[Owasp-topten] My points on the Top Ten RC1

Steven van der Baan steven.van.der.baan at owasp.org
Sun Feb 17 13:07:09 UTC 2013

Hi All,

first of all I want to say thank you to all for drafting this new top
ten. I can see that a lot of work went into it and I want to thank
everybody involved.

I only have one issue with the newly proposed top ten, and that is with
risk item A9. My company is regularly hired to perform a penetration
test based on PCI requirements. And that's where - I believe - this is
where we're going to make the mistake, cause it is a catch all/nothing
risk. From a pentest point of view, we don't usually see if outdated
components are used, we do see the result of those components. Those are
usually caught by other risks already in the top ten. Outdated framework
components are usually caught by code review, but that's not how I see
the top ten being used.
I believe that - though it is a valid point in security that outdated
components should not be used - this risk doesn't add value to the top ten.

Just expressing my thoughts.

Kind regards,

More information about the Owasp-topten mailing list