WebApp Sec: RE: OWASP Top Ten - My Case For Updating It

RE: OWASP Top Ten - My Case For Updating It

From: Mark Curphey <mark_at_curphey.com>
Date: Sun, 10 Jul 2005 09:36:28 -0400

With respect I disagree about your disagreement ;-)

http://www.google.com/search?sourceid=navclient&ie=UTF-8&rls=GGLD,GGLD:2004-29,GGLD:en&q=owasp+and+pci

First link (view HTML for easier browsing) and look for Section 6.5.

It may be implied but without any credible alternatives, implication is
really a requirement.

-----Original Message-----
From: Saqib Ali [mailto:docbook.xml_at_gmail.com]
Sent: Sunday, July 10, 2005 2:25 AM
To: Mark Curphey
Cc: webappsec_at_securityfocus.com; Jeff Williams
Subject: Re: OWASP Top Ten - My Case For Updating It

On 7/9/05, Mark Curphey <mark_at_curphey.com> wrote:
> I think the OWASP Top Ten needs a serious re-think.
I agree!!! :)

> novice companies will use the Top Ten as a testing yard stick. The PCI
> adoption is a dangerous issue that demonstrates this point. When
> MasterCard were hacked the first thing the company did was to say they
> passed the PCI tests. This will be the case with the OWASP Top Ten.

I disagree on this point. I don't think this will ever be the case.
PCI is a standard that Merchants and Service Providers are "required"
to follow. This is not the case for the OWASP Top Ten. OWASP does not require
any website to implement the Top 10, nor can it. Thus the OWASP Top 10 cannot
be used as a scapegoat.

--
In Peace,
Saqib Ali
http://www.xml-dev.com/blog/
Received on Jul 10 2005