[Owasp-topten] A9 - Disputed Risk

Tom Brennan tomb at owasp.org
Fri May 24 00:07:53 UTC 2013


Alcon;

On June 10th there will be a discussion via telephone that everyone is welcome to join, or listen to the recordings at their leisure, on topics of interest:
https://www.owasp.org/index.php/OWASP_Board_Meetings The first topic under new business will be the OWASP Top 10.

On June 13th, the NYC Chapter is hosting the OWASP Top 10 discussion at the local chapter meeting at Morgan Stanley:

http://www.meetup.com/OWASP-NYC/events/116963982/

OWASP will also be standing up a meet-me-now online (if possible at the venue, still working on that) for the global community to provide a live view and discussion.
If you or a delegate can attend in the Big Apple, please do.

In the end, no matter what project is used as an example: https://www.owasp.org/index.php/Projects/OWASP_Mobile_Security_Project_-_Top_Ten_Mobile_Risks
OWASP has fantastic people working virtually and loosely around the world with a common goal defined by the mission, and it's not scathing emails that provide innovation and progress; it's collaboration and light-hearted debate amongst builder, breaker and defender (incident responder) perspectives.
 
<shameless plug> 

Regional AppSec Summits/Conferences/Gatherings are where the magic will happen in 2013, so get ready to recharge your passion for software and OWASP, break bread with colleagues and innovate. Agree to disagree, that is fine too, but don't miss the rally of your colleagues this year.

AppSecEMEA
https://www.owasp.org/index.php/AppSecEU2013
https://appsec.eu/

AppSecUSA 
http://www.appsecusa.org




On May 23, 2013, at 11:32 AM, Neil Smithline <neil.smithline at owasp.org> wrote:

> Christian,
> 
> I strongly agree with you that A9 does not belong in the T10. Besides your concerns, I really, make that "I really really" don't like the fact that avoidance of A9 occurs after shipping. I view the T10 as a developer's, tester's, deployer's sort of thing. A9 relies on IT and ops to be remedied.
> 
> I worked hard in January to rally anti-A9 support. I failed.
> 
> Now, IMO, it is way too late to be considering changing one of the T10. There is just too much work involved in each one, not to mention the review process afterward.
> 
> Something I hadn't thought about until writing this is that there may be tweaks to the wording in A9 that would make it more palatable to those of us who have problems with it. While it is already late for changes, as it is a week or so before going live, some minor tweaks may still be able to be slipped in.
> 
> It is important to keep the relative size of the old and new text in mind. I would imagine that it is too late to make a change that changes the length of any of the T10 sections as the formatting is tedious and time-consuming. Something I'm sure that Dave doesn't have time for.
> 
> Neil
> 
> 
> On Mon, May 20, 2013 at 7:58 PM, Christian Heinrich <christian.heinrich at cmlh.id.au> wrote:
>> Dave,
>> 
>> On Tue, May 21, 2013 at 2:59 AM, Dave Wichers <dave.wichers at owasp.org> wrote:
>> 
>>> Christian,
>>> 
>>> Your analysis, in my opinion, is seriously flawed.
>> 
>> 
>> If the insecure software component vendor is *not* open source, i.e. COTS, their license prohibits reverse engineering to the source code, and therefore its vulnerabilities are unknown to the public since an NDA is required.
>> 
>> I consider that PR spin would be highly effective even when the end user of the web application is also the developer of the web application (i.e. not COTS and/or outsourced the development of the web application), excluding the example when the insecure software component is developed for "security", e.g. OWASP "Enterprise *Security* API (ESAPI)" and the resulting thread related to http://lists.owasp.org/pipermail/owasp-leaders/2010-March/002829.html.
>> 
>> Based on http://lists.owasp.org/pipermail/owasp-leaders/2010-March/002829.html and your belief that "most people would laugh you out of the room if you tried to do so", then A9 should be excluded from the Top Ten; otherwise OWASP would expose itself to "hypocritical" attacks from the wider webappsec community.
>> 
>> 
>> -- 
>> Regards,
>> Christian Heinrich
>> 
>> http://cmlh.id.au/contact
>> 
>> _______________________________________________
>> Owasp-topten mailing list
>> Owasp-topten at lists.owasp.org
>> https://lists.owasp.org/mailman/listinfo/owasp-topten
> 