[Owasp-topten] RFI taken out

Mike Boberski mike.boberski at gmail.com
Wed Apr 7 21:57:34 EDT 2010


Perhaps consider using ASVS for your course.

Mike


On Wed, Apr 7, 2010 at 9:53 PM, Christian Heinrich <
christian.heinrich at owasp.org> wrote:

> Ty,
>
> On Wed, Nov 18, 2009 at 8:47 AM, Ty Miller <tyronmiller at gmail.com> wrote:
> > To tell you the truth, I'm not a fan of combining attacks into generic
> > groups for the top 10.
> >
> > Correct me if I am wrong (because it may just be my assumption), but I
> > thought the top 10 was supposed to be to educate people to the current
> > top 10 highest risk attacks so that they can protect against them. When we
> > start making generic groups and jamming everything in together, we start to
> > dissolve the usability of the top 10 since it ends up just covering
> > everything, and most people (outside of pen testers or the like) end up
> > not actually knowing what attacks they actually need to protect against.
>
> The simplest solution is to combine all the entries i.e. exceeding ten
> (10) in total, from each Final Release i.e. 2004, 2007, 2010, etc of
> the OWASP Top Ten.
>
> On Wed, Nov 18, 2009 at 8:47 AM, Ty Miller <tyronmiller at gmail.com> wrote:
> > I run online and face-to-face training courses for web app hacking "based
> > on the OWASP Top 10", because that is the title that people like to see.
> > After the course has finished, the students all leave exhausted from the
> > massive number of attacks and security weaknesses that they have just been
> > taught, rather than being taught the real top 10 vulnerabilities that are
> > going to pose real risks to their organisation. They end up getting lumped
> > with protecting almost every possible attack because their security policy
> > blindly says "Developers must protect against everything in the OWASP Top
> > 10".
>
> Have you considered becoming an OWASP Individual Member or an OWASP
> Organizational Supporter i.e.
> http://www.owasp.org/index.php/Membership to show your support for
> OWASP?
>
>
> --
> Regards,
> Christian Heinrich - http://www.owasp.org/index.php/user:cmlh
> OWASP "Google Hacking" Project Lead - http://sn.im/owasp_google_hacking
> _______________________________________________
> Owasp-topten mailing list
> Owasp-topten at lists.owasp.org
> https://lists.owasp.org/mailman/listinfo/owasp-topten
>