WebApp Sec mailing list archives

Re: OWASP Top Ten - My Case For Updating It


From: Saqib Ali <docbook.xml () gmail com>
Date: Sat, 9 Jul 2005 23:24:34 -0700

On 7/9/05, Mark Curphey <mark () curphey com> wrote:
> I think the OWASP Top Ten needs a serious re-think.

I agree!!! :)

> Novice companies will use the Top Ten as a testing yardstick. The PCI
> adoption is a dangerous issue that demonstrates this point. When MasterCard
> were hacked the first thing the company did was to say they passed the PCI
> tests. This will be the case with the OWASP Top Ten.

I disagree on this point. I don't think this will ever be the case.
PCI is a standard that Merchants and Service Providers are "required"
to follow. This is not the case with the OWASP Top Ten. OWASP does not
require any website to implement the Top 10, neither can it. Thus the
OWASP Top 10 cannot be used as a scapegoat.

-- 
In Peace,
Saqib Ali
http://www.xml-dev.com/blog/

