[Owasp-topten] RFI taken out

Daniel Clemens daniel.clemens at packetninjas.net
Wed Apr 7 22:40:49 EDT 2010

In response;

On Apr 7, 2010, at 8:53 PM, Christian Heinrich wrote:

>> Correct me if i am wrong (because it may just be my assumption), but I
>> thought the top 10 was supposed to be to educate people to the current top
>> 10 highest risk attacks so that they can protect against them. When we start
>> making generic groups and jamming everything in together, we start to
>> dissolve the usability of the top 10 since it ends up just covering
>> everything, and most people (outside of pen testers or the like) end up not
>> actually knowing what attacks they actually need to protect against.
> The simplest solution is to combine all the entries i.e. exceeding ten
> (10) in total, from each Final Release i.e. 2004, 2007, 2010, etc of
> the OWASP Top Ten.

I would argue for the following:

* Include all known vulnerability classes into one master document.
* Each top-ten release can be specific to a given time period of perceived risk based on history experience given a time frame. ( Documented Context can always aid in this )
* Since it is hard to teach developers all of the possible vulnerability classes and or avenues of attack I propose a level of abstraction for managers.
This abstraction be following the lines of previously talked about vulnerability abstraction where bugs fall into the following categorization.

* Implementation Flaws
* Design Flaws
* Configuration & Infrastructure Flaws

This would allow for an amount of freedom for each audience while maintaining a cohesive vulnerability vocabulary which is consistent with most of the application security world. 

| Daniel Uriah Clemens
| Packetninjas L.L.C | | http://www.packetninjas.net
| c. 205.567.6850      | | o. 866.267.8851 
"Moments of sorrow are moments of sobriety"

More information about the Owasp-topten mailing list