Mark Curphey wrote:
> I think the OWASP Top Ten needs a serious re-think. Here is my simple case
> for discussion / consideration.
>
. . . <snip> . . .
>
> Proposal for improvement
>
> Create a set of T10's that are fit for purpose;
>
> T10 - Attack Patterns
> T10 - Common Vulnerabilities
> T10 - Root Causes of Insecure Web Applications
> T10 - Things a company should have as part of its software security program
> T10 - Things to look for in a protection system
> T10 - Things to look for in an assessment system
>
> The FUD in the application security marketing is continuing to increase at
> an alarming rate and measures like this in my humble opinion are urgently
> needed to recover some credibility and prevent a pandemic.
>
> Cheers,
>
> Mark
Wow, well thought out and I think on target. At least I agree with 95%
of it, especially the FUD and misuse. Everyone is looking for a list to
check off to ensure they are "covered". It has been too much of an
obstacle in too many situations for me to convince my clients' management
to make the jump from "PCI requires OWASP Top 10" to doing basics like
design and code reviews. They are too expensive in the typical
management view and there's no accepted standard (such as the OWASP Top
10) or regulation that requires the reviews. Such views lead to
decisions such as "we will run a web scanner and we're covered", or
"we'll hire an inexperienced pen tester and we're covered".
One question that remains for me is that I'm NOT seeing a significant
difference between #1 "T10 Attack patterns" and #2 "T10 Common
vulnerabilities"; isn't it just a matter of wording as to whether each
of these is an attack pattern or a vulnerability? I'm also curious to
see, as we work these out, if "T10 root causes ..." and "T10 things a
company should do ..." may have a 1-to-1 mapping.
There is a huge demand for the above, especially I think "T10 Things a
company should have ..."; however, one drawback of limiting the list to
10 is that it will become the new "Do this and we are covered" thought
process. On the other hand, we need to start somewhere, and certainly
the web would be much better off if we could get companies to implement
a top 10 things to do.
-- Ralf Durkee, CISSP, GSEC, GCIH
Principal Consultant
http://rd1.net
Received on Jul 09 2005