[Owasp-topten] A9 - Disputed Risk

Christian Heinrich christian.heinrich at cmlh.id.au
Mon May 20 23:58:30 UTC 2013


On Tue, May 21, 2013 at 2:59 AM, Dave Wichers <dave.wichers at owasp.org> wrote:

> Christian,
> Your analysis, in my opinion, is seriously flawed.

If the insecure software component vendor is *not* open source, i.e. COTS,
their license prohibits reverse engineering to the source code, and
therefore its vulnerabilities are unknown to the public since an NDA is

I consider that PR spin would be highly effective even when the end user of
the web application is also the developer of the web application (i.e. not COTS
and/or outsourced the development of the web application), excluding
the example when an insecure software component is developed for "security", e.g.
OWASP "Enterprise *Security* API (ESAPI)" and the resulting thread related
to http://lists.owasp.org/pipermail/owasp-leaders/2010-March/002829.html.

Based on
http://lists.owasp.org/pipermail/owasp-leaders/2010-March/002829.html and
your belief that "most people would laugh you out of the room if you tried
to do so", then A9 should be excluded from the Top Ten; otherwise OWASP
would expose itself to "hypocritical" attacks from the wider webappsec

Christian Heinrich
