[Owasp-topten] A9 References
neil.smithline at owasp.org
Sun Feb 17 20:59:59 UTC 2013
I think that A9 doesn't sufficiently explain to an appsec noob how to
secure external components.
1. I think that a 4th bullet should be added to the How To Prevent box
that says something like "Follow vendor and 3rd-party lockdown guidance."
2. I think the first sentence of the How To Prevent box should be
changed to something more helpful such as: "Minimize the number of
components you use and enable only the minimal number of features
in each component."
3. I also think that the references section should be modified to have
examples of product-specific security pages. I think they would go under a
new heading, perhaps "Component Specific Examples". Choosing two or three
popular components should be sufficient.
http://httpd.apache.org/docs/2.2/misc/security_tips.html is one
potential example reference.