WebApp Sec mailing list archives

RE: OWASP Top Ten - dev process


From: "Evans, Arian" <Arian.Evans () fishnetsecurity com>
Date: Wed, 13 Jul 2005 13:12:19 -0500

Per my previous email, I don't mean to ditch the value
of a Top 10 Issues list but, like the conversation that
was ramping up before OWASP London, add other T10
or T2 etc. docs.

I think we all agree that the T10 is great for visibility;
the question is what it is being used for today.

Today it has become a training guide, an assessment
guide, and a certification checklist for products
and for people's software, which I think is beyond
the scope of the T10. 

This is exactly what has happened with the SANS T20.

</$0.02>

-ae 

-----Original Message-----
From: Michael Silk [mailto:michaelslists () gmail com] 
Sent: Tuesday, July 12, 2005 8:40 PM
To: Evans, Arian
Cc: Mark Curphey; webappsec () securityfocus com
Subject: Re: OWASP Top Ten - dev process

On 7/13/05, Evans, Arian <Arian.Evans () fishnetsecurity com> wrote:
> [...]
>
> A Top-10 retooling that reflects and communicates
> this fact would help the FUD and benefit everyone.
> Less emphasis on XSS and more on how to build reusable
> unit tests/build software. Security tests for unit
> testing are cheap, right? I/O tests only need to be
> built once to work across a wide variety of application
> conditions, based upon data type of course.

But isn't the _whole point_ of a "Top Ten" that it quickly and
easily lists the 'visible' problems [i.e. not the cause]?

I mean, you could make it a Top 2 otherwise:
1) Bad Programming
2) Bad Design

...

It covers everything; easy to interpret and hence fail or 
pass as you like.

imho an OWASP "Top Ten" shouldn't really cover _my_ development
procedures; only the problems exposed by them.

Anyway, maybe I've missed the email where this was being discussed;
heading over to the OWASP archive now :)

-- Michael


Not so with business-logic-specific tests, e.g. "Rob's Report".

-ae

-----Original Message-----
From: Mark Curphey [mailto:mark () curphey com]
Sent: Monday, July 11, 2005 7:11 AM
To: 'Jeff Robertson'; webappsec () securityfocus com
Subject: RE: OWASP Top Ten - My Case For Updating It

Hallelujah brother !

-----Original Message-----
From: Jeff Robertson [mailto:Jeff.Robertson () DigitalInsight com]
Sent: Monday, July 11, 2005 7:58 AM
To: 'Mark Curphey'; webappsec () securityfocus com
Cc: 'Jeff Williams'
Subject: RE: OWASP Top Ten - My Case For Updating It

-----Original Message-----
From: Mark Curphey [mailto:mark () curphey com]


If the problem of web application security is poor software quality,
it is a natural conclusion that the solution is to build better
software. Not once in the top ten does the list address the fact that
the majority of software is built without a design, security
requirements or a repeatable software security development process.

I would go so far as to say that unless a development shop is already
following a process (I don't want to start waterfall vs. RUP vs. XP wars
here) to keep plain old functionality bugs down to a minimum, they have no
hope of producing secure software.

If a software company hasn't even figured out that their developers need to
be doing unit tests, then the idea that they could successfully implement
any sort of security testing is just putting the cart before the horse.

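Added illustration (not from the thread) of the distinction Arian draws between cheap, reusable I/O unit tests keyed on data type and a business-logic test such as "Rob's Report" that has to be written by hand for one feature. The validators, field names, hostile strings and the report-visibility rule below are all constructed assumptions for the example; the thread names none of them.

```python
"""Reusable per-data-type input tests vs. a hand-written business-logic test.

Example code added to the archive page; not part of any message in the thread.
"""
import re
from dataclasses import dataclass

# --- Per-data-type validators (assumed for the example) -------------------

def is_int32(s: str) -> bool:
    """Accept only a plain decimal integer inside the signed 32-bit range."""
    if not re.fullmatch(r"-?\d{1,10}", s):
        return False
    return -2**31 <= int(s) <= 2**31 - 1

EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]{1,64}@[A-Za-z0-9.-]{1,253}\.[A-Za-z]{2,}")

def is_email(s: str) -> bool:
    """Bounded-length, single-line address; fullmatch rejects header injection."""
    return len(s) <= 254 and EMAIL_RE.fullmatch(s) is not None

def is_short_text(s: str, max_len: int = 64) -> bool:
    """Printable ASCII only, bounded length, no HTML/SQL metacharacters."""
    if not (1 <= len(s) <= max_len):
        return False
    return all(32 <= ord(c) < 127 and c not in "<>&\"'" for c in s)

# Field name -> (data type, validator). A new field of an existing type
# gets the whole hostile-input suite below for free.
FIELDS = {
    "age": ("int32", is_int32),
    "email": ("email", is_email),
    "display_name": ("text", is_short_text),
}

# Constructed hostile inputs. The common set must be rejected by every
# type; the typed sets hold cases that are only wrong for that type
# (e.g. "99999999999" is bad as an int32 but perfectly valid short text).
HOSTILE_COMMON = [
    "",                            # empty
    "' OR 1=1 --",                 # SQL injection
    "<script>alert(1)</script>",   # XSS
    "A" * 10_000,                  # length overflow
    "abc\x00def",                  # embedded NUL
]
HOSTILE_BY_TYPE = {
    "int32": ["99999999999", "-2147483649", "1e3", "0x10", " 42"],
    "email": ["alice@example.com\r\nBcc: eve@evil.test", "alice", "@example.com"],
    "text": ["\tAlice", "Alice\x7f"],
}
GOOD_INPUTS = {"age": "42", "email": "alice@example.com", "display_name": "Alice B"}

def run_generic_io_tests(fields=FIELDS, common=HOSTILE_COMMON,
                         by_type=HOSTILE_BY_TYPE, good=GOOD_INPUTS):
    """Return the (field, input) pairs the validators get wrong; [] means pass."""
    failures = []
    for name, (dtype, validate) in fields.items():
        if not validate(good[name]):
            failures.append((name, good[name]))
        for bad in common + by_type.get(dtype, []):
            if validate(bad):
                failures.append((name, bad))
    return failures

# --- Business-logic test: "Rob's Report" (assumed rule for the example) ---

@dataclass(frozen=True)
class Report:
    report_id: int
    owner: str
    restricted: bool   # restricted reports need the finance role

def can_view_report(user: str, roles: frozenset, report: Report) -> bool:
    """Owner always sees it; otherwise restricted needs finance, else viewer."""
    if user == report.owner:
        return True
    if report.restricted:
        return "finance" in roles
    return "viewer" in roles

def run_report_authz_tests():
    """Cases are specific to this report's rules; no type-driven table covers them."""
    robs = Report(17, "rob", restricted=True)
    cases = [
        ("rob", frozenset(), True),
        ("alice", frozenset({"finance"}), True),
        ("alice", frozenset({"viewer"}), False),  # viewer is not enough here
        ("mallory", frozenset(), False),
    ]
    return [(u, r) for u, r, expect in cases if can_view_report(u, r, robs) != expect]

if __name__ == "__main__":
    print("generic I/O failures:", run_generic_io_tests())
    print("report authz failures:", run_report_authz_tests())
```

The generic suite is written once per data type and applied to every field of that type, which is the "built once" property Arian describes; the report test is tied to one feature's rules and has to be rewritten for the next report.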