[Owasp-topten] A9 - Disputed Risk

Neil Smithline neil.smithline at owasp.org
Thu May 23 15:32:56 UTC 2013


I strongly agree with you that A9 does not belong in the T10. Besides your
concerns, I really, make that "I really really" don't like the fact that
avoidance of A9 occurs after shipping. I view the T10 as a developer's,
tester's, deployer's sort of thing. A9 relies on IT and ops to be remedied.

I worked hard in January to rally anti-A9 support. I failed.

Now, IMO, it is way too late to be considering changing one of the T10.
There is just too much work involved in each one, not to mention the review
process afterward.

Something I hadn't thought about until writing this is that there may be
tweaks to the wording in A9 that would make it more palatable to those of
us who have problems with it. While it is already late for changes as it is a
week or so before going live, some minor tweaks may still be able to be
slipped in.

It is important to keep the relative size of the old and new text in mind.
I would imagine that it is too late to make a change that changes the
length of any of the T10 sections as the formatting is tedious and
time-consuming. Something I'm sure that Dave doesn't have time for.


On Mon, May 20, 2013 at 7:58 PM, Christian Heinrich <
christian.heinrich at cmlh.id.au> wrote:

> Dave,
> On Tue, May 21, 2013 at 2:59 AM, Dave Wichers <dave.wichers at owasp.org>
>  wrote:
> Christian,
>> Your analysis, in my opinion, is seriously flawed.
> If the insecure software component vendor is *not* open source i.e. COTS,
> their license prohibits the reverse engineering to the source code and
> therefore its vulnerabilities are unknown to the public since an NDA is
> required.
> I consider that PR spin would be highly effective even when the end user
> of the web application is also developer of the web application (i.e. not
> COTS and/or outsourced the development of the web application)
> excluding the example when insecure software component developed for
> "security" e.g. OWASP "Enterprise *Security* API (ESAPI)" and the
> resulting thread related to
> http://lists.owasp.org/pipermail/owasp-leaders/2010-March/002829.html.
> Based on
> http://lists.owasp.org/pipermail/owasp-leaders/2010-March/002829.html and
> your belief that "most people would laugh you out of the room if you tried
> to do so" then A9 should be excluded from the Top Ten otherwise OWASP
> would expose itself to "hypocritical" attacks from the wider webappsec
> community.
> --
> Regards,
> Christian Heinrich
> http://cmlh.id.au/contact