[Owasp-topten] RFI taken out

Christian Heinrich christian.heinrich at owasp.org
Wed Apr 7 21:53:24 EDT 2010


On Wed, Nov 18, 2009 at 8:47 AM, Ty Miller <tyronmiller at gmail.com> wrote:
> To tell you the truth, I'm not a fan of combining attacks into generic
> groups for the top 10.
> Correct me if I am wrong (because it may just be my assumption), but I
> thought the top 10 was supposed to be to educate people to the current top
> 10 highest risk attacks so that they can protect against them. When we start
> making generic groups and jamming everything in together, we start to
> dissolve the usability of the top 10 since it ends up just covering
> everything, and most people (outside of pen testers or the like) end up not
> actually knowing what attacks they actually need to protect against.

The simplest solution is to combine all the entries, i.e. exceeding ten
(10) in total, from each Final Release, i.e. 2004, 2007, 2010, etc., of
the OWASP Top Ten.

On Wed, Nov 18, 2009 at 8:47 AM, Ty Miller <tyronmiller at gmail.com> wrote:
> I run online and face-to-face training courses for web app hacking "based on
> the OWASP Top 10", because that is the title that people like to see. After
> the course has finished, the students all leave exhausted from the massive
> number of attacks and security weaknesses that they have just been taught,
> rather than being taught the real top 10 vulnerabilities that are going to
> pose real risks to their organisation. They end up getting lumped with
> protecting almost every possible attack because their security policy
> blindly says "Developers must protect against everything in the OWASP Top
> 10".

Have you considered becoming an OWASP Individual Member or an OWASP
Organizational Supporter i.e.
http://www.owasp.org/index.php/Membership to show your support for

Christian Heinrich - http://www.owasp.org/index.php/user:cmlh
OWASP "Google Hacking" Project Lead - http://sn.im/owasp_google_hacking
