WebApp Sec mailing list archives
RE: OWASP Top Ten - dev process
From: "Evans, Arian" <Arian.Evans () fishnetsecurity com>
Date: Wed, 13 Jul 2005 13:04:12 -0500
> Admitting that I helped get this line of thinking rolling, is the top ten really the place to tell people how to "build software" (especially enterprise class)? There are entire bookshelves at Barnes and Noble about that.
Yes, you are right. Definitely not telling folks how to build software. Lots of folks, though, are looking for help in understanding how to add security to software building and for folks like us to share pragmatic wisdom. Every time I give an example of why most account self-service portals are bad to developers or the business, they go "oh, yeah, duh", but the obvious issues aren't top-10 and aren't written down anywhere that I know of.

By retooling I meant something along Curphey's lines of creating some new documents that cover these other areas.

"OWASP T10 Threats of Insecure Software"
[...]
"OWASP T10 Knowledge Nuggets to Building Secure Software"
T1 -- how to use .NET regex validators or Java regex whatevers
T2 -- how not to use cookies
T3 -- how not to build dynamic queries

Something like that. Joel on Software style would be useful from my perspective; casual language, essay-style. Of course there are starting to be some good books out there like Sverre's "Innocent Code", but I was thinking of material with more platform-specific code examples.

Anyway, I'll leave that for the T10 mailing list.

-ae
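The three "knowledge nuggets" Arian sketches (regex validation, cookie handling, dynamic queries) are only named in the message, not shown. The following is an added illustration, not code from the post or from OWASP, written in Python with the standard library (sqlite3, re, http.cookies) rather than the .NET or Java stacks Arian mentions; the table, names and e-mail addresses are constructed sample data. It shows an allow-list regex validator, a session cookie emitted with Secure and HttpOnly set, and the same lookup built by string concatenation next to its parameterized form, so that a name containing an apostrophe makes the concatenated query fail while the parameterized one returns the row.

```python
import re
import sqlite3
from http.cookies import SimpleCookie

# T1: validate against an explicit allow-list pattern. \A and \Z anchor the
# whole string, so a trailing newline does not slip past the check.
USERNAME_RE = re.compile(r"\A[A-Za-z0-9_]{3,32}\Z")


def is_valid_username(value: str) -> bool:
    return bool(USERNAME_RE.match(value))


# T2: a session cookie that carries only an opaque identifier and is marked
# Secure (HTTPS only) and HttpOnly (not readable from page script).
def session_cookie_header(session_id: str) -> str:
    cookie = SimpleCookie()
    cookie["session"] = session_id
    cookie["session"]["secure"] = True
    cookie["session"]["httponly"] = True
    cookie["session"]["path"] = "/"
    return cookie.output(header="").strip()


# T3: dynamic queries. Constructed sample data (hypothetical users table).
def build_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, email TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "alice@example.com"), ("o'brien", "obrien@example.com")],
    )
    return conn


def lookup_concat(conn: sqlite3.Connection, name: str) -> list:
    # The "how not to" form: user input pasted into the SQL text itself.
    sql = "SELECT email FROM users WHERE name = '" + name + "'"
    return [row[0] for row in conn.execute(sql)]


def lookup_param(conn: sqlite3.Connection, name: str) -> list:
    # Bound parameter: the driver keeps data separate from the statement.
    sql = "SELECT email FROM users WHERE name = ?"
    return [row[0] for row in conn.execute(sql, (name,))]


def compare_lookups(conn: sqlite3.Connection, name: str) -> tuple:
    """Return (concatenated_query_failed, parameterized_result) for one name."""
    try:
        lookup_concat(conn, name)
        concat_failed = False
    except sqlite3.Error:
        # A legitimate apostrophe is enough to break the concatenated statement.
        concat_failed = True
    return concat_failed, lookup_param(conn, name)


if __name__ == "__main__":
    db = build_db()
    print(is_valid_username("alice_01"), is_valid_username("alice\n"))
    print(session_cookie_header("opaque-session-id"))
    print(compare_lookups(db, "alice"))
    print(compare_lookups(db, "o'brien"))
```

The apostrophe case is the point of T3: the concatenated query is wrong on ordinary data before any hostile input is considered, and the parameterized query needs no escaping logic at all.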
Current thread:
- RE: OWASP Top Ten - dev process Evans, Arian (Jul 12)
- Re: OWASP Top Ten - dev process Michael Silk (Jul 13)
- Re: OWASP Top Ten - dev process Devdas Bhagat (Jul 13)
- Re: OWASP Top Ten - dev process Andrew van der Stock (Jul 13)
- Re: OWASP Top Ten - dev process Devdas Bhagat (Jul 13)
- <Possible follow-ups>
- RE: OWASP Top Ten - dev process Jeff Robertson (Jul 13)
- RE: OWASP Top Ten - dev process Evans, Arian (Jul 13)
- RE: OWASP Top Ten - dev process Evans, Arian (Jul 13)
- Re: OWASP Top Ten - dev process Michael Silk (Jul 13)