[Owasp-topten] A9 References

Neil Smithline neil.smithline at owasp.org
Sun Feb 17 20:59:59 UTC 2013


I think that A9 doesn't sufficiently explain to an appsec noob how to
secure external components.


   1. I think that a 4th bullet should be added to the How To Prevent box
   that says something like "Follow vendor and 3rd-party lockdown guidance."
   2. I think the first sentence of the How To Prevent box should be
   changed to something more helpful such as: "Minimize the number of
   components you use and enable the minimal amount of features
   in each component."
   3. I also think that the references section should be modified to have
   examples of product-specific security pages. I think they would go under a
   new heading, perhaps "Component Specific Examples". Choosing two or three
   popular components should be sufficient.
   http://httpd.apache.org/docs/2.2/misc/security_tips.html is one
   potential example reference.

Neil
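The kind of component-specific lockdown the message above asks for, shown
as an added example that is not part of the thread or of the OWASP Top Ten
text: an Apache httpd 2.2 configuration with the loose settings on the left
side of each comment and the hardened form from the vendor's security tips
page beside it. The document root (/var/www/html) and the module file paths
are assumptions for illustration.

```apache
# --- Weak: what a freshly unpacked or casually edited httpd.conf often looks like ---
#
# ServerTokens Full            # leaks exact version and module list in headers
# ServerSignature On           # repeats that version string on error pages
# TraceEnable On               # TRACE method answered (default)
# <Directory /var/www/html>
#     Options Indexes FollowSymLinks
#     AllowOverride All        # any .htaccess can re-enable anything
# </Directory>
# LoadModule status_module   modules/mod_status.so    # /server-status exposed
# LoadModule info_module     modules/mod_info.so      # /server-info dumps full config
# LoadModule autoindex_module modules/mod_autoindex.so # directory listings

# --- Hardened: minimal components, minimal features, vendor lockdown guidance ---

# Hide version and module details; attackers map known-vulnerable builds from them.
ServerTokens Prod
ServerSignature Off

# TRACE is not needed by applications and is used in cross-site tracing attacks.
TraceEnable Off

# Deny everything from the filesystem root, then open only what is served.
<Directory />
    Options None
    AllowOverride None
    Order deny,allow
    Deny from all
</Directory>

# The document root: no listings, no symlink following, no .htaccess overrides.
<Directory /var/www/html>
    Options -Indexes -FollowSymLinks -ExecCGI -Includes
    AllowOverride None
    Order allow,deny
    Allow from all
</Directory>

# Never serve .htaccess / .htpasswd files even if one is left in the tree.
<FilesMatch "^\.ht">
    Order allow,deny
    Deny from all
    Satisfy All
</FilesMatch>

# Load only the modules the application actually needs. Everything below is
# commented out rather than deleted so a reviewer can see what was removed.
#LoadModule status_module    modules/mod_status.so
#LoadModule info_module      modules/mod_info.so
#LoadModule autoindex_module modules/mod_autoindex.so
#LoadModule userdir_module   modules/mod_userdir.so
#LoadModule cgi_module       modules/mod_cgi.so
```

After editing, `apachectl -t` checks the syntax and `httpd -M` lists the
modules that are still loaded, which is the quickest way to confirm that the
"minimize components" step actually took effect rather than just the
header-hiding directives.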

