[Owasp-topten] RFI taken out

Boberski, Michael [USA] boberski_michael at bah.com
Thu Nov 19 13:32:41 EST 2009

PCI and whatnot should realize that what they really need to do is to reference ASVS, now that ASVS exists.

Mike B.

From: owasp-topten-bounces at lists.owasp.org [mailto:owasp-topten-bounces at lists.owasp.org] On Behalf Of Dave Ockwell-Jenner
Sent: Thursday, November 19, 2009 1:27 PM
To: owasp-topten at lists.owasp.org
Subject: Re: [Owasp-topten] RFI taken out

On Wed, 2009-11-18 at 10:00 -0700, Andre Gironda wrote:


OWASP T10 is mostly a marketing tool. What SANS/CWE Top 25 and many
other marketing tools don't show is that the problems aren't meant to
be solved one-at-a-time. One vulnerability isn't as "prevalent" or
"severe" as any other, especially because multiple vulnerabilities are
almost always present in any given large web application.

It might be mostly a marketing tool, but don't forget that it's referenced in the PCI requirements (effectively co-opting the OWASP Top 10 into that set of requirements). Those requirements drive huge decisions (and impact) for businesses.

I recognize that the OWASP Top 10 should be shaped with this as a constraint, but it's certainly a consideration.
