WebApp Sec mailing list archives
RE: OWASP Top Ten - dev process
From: "Evans, Arian" <Arian.Evans () fishnetsecurity com>
Date: Wed, 13 Jul 2005 13:12:19 -0500
Per previous email, I don't mean to ditch the value of a Top 10 Issues but, like the conversation that was ramping up before OWASP London, add other T10 or T2 or etc. docs. I think we all agree that the T10 is great for visibility; the question is what it is being used for today. Today it has become a training guide, an assessment guide, and a certification checklist for products and for people's software, which I think is beyond the scope of the T10. This is exactly what has happened with the SANS T20. </$0.02>

-ae
-----Original Message-----
From: Michael Silk [mailto:michaelslists () gmail com]
Sent: Tuesday, July 12, 2005 8:40 PM
To: Evans, Arian
Cc: Mark Curphey; webappsec () securityfocus com
Subject: Re: OWASP Top Ten - dev process

On 7/13/05, Evans, Arian <Arian.Evans () fishnetsecurity com> wrote:
> [...] A Top-10 retooling that reflects and communicates this fact would help the FUD and benefit everyone. Less emphasis on XSS and more on how to build reusable unit tests/build software.

Security tests for unit testing are cheap, right; I/O tests only need to be built once to work across a wide variety of application conditions, based upon data type of course.

But isn't the _whole point_ of a "Top Ten" that it quickly and easily lists the 'visible' problems [i.e. not the cause]? I mean, you could make it a Top 2 otherwise: 1) Bad Programming 2) Bad Design ... It covers everything; easy to interpret and hence fail or pass as you like. imho an OWASP "Top Ten" shouldn't really cover _my_ development procedures; only the problems exposed by them.

Anyway, maybe I've missed the email where this was being discussed; heading over to the owasp archive now :)

-- Michael

Not so with business-logic specific tests, e.g. "Rob's Report".

-ae

-----Original Message-----
From: Mark Curphey [mailto:mark () curphey com]
Sent: Monday, July 11, 2005 7:11 AM
To: 'Jeff Robertson'; webappsec () securityfocus com
Subject: RE: OWASP Top Ten - My Case For Updating It

Hallelujah brother !

-----Original Message-----
From: Jeff Robertson [mailto:Jeff.Robertson () DigitalInsight com]
Sent: Monday, July 11, 2005 7:58 AM
To: 'Mark Curphey'; webappsec () securityfocus com
Cc: 'Jeff Williams'
Subject: RE: OWASP Top Ten - My Case For Updating It

-----Original Message-----
From: Mark Curphey [mailto:mark () curphey com]
> If the problem of web application security is poor software quality, it is a natural conclusion that the solution is to build better software. Not once in the top ten does the list address the fact that the majority of software is built without a design, security requirements or a repeatable software security development process.

I would go so far as to say that unless a development shop is already following a process (I don't want to start waterfall vs. RUP vs. XP wars here) to keep plain old functionality bugs down to a minimum, they have no hope of producing secure software. If a software company hasn't even figured out that their developers need to be doing unit tests, then the idea that they could successfully implement any sort of security testing is just putting the cart before the horse.