1 – Injection
http://www.owasp.org/index.php/SQL_Injection_Prevention_Cheat_Sheet

A2 – Cross Site Scripting (XSS) 
http://www.owasp.org/index.php/XSS_(Cross_Site_Scripting)_Prevention_Cheat_Sheet

A3 – Broken Authentication and Session Management 

A4 – Insecure Direct Object References 

A5 – Cross Site Request Forgery (CSRF) 
http://www.owasp.org/index.php/Cross-Site_Request_Forgery_(CSRF)_Prevention_Cheat_Sheet

A6 – Security Misconfiguration (NEW) 

A7 – Failure to Restrict URL Access

A8 – Unvalidated Redirects and Forwards (NEW)

A9 – Insecure Cryptographic Storage

A10 – Insufficient Transport Layer Protection 
http://www.owasp.org/index.php/Transport_Layer_Protection_Cheat_Sheet


-----Original Message-----
From: Dave Wichers 
Sent: Thursday, December 03, 2009 10:45 AM
To: Michael Coates; Dave Wichers; Lorna Alamri; Jim Manico
Cc: OWASP TopTen
Subject: RE: [Owasp-topten] OWASP Top 10 2010RC

It's a great idea if you are willing to volunteer. We only have about half of the cheat sheets currently.

Dave 

-----Original Message-----
From: Michael Coates <michael.coates at aspectsecurity.com>
Sent: Thursday, December 03, 2009 11:02 AM
To: Dave Wichers <dave.wichers at aspectsecurity.com>; Lorna Alamri <lorna.alamri at owasp.org>; Jim Manico <jim.manico at owasp.org>
Cc: OWASP TopTen <owasp-topten at lists.owasp.org>
Subject: RE: [Owasp-topten] OWASP Top 10 2010RC

What about putting together a nice little lulu book for the owasp top 10 official release? We could include the following:

-          OWASP top 10 (of course)

-          Extended descriptions on each item

-          A cheat sheet for each category (do we have all those done?)

-          Top 10 methodology

-          Past top 10 lists for reference

The pdf would, of course, be free on the owasp website and the lulu book would be inexpensive to cover printing. If desired we could bump up the lulu book a few bucks and put the proceeds into a fund for OWASP Top 10 Summit. 

I bet there will be more than a few people interested in spending the small fee to get a printed copy of this item. It really is one of our most viewed items.

I’d be happy to help pull together some of this material. Although, that largely depends on how much of it is done. I can’t go and create multiple cheat sheets :-)

Thoughts?

- Michael Coates

From: owasp-topten-bounces at lists.owasp.org [mailto:owasp-topten-bounces at lists.owasp.org] On Behalf Of Dave Wichers
Sent: Wednesday, December 02, 2009 10:18 PM
To: Lorna Alamri; Jim Manico
Cc: OWASP TopTen
Subject: Re: [Owasp-topten] OWASP Top 10 2010RC

That would be great. Jim also wants me to do an OWASP podcast in a couple weeks on the Top 10 too, so I don’t know if there is any way for these two to leverage each other.

-Dave

From: Lorna Alamri [mailto:lorna.alamri at owasp.org] 
Sent: Wednesday, December 02, 2009 10:58 PM
To: Dave Wichers
Cc: dinis cruz; OWASP TopTen
Subject: Re: [Owasp-topten] OWASP Top 10 2010RC

Okay. Great. How do you feel about my putting together a press release on the project and trying to get the attention of the press about the release? 
Lorna

On Wed, Dec 2, 2009 at 9:56 PM, Dave Wichers <dave.wichers at aspectsecurity.com> wrote:

I provided them an early release of the Top 10 well before it was released at the Conference. I have not received any feedback from them.

-Dave

From: owasp-topten-bounces at lists.owasp.org [mailto:owasp-topten-bounces at lists.owasp.org] On Behalf Of dinis cruz
Sent: Wednesday, December 02, 2009 10:51 PM
To: Lorna Alamri; OWASP TopTen
Subject: Re: [Owasp-topten] OWASP Top 10 2010RC

Dave & others on the owasp-topten mailing list,

Can you help with Lorna questions below?

Thanks

Dinis Cruz

2009/12/3 Lorna Alamri <lorna.alamri at owasp.org>

Dinis,
Has any outreach been done to the PCI Security Standards Council regarding the Top 10 RC?  I was also looking at their site and thinking that I should put together a press release around the OWASP Top 10 2010 RC and send it out to the magazines that they have listed on their in-the-news page, plus some additional candidates.

Which brings me to another thought - I'm going to need an in-the-news kind of page for OWASP on the new site.

https://www.pcisecuritystandards.org/news_events/in_the_news.shtml

thoughts? 


-- 
Lorna Alamri

OWASP MSP Chapter
skype: lorna.alamri