
RE: OWASP Top Ten - The certification and blame problem

From: Evans, Arian <Arian.Evans_at_fishnetsecurity.com>
Date: Tue, 12 Jul 2005 17:28:45 -0500

I can say first hand that Mark is right on the Mark
about blame, but worse, how many OWASP "Top 10 Certified"
people will "throw out the baby with the bathwater" once
compromised?

I have numerous clients that want "Certified by my employer"
on the OWASP Top 10. Guess what happens when they are broken.

Blame is very important in a modern society. The American
legal system is living proof.

First they'll blame us. Then we'll show how we covered
all the Top 10. Then they'll blame OWASP.

(keep in mind this is a silly illustrative example and not
reflective of the way my organization tests software or
deals with clients)

-ae

> -----Original Message-----
> From: Saqib Ali [mailto:docbook.xml_at_gmail.com]
> Sent: Sunday, July 10, 2005 1:25 AM
> To: Mark Curphey
> Cc: webappsec_at_securityfocus.com; Jeff Williams
> Subject: Re: OWASP Top Ten - My Case For Updating It
>
> On 7/9/05, Mark Curphey <mark_at_curphey.com> wrote:
> > I think the OWASP Top Ten needs a serious re-think.
> i agree!!! :)
>
> > novice companies will use the Top Ten as a testing yard
> > stick. The PCI adoption is a dangerous issue that demonstrates
> > this point. When MasterCard were hacked the first thing the
> > company did was to say they passed the PCI tests. This will be
> > the case with the OWASP Top Ten.
>
> i disagree on this point. I don't think this will ever be the case.
> PCI is a standard that Merchants and Service Providers are "required"
> to follow. This is not the case of the OWASP Top Ten. OWASP does not
> require any website to implement the Top 10, neither can it. Thus
> OWASP Top 10 can not be used as a scapegoat.
>
> --
> In Peace,
> Saqib Ali
> http://www.xml-dev.com/blog/
>
>

Received on Jul 12 2005
