[Owasp-topten] RFC: Common numbering proposal # 1

Brad Causey bradcausey at gmail.com
Wed Jan 6 17:09:33 EST 2010


Thinking from the perspective of a purely ignorant person, this is
rather confusing. Problem is, it totally makes sense as to why you did
what you did, to me. So which of those numbers would be final one? And
with that number alone, could I find what I needed in each guide?

*thinking aloud*
Ideally, we have 2 ultimate goals in my mind. (bear with me here)
1. create a central ID number, and provide a mapping to each project.
(maybe a good interim goal)
2. Actually _change_ each OWASP guide to match the TG or some agreed
upon numbering system.

Now, you are probably all asking "why are we chosing to go with the
TG?". Well I wasn't sold either, and I'm still not 100%. But it does
appear to provide detailed numberin for specific vulnerabilities, and
has a pretty good following. (and I'm partial because I currently rely
on it)
Here is the catch! There are going to be holes no matter which
direction we take, for example, the TG has items the ASVS doesn't.
Which is why I'm voting for a super detailed comprehensive "master
list" and match them up for now, item #1. And allow each project to
catch up to the list, ultimately leading to a truly complete #2.

I'm literally thinking out loud here guys, so fire back full force.
*/thinking aloud*


-Brad Causey
CISSP, MCSE, C|EH, CIFI, CGSP

http://www.owasp.org
--
Never underestimate the time, expense, and effort an opponent will
expend to break a code. (Robert Morris)
--



On Wed, Jan 6, 2010 at 1:44 PM, Boberski, Michael [USA]
<boberski_michael at bah.com> wrote:
> Let us work on this using a specific example, SQL Injection:
>
> Here is a proposal for your consideration:
>
> ASVS Ref. Number
> OWASP-V0604
>
> TG Ref. Number
> OWASP-T0604-DV-005
> (compared to currently: OWASP-DV-005)
>
> CRG Ref. Number
> OWASP-C0604-DV-005
>
> Guide Ref. Number
> OWASP-D0604
> (goes into guidance at this level, in the next release)
>
> Where,
>
> OWASP-V0604 == V6.4  Verify that all untrusted data that is output to SQL interpreters use parameterized interfaces, prepared statements, or are escaped properly.
>
> Mike B.
> _______________________________________________
> Owasp-topten mailing list
> Owasp-topten at lists.owasp.org
> https://lists.owasp.org/mailman/listinfo/owasp-topten
>


More information about the Owasp-topten mailing list