WebApp Sec mailing list archives

Re: OWASP Top Ten - The certification and blame problem


From: "Jeff Williams" <jeff.williams () aspectsecurity com>
Date: Wed, 13 Jul 2005 08:33:31 -0400

The Top Ten is just that -- a list of the most serious vulnerability areas
in web applications.  It isn't a standard (like ISO) that can be certified
against as the categories are loose and there is no standard evaluation
process.  It takes some interpretation to apply the Top Ten to an
application.

But if a company wants to claim Top Ten compliance, that's great.  That
means that we've established application security as a differentiator in the
market.   (Also, they should become OWASP members).  But they would be
foolish to try to blame OWASP for vulnerabilities that aren't in the Top
Ten.  A Top Ten, by its nature, is just the tip of the iceberg.

Also, more practically, what are the odds that they really did address all
of the Top Ten? It is *exceedingly* rare to see an application that doesn't
have problems in multiple Top Ten areas.

--Jeff

----- Original Message ----- From: "Eoin Keary" <eoinkeary () gmail com>
To: "Evans, Arian" <Arian.Evans () fishnetsecurity com>
Cc: "Saqib Ali" <docbook.xml () gmail com>; "Mark Curphey" <mark () curphey com>;
<webappsec () securityfocus com>; "Jeff Williams" <jeff.williams () owasp com>
Sent: Wednesday, July 13, 2005 7:04 AM
Subject: Re: OWASP Top Ten - The certification and blame problem


Hi,
Just being the Devil's advocate,
Is the Top 10 just a guide or a policy?
If it is a guideline, it's to be used as a guide, not a certification or
policy?

How can OWASP certify companies (Like ISO) and ensure they follow App
Sec best practice?
OWASP has no way to tell if a company that claims to be OWASP Top 10
certified is actually adhering to OWASP best practice.

ISO 17799 performs regular compliance checks (and a nice regular
revenue stream). There are certified ISO 17799 Auditors. OWASP Top 10
does not have any of this so saying Top 10 Certified is BS ??

So an enterprise that was attacked with success claiming that they were
"Top 10 certified" is bull as we don't certify, do we? The best one can
say is that they are compliant and at that there is no way of
proving this?

What do you all think?

Eoin


On 12/07/05, Evans, Arian <Arian.Evans () fishnetsecurity com> wrote:
I can say first hand that Mark is right on the Mark
about blame, but worse, how many OWASP "Top 10 Certified"
people will "throw out the baby with the bathwater" once
compromised?

I have numerous clients that want "Certified by my employer"
on the OWASP Top 10. Guess what happens when they are broken.

Blame is very important in a modern society. The American
legal system is living proof.

First they'll blame us. Then we'll show how we covered
all the Top 10. Then they'll blame OWASP.

(keep in mind this is a silly illustrative example and not
reflective of the way my organization tests software or
deals with clients)

-ae

> -----Original Message-----
> From: Saqib Ali [mailto:docbook.xml () gmail com]
> Sent: Sunday, July 10, 2005 1:25 AM
> To: Mark Curphey
> Cc: webappsec () securityfocus com; Jeff Williams
> Subject: Re: OWASP Top Ten - My Case For Updating It
>
> On 7/9/05, Mark Curphey <mark () curphey com> wrote:
> > I think the OWASP Top Ten needs a serious re-think.
> i agree!!! :)
>
> > novice companies will use the Top Ten as a testing yard stick. The PCI
> > adoption is a dangerous issue that demonstrates this point. When MasterCard
> > were hacked the first thing the company did was to say they passed the PCI
> > tests. This will be the case with the OWASP Top Ten.
>
> i disagree on this point. I don't think this will ever be the case.
> PCI is a standard that Merchants and Service Providers are "required"
> to follow. This is not the case of the OWASP Top Ten. OWASP does not
> require any website to implement the Top 10, neither can it.  Thus
> OWASP Top 10 can not be used as a scapegoat.
>
> --
> In Peace,
> Saqib Ali
> http://www.xml-dev.com/blog/
>
>

