WebApp Sec mailing list archives

Re: OWASP Top Ten - My Case For Updating It

From: Ralf Durkee <rd () rd1 net>
Date: Sat, 09 Jul 2005 22:07:28 -0400


Mark Curphey wrote:

I think the OWASP Top Ten needs a serious re-think. Here is my simple case

for discussion / consideration.

. . . <snip> . . .

Proposal for improvement

Create a set of T10's that are fit for purpose;

T10 - Attack Patterns
T10 - Common Vulnerabilities
T10 - Root Causes of Insecure Web ApplicationsT10 - Things a company should have as part of its software security program
T10 - Things to look for in a protection system
T10 - Things to look for in an assessment system

The FUD in the application security marketing is continuing to increase at
an alarming rate and measures like this in my humble opinion are urgently
needed to recover some credibility and prevent a pandemic.
Cheers,

Mark

Wow, well thought out and I think on target. At least I agree with 95%of it, especially the FUD and misuse. Everyone is looking for a list tocheck off to ensure they are "covered". It has been too much of anobstacle in too many situations for me to convince my clients managementto make the jump from "PCI requires OWASP 10 top" to doing basics likedesign and code reviews. They are too expensive in the typicalmanagement view and there's no accepted standard (such as the OWASP top10) or regulation that requires the reviews. Such views lead todecisions such as "we will run an web scanner and were covered", or"we'll hire an inexperienced pen tester and were covered".

One question remains for me is that I'm NOT seeing a significantdifference between #1 "T10 Attack patterns" and #2 "T10 Commonvulnerabilities", isn't it just a matter of wording as to whether eachof these is an attack pattern or a vulnerability? I'm also curious tosee as we work these out, if "T10 root causes ... " and "T10 things acompany should do... ", may have a 1-to-1 mapping.

There a huge demand for the above, especially I think "T10 Things acompany should have ..." however one fall back to limiting the list to10, is that it will become the new "Do this and we are covered" thoughtprocess, but on the other hand we need to start somewhere, and certainlythe web would be much better off if we could get companies to implementa top 10 things to do.



-- Ralf Durkee, CISSP, GSEC, GCIH
Principal Consultant
http://rd1.net

Current thread:

OWASP Top Ten - My Case For Updating It Mark Curphey (Jul 09)
- Re: OWASP Top Ten - My Case For Updating It Ralf Durkee (Jul 09)
- Re: OWASP Top Ten - My Case For Updating It Jeff Williams (Jul 09)
  - Re: OWASP Top Ten - My Case For Updating It Andrew van der Stock (Jul 09)
- Re: OWASP Top Ten - My Case For Updating It Saqib Ali (Jul 10)
  - Re: OWASP Top Ten - My Case For Updating It Pete Herzog (Jul 10)
  - RE: OWASP Top Ten - My Case For Updating It Mark Curphey (Jul 10)
- Re: OWASP Top Ten - My Case For Updating It Saqib Ali (Jul 11)
- Re: OWASP Top Ten - My Case For Updating It James E. Powell (Jul 11)
- Re: OWASP Top Ten - My Case For Updating It Frank O'Dwyer (Jul 13)
- <Possible follow-ups>
- Re: OWASP Top Ten - My Case For Updating It Jeff Williams (Jul 11)
- RE: OWASP Top Ten - My Case For Updating It Jeff Robertson (Jul 11)

(Thread continues...)