WebApp Sec mailing list archives
Re: OWASP Top Ten - My Case For Updating It
From: Ralf Durkee <rd () rd1 net>
Date: Sat, 09 Jul 2005 22:07:28 -0400
Mark Curphey wrote:
I think the OWASP Top Ten needs a serious re-think. Here is my simple case for discussion / consideration.
. . . <snip> . . .
Proposal for improvement: Create a set of T10's that are fit for purpose;
- T10 - Attack Patterns
- T10 - Common Vulnerabilities
- T10 - Root Causes of Insecure Web Applications
- T10 - Things a company should have as part of its software security program
- T10 - Things to look for in a protection system
- T10 - Things to look for in an assessment system
The FUD in the application security marketing is continuing to increase at an alarming rate and measures like this in my humble opinion are urgently needed to recover some credibility and prevent a pandemic.
Cheers, Mark
Wow, well thought out and I think on target. At least I agree with 95% of it, especially the FUD and misuse. Everyone is looking for a list to check off to ensure they are "covered". It has been too much of an obstacle in too many situations for me to convince my clients' management to make the jump from "PCI requires OWASP Top 10" to doing basics like design and code reviews. They are too expensive in the typical management view and there's no accepted standard (such as the OWASP Top 10) or regulation that requires the reviews. Such views lead to decisions such as "we will run a web scanner and we're covered", or "we'll hire an inexperienced pen tester and we're covered".
One question that remains for me is that I'm NOT seeing a significant difference between #1 "T10 Attack patterns" and #2 "T10 Common vulnerabilities"; isn't it just a matter of wording as to whether each of these is an attack pattern or a vulnerability? I'm also curious to see, as we work these out, if "T10 root causes ..." and "T10 things a company should do ..." may have a 1-to-1 mapping.
There is a huge demand for the above, especially I think "T10 Things a company should have ..."; however, one fallback to limiting the list to 10 is that it will become the new "Do this and we are covered" thought process. On the other hand, we need to start somewhere, and certainly the web would be much better off if we could get companies to implement a top 10 things to do.
--
Ralf Durkee, CISSP, GSEC, GCIH
Principal Consultant
http://rd1.net
Current thread:
- OWASP Top Ten - My Case For Updating It Mark Curphey (Jul 09)
- Re: OWASP Top Ten - My Case For Updating It Ralf Durkee (Jul 09)
- Re: OWASP Top Ten - My Case For Updating It Jeff Williams (Jul 09)
- Re: OWASP Top Ten - My Case For Updating It Andrew van der Stock (Jul 09)
- Re: OWASP Top Ten - My Case For Updating It Saqib Ali (Jul 10)
- Re: OWASP Top Ten - My Case For Updating It Pete Herzog (Jul 10)
- RE: OWASP Top Ten - My Case For Updating It Mark Curphey (Jul 10)
- Re: OWASP Top Ten - My Case For Updating It Saqib Ali (Jul 11)
- Re: OWASP Top Ten - My Case For Updating It James E. Powell (Jul 11)
- Re: OWASP Top Ten - My Case For Updating It Frank O'Dwyer (Jul 13)
- <Possible follow-ups>
- Re: OWASP Top Ten - My Case For Updating It Jeff Williams (Jul 11)
- RE: OWASP Top Ten - My Case For Updating It Jeff Robertson (Jul 11)