[Owasp-topten] [Owasp-leaders] OWASP Top 10 - 2013 Release Candidate Now Available

Dennis Groves dennis.groves at owasp.org
Tue Feb 19 00:48:55 UTC 2013


On 18 Feb 2013, at 21:45, Tobias wrote:

> Hi all,
>
> thanks a lot for the update of the OWASP Top-Ten.
> I have to agree a bit with Dennis, that we should do more ("than
> potentially just repackaging the same thing all the time").

Thanks Tobias!

> And I am still not fully in line with the fact that we remove 2010.A9
> from the list as I believe that this risk is still a significant
> problem. Although we fixed part of it with RFC6797 (HSTS), and key
> pinning, this is far from over! And until all these things have been
> widely implemented (which could still take a while).

Although key pinning and the like are very good ideas, they really 
depend on the Cert Authority model, which requires I fundamentally trust 
people that I cannot and do not trust. What is actually required is 
that everybody have client certificates - an 'internet' driver's license. 
But that I am certain will never happen. So my concern is that 
eventually even key pinning and the like will fail for other 
as yet unknown reasons…



-- 
[Dennis Groves](http://about.me/dennis.groves), MSc
[Email me](mailto:dennis.groves at owasp.org) or [schedule a meeting](http://goo.gl/8sPIy).

*This email is licensed under a [CC BY-ND 3.0](http://creativecommons.org/licenses/by-nd/3.0/deed.en_GB) license.*

**Please do not send me Microsoft Office/Apple iWork documents.**
Send [OpenDocument](http://fsf.org/campaigns/opendocument/) instead!
Stand up for your freedom to install [free software](http://www.fsf.org/campaigns/secure-boot/statement).

> The idea that some lives matter less is the root of all that’s wrong 
> with the world. -- Paul Farmer
