[Owasp-topten] A9 - Disputed Risk
abbas.naderi at owasp.org
Sun May 19 04:58:45 UTC 2013
Good point, as was discussed many times in the past.
On 29 Ordibehesht 1392, at 7:29, Christian Heinrich <christian.heinrich at cmlh.id.au> wrote:
> Jeff and Dave,
> I have just reviewed the application of
> https://www.owasp.org/index.php/Top_10_2013-Risk to
> and concluded that the actual context based on the definition of A9 is
> *not* a "business" risk to the developer, rather to the vendor of the
> insecure software component due to liability of brand damage.
> To put this another way the developer suffers little brand damage as
> their public relations would be focused on shifting the blame to the
> vendor of the insecure software component in order to divert the brand
> damage from their (developer) brand to that of the vendor's (brand).
> This also accounts for when their (vendor) license specifies that the
> vendor (of the insecure software component) is not liable for any
> However, if the developer publishes a faulty patch for the
> vulnerability identified in the insecure software component and pushes
> this upstream to the vendor and then the developer is found to be
> at fault then this is the actual business risk to the developer e.g.
> Based on https://lists.owasp.org/pipermail/owasp-leaders/2010-April/002985.html
> I believe you would concur that this context is the actual "business"
> risk too.
> Christian Heinrich