[Owasp-topten] RFI taken out
daniel.clemens at packetninjas.net
Wed Apr 7 22:40:49 EDT 2010
On Apr 7, 2010, at 8:53 PM, Christian Heinrich wrote:
>> Correct me if I am wrong (because it may just be my assumption), but I
>> thought the top 10 was supposed to be to educate people to the current top
>> 10 highest risk attacks so that they can protect against them. When we start
>> making generic groups and jamming everything in together, we start to
>> dissolve the usability of the top 10 since it ends up just covering
>> everything, and most people (outside of pen testers or the like) end up not
>> actually knowing what attacks they actually need to protect against.
> The simplest solution is to combine all the entries, i.e. exceeding ten
> (10) in total, from each Final Release (i.e. 2004, 2007, 2010, etc.) of
> the OWASP Top Ten.
I would argue for the following:
* Include all known vulnerability classes into one master document.
* Each top-ten release can be specific to a given time period of perceived risk, based on historical experience within that time frame. (Documented context can always aid in this.)
* Since it is hard to teach developers all of the possible vulnerability classes and/or avenues of attack, I propose a level of abstraction for managers.
This abstraction would follow the lines of the previously discussed vulnerability abstraction, where bugs fall into the following categories:
* Implementation Flaws
* Design Flaws
* Configuration & Infrastructure Flaws
This would allow for an amount of freedom for each audience while maintaining a cohesive vulnerability vocabulary which is consistent with most of the application security world.
| Daniel Uriah Clemens
| Packetninjas L.L.C | | http://www.packetninjas.net
| c. 205.567.6850 | | o. 866.267.8851
"Moments of sorrow are moments of sobriety"