[Owasp-topten] RFI taken out

Dave Ockwell-Jenner doj at primeinfosec.com
Thu Nov 19 13:27:04 EST 2009


On Wed, 2009-11-18 at 10:00 -0700, Andre Gironda wrote:

[snip]

> 
> OWASP T10 is mostly a marketing tool. What SANS/CWE Top 25 and many
> other marketing tools don't show is that the problems aren't meant to
> be solved one-at-a-time. One vulnerability isn't as "prevalent" or
> "severe" as any other, especially because multiple vulnerabilities are
> almost always present in any given large web application.
> 

It might be mostly a marketing tool, but don't forget that it's referenced
in the PCI requirements (effectively co-opting the OWASP Top 10 into
that set of requirements). Those requirements drive huge decisions (and
impact) for businesses.

I recognize that the OWASP Top 10 should be shaped with this as a
constraint, but it's certainly a consideration.

Cheers,
Dave.

