[Owasp-topten] RC Feedback, Question about Purpose

Osama Elnaggar oelnaggar04 at gmail.com
Mon Apr 10 23:59:25 UTC 2017

Hi Tim,

The purpose of the OWASP TOP 10 is to raise awareness of common web
vulnerabilities and to provide organizations with a starting point for
their application security programs.  For each vulnerability, you have a
risk rating, a general idea of how to prevent it, and references from OWASP
for further details.  You also know which ones to start with due to the
risk assessment provided.

The OWASP Top 10 by itself isn't detailed enough to serve as a
professional, detailed standard for developers, which is why, for example,
it does not include a section on logging and which is why provide links to
other OWASP resources.  But it's a great start for organizations new to
application security and you can use it as a basis for building your own
standard for developers.

For something more detailed, you have the "What's Next for Developers"
section on page 18 which points you to the ASVS (
The ASVS is much more detailed and provides extensive controls that need to
be implemented in different areas.  It also includes different requirements
depending on the sensitivity of your application.  Level 1 covers
everything mentioned in the OWASP Top 10 + additional controls.  Level 2
and Level 3 build on Level 1.

Osama Elnaggar

On April 11, 2017 at 8:54:05 AM, Tim Goddard (tim at goddard.nz) wrote:

Hi all,

Just some personal feedback and a question around the OWASP top ten
2017 RC today. Clearly the shift here seems to be away from specific
issues towards broader categories (as the 2010 to 2013 move was also).

My background is as a software developer and am now a pentester, so
I've personally had two major uses for the top ten in the past:

1. As a learning guide and professional standard for developers. For
example, if hiring junior developers I might check they are aware of
the top three, whereas I would expect a senior/principal developer to
be able to give me an example of any of the top ten, and what
practices they would follow to prevent it.

2. As a classification tool for security issues, helping to identify
relevant materials and group issues with similar causes or similar

While the new 2017 list is likely to cover a wider range of issues for
the second purpose by adding more broad categories, I feel that the
new categories are so broad as to disrupt the developer standards
angle. I can't claim to fully understand these categories as a
pentester, let alone expect developers to do so as a core competency.

So the main question this prompts me to ask is: "What is the purpose
of the OWASP top ten?"

Kind regards,

Owasp-topten mailing list
Owasp-topten at lists.owasp.org
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.owasp.org/pipermail/owasp-topten/attachments/20170410/00803a04/attachment.html>

More information about the Owasp-topten mailing list