[Owasp-topten] What is Next for decision makers
ketan.vyas at tcs.com
Thu Nov 19 01:18:42 EST 2009
Thank you Dave & team for the wonderful compilation.
Changing the Top 10 perspective from vulnerability to risk gives more
visibility to business decision makers. Most business applications
have middleware and backend support systems such as ERP/CRM/BI products.
We haven't considered the exact risk of the interactions amongst these
components. Authentication (A3), Default Authorization (A6) and Secure
communication (A10) are already covered; however, from a risk perspective, I
could see 2 more opportunities:
* Access control at the interface layer
* Insufficient logging and accountability
Here are some improvement suggestions:
* Since this is about risk, how can we miss the weakest link, people? We can add
something about providing end-user awareness.
* We have "What Next" for developers and verifiers; however, I couldn't see a
"What Next" for decision makers. I suggest adding a section.
Tata Consultancy Services
From: "Dave Wichers" <dave.wichers at aspectsecurity.com>
To: <owasp-topten at lists.owasp.org>
Date: 11/14/2009 05:14 AM
Subject: [Owasp-topten] OWASP Top 10 - 2010 rc1 Released!!
Today, I gave my presentation on the new Top 10 at the OWASP AppSec DC
Conference and officially released the 2010 release candidate.
I have uploaded both the presentation and the Top 10 itself to the OWASP
wiki. The presentation is in .pptx format, and the Top 10 is a PDF.
They can both be found at the top of the Top 10 project page:
Since this is a release candidate, it is up for open comment until the end
of the year. So, please review and provide me with comments.
And the Top 10 for 2010 (rc1) is ...
* A1: Injection
* A2: Cross Site Scripting (XSS)
* A3: Broken Authentication and Session Management
* A4: Insecure Direct Object References
* A5: Cross Site Request Forgery (CSRF)
* A6: Security Misconfiguration
* A7: Failure to Restrict URL Access
* A8: Unvalidated Redirects and Forwards
* A9: Insecure Cryptographic Storage
* A10: Insufficient Transport Layer Protection
OWASP Top 10 Lead