Secure Coding mailing list archives
[WEB SECURITY] RE: I have not seen many people comment
From: robert at webappsec.org (robert at webappsec.org)
Date: Wed, 21 Apr 2010 20:43:13 -0400 (EDT)
Jim,

The WASC Threat Classification v2 is a classification of attacks and weaknesses, not remediations. This is stated in our definition: "The Threat Classification is an effort to classify the weaknesses, and attacks that can lead to the compromise of a website, its data, or its users."

I believe this thread was about constructive conversation on the OWASP Top Ten, and the impact of using it in the real world, not about the WASC TCv2. However, if you have specific suggestions please send them directly to me, or via the instructions within that document; we will listen to and evaluate *all* feedback once we kick off the next update phase.

Regards,
- Robert A.
http://www.webappsec.org/
http://www.cgisecurity.com/
http://www.qasec.com/
My problem with WASC T2 is that it does not discuss remediation. Is this coming soon?

- Jim

Hello Matt,

My only real concern is that the OWASP Top Ten is now based on 'Risks' and has removed information/data disclosure/leakage. Speaking as someone who has worked in a risk management team, I see the leakage of customer/sensitive data as one of the most serious "Risks" that exist for a company, and it is something that is happening more and more. I brought this to the attention of the Top Ten list back in November (see #5) https://lists.owasp.org/pipermail/owasp-topten/2009-November/000487.html and it wasn't really addressed. If the Top Ten was based on attacks and weaknesses (or just vulnerabilities) rather than 'risks' then I could see the argument for removal. Other than that, it is nice to see this document maturing/improving.

Regarding your comment on open redirects, I've seen these many times in the real world and they ARE being used by individuals to phish users. CSRF was used by the Samy worm (not what I'd call a well-organized, motivated attacker as much as a PoC) in combination with XSS, so I'd say it is used by both audiences (the abuse case is really application/functionality specific).

Regards,
- Robert A.
http://www.webappsec.org/
http://www.cgisecurity.com/
http://www.qasec.com/

I have not seen many people comment on the new OWASP Top Ten. What does everyone think? I blogged about it from my perspective. I am interested in hearing about other people's experience with it.

http://parsonsisconsulting.blogspot.com/2010/04/parsons-response-to-owasp-top-10-in.html

Matt Parsons, MSM, CISSP
315-559-3588 Blackberry
817-294-3789 Home office
"Do Good and Fear No Man"
Fort Worth, Texas
A.K.A The Keyboard Cowboy
mailto:mparsons1980 at gmail.com
http://www.parsonsisconsulting.com
http://www.o2-ounceopen.com/o2-power-users/
http://www.linkedin.com/in/parsonsconsulting
http://parsonsisconsulting.blogspot.com/
http://www.vimeo.com/8939668
http://twitter.com/parsonsmatt
_______________________________________________
Secure Coding mailing list (SC-L) SC-L at securecoding.org
List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l
List charter available at - http://www.securecoding.org/list/charter.php
SC-L is hosted and moderated by KRvW Associates, LLC (http://www.KRvW.com) as a free, non-commercial service to the software security community.
Follow KRvW Associates on Twitter at: http://twitter.com/KRvW_Associates
_______________________________________________

--
Jim Manico
OWASP Podcast Host/Producer
OWASP ESAPI Project Manager
http://www.manico.net