[Owasp-topten] [E] Forward Looking Survey and Project Scope change?

Axel Bengtsson axel.bengtsson at owasp.org
Fri Aug 4 14:51:39 UTC 2017


Hi,

I agree with previous talkers, but am also surprised that this survey
hasn't been communicated on the OWASP Top 10 mailing list. What are the best
channels to keep updated on the Top 10 project nowadays, the blog and
Twitter?

Best regards,
Axel

On Fri, Aug 4, 2017 at 7:40 AM, Kennedy, Dougal <
dougal.kennedy at jp.verizon.com> wrote:

> I second this opinion that it should include proactive controls in
> addition to only vulnerabilities, as most clients I talk to only have the
> bandwidth to think about the OWASP Top 10. I always thought it was a tool
> to help raise awareness of important issues – I believe knowing about
> things that can be proactively done is just as important as knowing about
> potential vulnerabilities…
>
> Kind regards,
>
> Dougal
>
> *From:* Rory McCune [mailto:rory.mccune at owasp.org]
> *Sent:* Thursday, August 3, 2017 2:09 AM
> *To:* OWASP TopTen
> *Subject:* [E] [Owasp-topten] Forward Looking Survey and Project Scope
> change?
>
> Hi All,
>
> I saw some new items come out from the project on Twitter today, notably
> the call for data and forward looking survey, and there's a couple of items
> that were a bit of a surprise to me.
>
> First up is the fact that it appears that the project is changing scope
> from being the Top 10 risks to being the Top 10 vulnerability categories
> (https://twitter.com/OWASPTop10/status/892836300692312064).
>
> This feels like quite a large change to the scope of the project, so I'm a
> little surprised that I've not seen any discussion of this on this list
> (apologies if I've missed something) or on the GitHub site.
>
> Also, when I read through the "forward looking" survey I was a little
> surprised at some of the inclusions and omissions in the options available.
>
> Some of the inclusions are old security issues that don't feel much like
> forward looking items at all. Mass assignment is 10+ years old now, XXE is
> even older than that, and cryptographic failures ....
>
> Also, if the project is about vulnerability categories and not risks,
> "insufficient monitoring and logging" feels a bit out of place?
>
> In terms of omissions, I noted that any mention of lacking proactive
> controls has been dropped (which was, I felt, the essence of the proposed
> A7). I'm a little surprised that that's been dropped as even being an
> option on the survey given logging and monitoring is still present?
>
> FWIW, I think that the Top 10 would be better to stay as a list of risks
> instead of narrowing its focus to be only vulnerabilities. Whether we
> like it or not, for the vast majority of people outside of dedicated AppSec
> consultants, this is the only OWASP document they'll read, so things that
> aren't in it won't get applied. Leaving proactive controls out entirely
> from consideration for inclusion seems unfortunate in that light.
>
> Cheers
>
> Rory
>
> _______________________________________________
> Owasp-topten mailing list
> Owasp-topten at lists.owasp.org
> https://lists.owasp.org/mailman/listinfo/owasp-topten