[Owasp-topten] What is Next for decision makers

Ketan Vyas ketan.vyas at tcs.com
Thu Nov 19 01:18:42 EST 2009

Thank you Dave & team for wonderful compilation.

Changing Top 10 perspective from vulnerability to risk gives more 
visibility to business decision makers. Most of the business applications 
have Middleware and backend support systems such as ERP/CRM/BI products. 
We haven't consider exact risk while putting interaction amongst these 
components. Authentication (A3), Default Authorization (A6) and Secure 
communication (A10) are already covered however from risk perspective, I 
could see 2 more opportunities.

Access control at interface layer
Insufficient logging and accountability

Here are some improvement suggestions:

* This is for risk, how can we miss the weakest link - People. We can add 
something for providing end user awareness. 
* We have What Next for developer and verifiers however I couldn't see 
What next for decision makers. Suggest to add a section.


Ketan Vyas
Tata Consultancy Services

"Dave Wichers" <dave.wichers at aspectsecurity.com>
<owasp-topten at lists.owasp.org>
11/14/2009 05:14 AM
[Owasp-topten] OWASP Top 10 - 2010 rc1 Released!!
Sent by:
owasp-topten-bounces at lists.owasp.org

Today, I gave my presentation on the new Top 10 at the OWASP AppSec DC 
Conference and officially released the 2010 release candidate.
I have uploaded both the presentation and the Top 10 itself to the OWASP 
wiki. The presentation is in .pptx format, and the Top 10 is a PDF 
They can both be found at the top of the Top 10 project page: 
Since this is a release candidate, it is up for open comment until the end 
of the year. So, please review and provide me with comments.
And the Top 10 for 2010 (rc1) is ?
?          A1: Injection 
?          A2: Cross Site Scripting (XSS) 
?          A3: Broken Authentication and Session Management 
?          A4: Insecure Direct Object References 
?          A5: Cross Site Request Forgery (CSRF) 
?          A6: Security Misconfiguration 
?          A7: Failure to Restrict URL Access 
?          A8:  Unvalidated Redirects and Forwards 
?          A9: Insecure Cryptographic Storage 
?          A10: Insufficient Transport Layer Protection
Thanks, Dave
Dave Wichers
OWASP Top 10 Lead_______________________________________________
Owasp-topten mailing list
Owasp-topten at lists.owasp.org

Notice: The information contained in this e-mail
message and/or attachments to it may contain 
confidential or privileged information. If you are 
not the intended recipient, any dissemination, use, 
review, distribution, printing or copying of the 
information contained in this e-mail message 
and/or attachments to it are strictly prohibited. If 
you have received this communication in error, 
please notify us by reply e-mail or telephone and 
immediately and permanently delete the message 
and any attachments. Thank you

-------------- next part --------------
An HTML attachment was scrubbed...
URL: https://lists.owasp.org/pipermail/owasp-topten/attachments/20091119/d71b7552/attachment-0001.html 

More information about the Owasp-topten mailing list