[Owasp-topten] Feedback on OWASP 2010 Top 10

Dave Wichers dave.wichers at aspectsecurity.com
Tue Nov 17 18:18:31 EST 2009

A core idea of the top 10 is to create visibility into the most
important issues, not to allow it to contain ALL the potential issues
people might need to address. So we have deliberately kept injection
(like SQL and command injection) separate from XSS because both topics
are REALLY important and very prevalent and so need separate visibility.

Two items in the top 10 that are most closely related are A4 and A7
which are both about Access Control, but we have kept them separate in
order to specifically provide more visibility on each aspect, both of
which are very prevalent and introduce significant risks.


p.s. Also, input validation is only one defense against SQL Injection and
XSS and, in my opinion, not the best defense actually. I believe that
output encoding is the best defense currently against XSS and is also a
useful but not the only defense against SQL Injection and command

-----Original Message-----
From: owasp-topten-bounces at lists.owasp.org
[mailto:owasp-topten-bounces at lists.owasp.org] On Behalf Of McGovern,
James F. (eBusiness)
Sent: Tuesday, November 17, 2009 9:35 AM
To: owasp-topten at lists.owasp.org
Subject: [Owasp-topten] Feedback on OWASP 2010 Top 10

My peers were discussing the top ten and wanted to understand why
certain categories couldn't be collapsed into "input validation" for
example SQL Injection such that room could be made for other
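The point Dave makes in his reply above (input validation is one defense, output encoding and, for SQL, keeping data out of the query are the ones that actually hold) is easy to see in code. The following is an added example written for this page; it is not from the mailing list or from OWASP. The allowlist, the sample names and the payload strings are constructed for the demonstration: a name field has to admit the apostrophe in "O'Brien", so character validation alone cannot stop a payload built only from allowed characters, while a parameterized query and context-aware HTML encoding handle both the attack strings and the legitimate apostrophe.

```python
"""Input validation versus output encoding / parameterized queries.
Added example for this page, not code from the OWASP Top 10 or the thread."""
import html
import sqlite3

# Constructed sample inputs (assumptions for this example).
LEGIT_NAME = "O'Brien"                     # valid data that contains a quote
XSS_PAYLOAD = "<script>alert(1)</script>"  # classic stored/reflected XSS probe
SQLI_PAYLOAD = "x' OR 'a' LIKE 'a"         # uses only characters a name field must allow

# Allowlist for a person's name: letters, digits, space, apostrophe, ampersand, dot, hyphen.
NAME_CHARS = set("abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789 '&.-")


def validate_name(value, max_len=64):
    """Input validation. It rejects '<' and '>' because this field happens to be a
    name, but it must accept the apostrophe, so SQL payloads built from
    allowed characters pass straight through."""
    return 0 < len(value) <= max_len and all(c in NAME_CHARS for c in value)


def render_attr_unencoded(name):
    """Vulnerable: raw interpolation into a single-quoted attribute.
    Even the legitimate O'Brien breaks out of the attribute here."""
    return f"<input value='{name}'>"


def render_attr_encoded(name):
    """Defense: HTML-encode for the context. quote=True also encodes ' and "."""
    return f"<input value='{html.escape(name, quote=True)}'>"


def render_body_encoded(name):
    """Defense for element-body context: the script tag becomes inert text."""
    return f"<p>Hello {html.escape(name, quote=True)}</p>"


def make_db():
    """In-memory SQLite table with three constructed users (ids 1, 2, 3)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users(id INTEGER PRIMARY KEY, name TEXT)")
    conn.executemany("INSERT INTO users(name) VALUES (?)",
                     [("alice",), ("bob",), (LEGIT_NAME,)])
    return conn


def lookup_concatenated(conn, name):
    """Vulnerable: the name is spliced into the SQL text.
    Returns the matching ids, or 'error' when the input breaks the statement."""
    try:
        rows = conn.execute(
            "SELECT id FROM users WHERE name = '" + name + "'").fetchall()
    except sqlite3.Error:
        return "error"
    return [r[0] for r in rows]


def lookup_parameterized(conn, name):
    """Defense: bind the value; the driver never treats it as SQL."""
    rows = conn.execute("SELECT id FROM users WHERE name = ?", (name,)).fetchall()
    return [r[0] for r in rows]


def demo():
    """Run every input through both paths; returns a dict for inspection."""
    conn = make_db()
    out = {}
    for label, value in (("legit", LEGIT_NAME), ("xss", XSS_PAYLOAD), ("sqli", SQLI_PAYLOAD)):
        out[label] = {
            "passes_validation": validate_name(value),
            "concatenated_sql": lookup_concatenated(conn, value),
            "parameterized_sql": lookup_parameterized(conn, value),
            "attr_unencoded": render_attr_unencoded(value),
            "attr_encoded": render_attr_encoded(value),
            "body_encoded": render_body_encoded(value),
        }
    return out


if __name__ == "__main__":
    for label, result in demo().items():
        print(label)
        for k, v in result.items():
            print(f"  {k}: {v}")
```

Running it shows the asymmetry: validation stops the `<script>` probe but accepts `x' OR 'a' LIKE 'a`, which the concatenated query turns into a dump of every row while the parameterized query returns nothing; and the legitimate `O'Brien` is the input that breaks the concatenated query and the unencoded attribute, which is why encoding and binding have to be applied regardless of what validation let through.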